Web Security Compliance Standards & How to Follow Them
With the internet constantly evolving in both technology and content, it’s important to keep up with web security standards. One cut corner or overlooked technology could mean insecure browsing, email, or exchange of information on any platform.
For example, if a banking website does not securely encrypt its traffic, it would be incredibly easy for a third party to see the information being sent back and forth. Passwords, account numbers, and other personal data could be lost if a business’ website is not secure.
Thankfully, most people don’t have to do much to keep up with these standards. The web browsers we use take care of most of the intricacies on the user side of things. For those who deal directly with websites and servers, there are tools like Compliance Dashboard to help with maintaining these standards.
Compliance Dashboard is a web-security tool that evaluates data on six different standards and reports on the compliance of the site being reviewed.
For an introduction to each of these categories, visit the Compliance Dashboard information page.
Here is a breakdown of each test category and what it means for security on the modern internet:
HTTPS (HTTP Secure)
All data sent over the internet is sent in packets - comparable to letters in the mail. HTTP itself is just a method of transportation for these packets. When data is transferred over HTTP, it normally is in plaintext - readable by anyone who can see it. As this is obviously not private or secure, the standard to remedy this is to use HTTPS, which encrypts every packet so only the intended recipient can read it. This is like comparing a postcard to a letter in an envelope (where the envelope is a locked safe).
Take a look at this article for an introduction to HTTP.
HSTS (HTTP Strict Transport Security)
Just because a website can transfer data securely over HTTPS doesn’t mean it always will. HSTS is a way for a server to tell clients that it communicates strictly over HTTPS and that insecure HTTP is never needed. Once a web browser has seen this policy, it will only communicate with that server through HTTPS.
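The policy a browser acts on is carried in the Strict-Transport-Security response header, so a compliance check reduces to parsing that header. The following is an added example, not code from Compliance Dashboard or from the original article: it parses the header into its directives and reports the findings a reviewer would care about. The sample header sets, the one-year minimum for max-age, and the function names are assumptions made for this example.

```python
# Added example: evaluate an HTTPS response's HSTS policy offline.
# The sample header dictionaries below are constructed for this example.

# Assumption: treat one year as the minimum max-age worth calling compliant.
MIN_MAX_AGE = 31536000

SAMPLE_GOOD = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_NONE = {"Content-Type": "text/html"}


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as browsers do.
    return policy


def evaluate_hsts(headers, over_https=True):
    """Return (compliant, findings) for a dict of response headers.

    Browsers only honour HSTS on responses received over HTTPS, so a
    header delivered over plain HTTP is reported as ineffective.
    """
    if not over_https:
        return False, ["HSTS header ignored: response not received over HTTPS"]
    value = None
    for name, raw in headers.items():  # header names are case-insensitive
        if name.lower() == "strict-transport-security":
            value = raw
    if value is None:
        return False, ["no Strict-Transport-Security header"]
    try:
        policy = parse_hsts(value)
    except ValueError as err:
        return False, [str(err)]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age directive missing")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return len(findings) == 0, findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("none", SAMPLE_NONE)):
        print(label, evaluate_hsts(sample))
```

The check deliberately reports a short max-age and a missing includeSubDomains as findings rather than errors: both are valid headers, but either leaves a window in which the first request to a host or subdomain can still go out over plain HTTP.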
DNSSEC (Domain Name System Security Extensions)
With such a vast number of websites on the internet, it can be hard to guarantee the authenticity and trustworthiness of a domain. This is where DNSSEC comes in. Built on the “chain-of-trust” concept, it is a way for reputable, trustworthy entities to vouch for others as “safe”. For example, if a domain is widely recognized and trustworthy, it can sign the certificates for other domains, showing that it supports them and that they are also to be trusted. They, in turn, can sign other domains as being trustworthy. If one link in this chain of trust is broken, any domains under that link may no longer be legitimate.
Take a look at this article for an introduction to DNS.
IPv6 (Internet Protocol version 6)
With the increasing number of devices on the internet, the original limit on addresses is being reached. In other words, there is a finite number of devices that can be connected to the internet (theoretically 4,294,967,296, but in practice fewer), which is little more than half the total population of the earth at the time of this writing. This quickly becomes a problem when people have multiple devices or even entire networks.
Because the sheer number of devices and users could not be predicted, the original address system, IPv4, was not designed with that capacity in mind. For this reason, many entities are adding support for IPv6, which supports vastly more possible addresses (340,282,366,920,938,463,463,374,607,431,768,211,456 to be exact). Adoption of this protocol is growing, and it will eventually replace IPv4.
Take a look at this article for an introduction to IPv6.
SPF (Sender Policy Framework)
Email is a common medium for scams and other malicious behavior, which creates a need for standards like SPF. SPF provides a consistent way to tell whether an email comes from a legitimate source or is probably spam.
It works in two parts: first, the email domain publicly states which physical servers are authorized to send mail on its behalf. Then, when an email is received from that domain, the email client can check the domain’s SPF record to make sure the email came from an authorized server. This prevents email address forgery and ensures the message came from the source it claims.
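The second of those two parts, checking a sending server against the published record, can be shown offline. The following is an added example, not code from Compliance Dashboard or from the original article: it evaluates an SPF record for a given sending IP address using the ip4, ip6 and all mechanisms with their pass/fail/softfail/neutral qualifiers. The sample record uses documentation address ranges constructed for this example; mechanisms that need live DNS lookups (include, a, mx and the like) are reported as unsupported rather than resolved.

```python
# Added example: evaluate an SPF record against a sending IP, offline.
import ipaddress

# Constructed sample record: what a domain might publish as its SPF TXT record.
# Only ip4/ip6/all are evaluated here; DNS-dependent mechanisms are out of scope.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# SPF qualifier prefix -> result name
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Results follow SPF naming: pass, fail, softfail, neutral, permerror
    for a malformed record, and 'unsupported' for mechanisms that would
    need a DNS lookup in this offline example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        # Modifiers use '=' (e.g. redirect=, exp=); redirect changes the
        # evaluated domain and needs DNS, exp only affects the error text.
        if "=" in term and ":" not in term:
            name = term.split("=", 1)[0].lower()
            if name == "redirect":
                return "unsupported"
            continue

        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name in DNS_MECHANISMS:
            return "unsupported"
        else:
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]

    # No mechanism matched and no 'all' term: SPF defaults to neutral.
    return "neutral"


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.1", "2001:db8::1"):
        print(sender, check_spf(SAMPLE_SPF, sender))
```

The qualifier on the final all term is what turns a record into a policy: with -all an unlisted server fails outright, while ~all asks the receiver to treat the message as suspicious rather than reject it, which is why the softfail case is distinguished in the result.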
This refers to the actual server that a client connects to. Ideally, this should be a content distribution network (CDN), which can handle the extreme amounts of traffic generated by popular websites. If the server cannot support the traffic, it can crash, taking the site down with it. Using a CDN also protects against some common malicious acts like Denial of Service (DoS) attacks.
While these are just a handful of the different security standards, Compliance Dashboard has many more tests and features being worked on. For government organizations required to comply with these standards, small businesses, and everything in between, this tool can help make securing your website simple and manageable.