How to Keep your Customers’ Data Secure?

Moonax - your digital partner
6 min read · Mar 31, 2021

According to CNews, the amount of user data stolen by cybercriminals has quadrupled over the past year. An online business has to ensure customer data security and collect data transparently and confidentially. We’ll tell you about the best practices for protecting personal data.

Depending on the specifics of the online business, the personal data requested may vary. In some cases, a client's name and email are enough. Other companies need an ID card, address, registration, phone number, etc.

In 2021, users don't like sharing personal data. No wonder: users' data has become a target for fraudsters.

Your task as a business owner is to ensure the maximum protection of your consumers' data.

In this article, we give 10 practical tips for protecting users’ data. You can combine several of them to achieve a high level of security.

Use security analysis tools

Use specialized automated services to analyze web applications and websites for vulnerabilities. Such services run attack tests, for example by attempting SQL injection.

We have compiled a list of free security analysis tools.

Applications and frameworks

  1. OpenVAS scans hosts for vulnerabilities and allows you to manage exposures.
  2. The OWASP Xenotix XSS Exploit Framework scans the resource for the possibility of exploiting XSS vulnerabilities.
  3. Approof from Positive Technologies checks a web application’s configuration and scans for vulnerable components, exposed sensitive data, and malicious code.

Online services

  1. SecurityHeaders.io checks for the presence and correctness of the server response headers responsible for the web application's security.
  2. Observatory by Mozilla scans the resource for security issues. When the appropriate option is selected, it also collects results from third-party security analysis services and adds them to the report.
  3. One button scan scans resource components for vulnerabilities: DNS, HTTP headers, SSL, sensitive data, services used.
  4. The CSP Evaluator verifies that the content security policy (CSP) is well written and resilient to XSS.
  5. SSL Server Test analyzes the SSL configuration of a web server.
  6. ASafaWeb checks for common vulnerabilities in the configuration of sites written in ASP.NET.
  7. Snyk scans JavaScript, Ruby, and Java applications for vulnerabilities and fixes security issues as needed. It integrates with GitHub repositories for automatic checks and notifies you about the vulnerabilities found.

Please read the terms of use before scanning a web application with online services. Some of them publish the reports on scanned sites publicly.

Automated test results can be confusing because they list every kind of potential threat, but an explanation is attached to every problem identified. Analyze and fix the critical findings first.

After you have made the recommended security changes, rescan the application to make sure the fixes took effect.

If automated scanning is not enough, test your resource manually by changing the values of POST and GET requests. A debugging proxy (such as Fiddler) helps here, as it intercepts HTTP requests between the browser and the server and lets you edit them. Pay special attention to forms: try to bypass validation with an XSS injection.

If your site has pages that are only accessible after authentication, try to impersonate a different user by changing URL parameters (for example, a user ID) or cookie values.

Protect user data with HTTPS

HyperText Transfer Protocol Secure (HTTPS) is an extension of HTTP that encrypts traffic and protects user data in transit over the Internet. HTTPS guarantees the integrity and confidentiality of communication with the server. In 2021, the use of HTTPS is mandatory in practice.

Use HTTPS whenever users send personal data to the server: credit card details, personal data, and the addresses of visited pages. If the login form sets cookies that are then sent with every request to the server over an unencrypted connection, an attacker can capture them and forge requests, hijacking the user's session. To prevent this, use HTTPS on all pages of your site.

It's simple: an SSL certificate can be obtained for free (for example, from Let’s Encrypt). For most platforms, tools exist that obtain and install the certificate automatically. All that remains is to enable HTTPS support on the server.

Google has announced plans to give sites using secure connections an advantage in search results.

If HTTPS is already configured, it is good practice to enable HTTP Strict Transport Security (HSTS), a server response header that tells browsers never to connect to the domain over an unsecured connection.

Prevent SQL Injection

SQL injection executes an arbitrary query against the application database through a form field or URL parameter. If you build queries from raw Transact-SQL strings with user input concatenated in, malicious code can be inserted, and as a result table data is read, changed, or deleted. To prevent this, use parameterized queries, which are supported by most web programming languages.
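The concatenated query beside its parameterized replacement, as an added Python example that is not part of the original article; it uses the standard sqlite3 module and a constructed in-memory users table.

```python
import sqlite3

# Constructed sample data (not from the article): a small users table in memory.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (login, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, login):
    """Concatenates the form value into the SQL text, so the value is parsed as SQL."""
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT login, email FROM users WHERE login = ?", (login,)
    ).fetchall()


def demo():
    """Returns (rows leaked by the vulnerable query, rows returned by the safe query)."""
    conn = make_db()
    # A form value that closes the string literal and appends an always-true condition.
    tampered = "nobody' OR '1'='1"
    leaked = find_user_vulnerable(conn, tampered)   # every user row comes back
    safe = find_user_safe(conn, tampered)           # no user has that literal login
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())   # (2, 0)
```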

Prevent cross-site scripting

Cross-site scripting (XSS) is a type of attack on web resources in which malicious code injected into a website page runs on the user's computer, modifies the page, and transfers the stolen information to the attacker.

For example, if there is no input validation on a comment page, an attacker injects malicious JavaScript into a comment. As a result, the code is executed for every user who views the comment, and authorization data from their cookies is sent to the attacker.

Modern web applications, where pages are built from user-generated content interpreted by front-end frameworks like Angular and Ember, are especially susceptible to this type of attack. These frameworks have built-in cross-site scripting protection, but mixing server-side and client-side content rendering creates new, more complex attacks, such as injecting Angular or Ember directives.

When validating, focus on user-generated content so that the browser cannot misinterpret it as markup; the principle is the same as for SQL injection protection. When generating HTML dynamically, use the dedicated functions for setting attribute values and text (for example, element.setAttribute and element.textContent) and templating engines that automatically escape special characters.

Content Security Policy (CSP) is another tool for protecting against XSS attacks. CSP is a set of server response headers that define a whitelist of sources from which each type of resource may be loaded. For example, a policy can prevent scripts from running from a third-party domain or disable the eval() function. With a strict CSP, malicious code cannot execute even if it is injected into a page. The official Mozilla website hosts a CSP manual with configuration examples.
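A small audit of the two headers discussed in the HTTPS and CSP sections, in the spirit of the SecurityHeaders.io and CSP Evaluator checks listed earlier. This is an added Python example, not code from the article or from those services; the 180-day HSTS threshold and the two header sets are assumptions.

```python
# Assumed threshold (not from the article): HSTS max-age of at least 180 days.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

def parse_csp(header_value):
    """Parses a Content-Security-Policy value into {directive: [source list]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Returns findings for a dict of response headers; an empty list means no issues found."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers may still connect over plain HTTP")
    else:
        max_age = 0
        for part in hsts.split(";"):
            part = part.strip().lower()
            if part.startswith("max-age="):
                max_age = int(part[len("max-age="):])
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected scripts are not blocked")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as the CSP spec defines.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP has neither script-src nor default-src")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP allows eval() ('unsafe-eval')")
        if "*" in scripts:
            findings.append("CSP allows scripts from any origin (*)")
    return findings


# Constructed header sets: one weak, one hardened.
WEAK_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; object-src 'none'",
}
```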

Check and encrypt passwords

Store passwords as a hash, preferably using a one-way hashing algorithm such as SHA. Users are then authorized by comparing hashed values. Suppose an attacker breaks into the resource and obtains the hashed passwords. The damage is reduced because hashing is one-way and it is almost impossible to recover the original data from the hash. But hashes of popular passwords can easily be looked up in a dictionary, so also use a "salt" that is unique for each password. Cracking a large number of passwords then becomes much slower and more computationally expensive.

As for validation, set a minimum password length and check that the password does not match the login, e-mail, or site address.

Fortunately, most CMSs provide security policy management tools, but sometimes additional configuration or a module installation is needed to enable salting or to set the minimum password complexity. When using .NET, it is worth using membership providers, because they have built-in security with many settings and ready-made components for authentication and password changes.
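The salted one-way hashing and the validation rules from the paragraphs above, as an added Python example that is not part of the original article. It assumes PBKDF2 over SHA-256 (a salted, iterated SHA construction) with 200,000 rounds, a 16-byte random salt, and a constructed site address for the "matches the site address" check.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the article): PBKDF2 over SHA-256, 200,000 rounds, 16-byte salt.
ITERATIONS = 200_000
SALT_BYTES = 16
SITE_ADDRESS = "example.com"   # constructed value for the "matches the site address" check


def validate_password(password, login, email, min_length=12):
    """Returns the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    lowered = password.lower()
    checks = (("login", login), ("e-mail", email.split("@")[0]), ("site address", SITE_ADDRESS))
    for label, value in checks:
        if value and value.lower() in lowered:
            problems.append("contains the %s" % label)
    return problems


def hash_password(password, salt=None):
    """Derives a salted one-way hash; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recomputes the hash with the stored salt and compares in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Same password, two salts: different hashes; verification still works with the stored salt."""
    pw = "correct horse battery staple"
    salt1, digest1 = hash_password(pw)
    salt2, digest2 = hash_password(pw)
    return digest1 != digest2, verify_password(pw, salt1, digest1), verify_password("wrong", salt1, digest1)


if __name__ == "__main__":
    print(validate_password("alice2021", "alice", "alice@example.com"), demo())
```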

You can find more tips for protecting user data in the original article “How to Keep your Customers’ Data Secure?”

If you want to create a secure website or mobile application, leave a request on the website, and Sannacode specialists will offer you the best solution. We are also the developer of major government projects. These are thousands, even millions of real people whose personal information is now in a safe place, and that speaks louder than any advertisement. Check it out for yourself.
