The first step in securing customer information as a company is to realize that you are a target.
Any company that collects large data sets on their customers, at one point or another, will be the target of someone trying to steal that information.
A client we work with recently came under a sophisticated attack on their web forms in an effort to steal large sets of user data. The client runs a large marketing website where lead generation reigns supreme, so the attack was an attempt to retrieve their contacts and personal information through an injection attack on their web forms.
The attack was unsuccessful, but it prompted us to do an extensive audit of our web security. From that experience, we’ve compiled a list of the top 4 tips to secure your web forms.
Let’s review.
1. Leverage multiple layers of web security
With all the different types of web attacks we’re seeing today, it’s important to have multiple layers of security throughout your technology stack so that no single control is the only thing standing between an attacker and your data. You are not going to be able to reasonably prevent all types of attacks — which sounds contrary to the point of this article — but it’s a fact that new attacks are constantly emerging and you won’t always be able to stay ahead.
So, if we’re going to suffer web attacks regardless, what can we do? The best we can do is put in place as many measures as possible against the most common and most dangerous attacks, weighed against the types of data your organization is managing, the time and budget you have to spend on security, and the potential consequence of a breach. It’s a delicate balancing act that must be actively managed.
Good security correlates with more preventative measures.
At the least, you should:
- Throttle requests per source address (and per session or account where you have one). This stops scripted form spam and brute-force submissions from a single source; it does not stop a genuinely distributed denial-of-service, which needs mitigation upstream at your CDN or hosting provider.
- Use a bot-detection tool such as Google’s reCAPTCHA, a honeypot field (a hidden input that humans never fill in but bots do), or both. (Why not both?)
- Validate user input on the client for usability and again on the server for security; client-side checks are bypassed by anyone who submits the request directly. Validation alone does not stop injection, so pair it with parameterised queries and output encoding.
- Keep all systems patched with fixes for the latest vulnerabilities and attacks.
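As an added example (not code from the original article), here is a minimal form handler in Python that applies the controls above in order: a sliding-window throttle per source address, a honeypot field, and server-side validation followed by a parameterised INSERT. The field names, limits and the in-memory SQLite table are assumptions for illustration.

```python
import re
import sqlite3
import time
from collections import defaultdict, deque

# Hypothetical lead form (added example, not the article's code). Limits and
# field names are assumptions chosen for illustration.
RATE_LIMIT = 5              # submissions allowed ...
RATE_WINDOW = 60.0          # ... per this many seconds, per client address
HONEYPOT_FIELD = "website"  # hidden field a human never sees or fills in
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[A-Za-z]{2,}$")


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate(form):
    """Server-side checks; returns (errors, cleaned). Client checks are not trusted."""
    errors = []
    name = (form.get("name") or "").strip()
    email = (form.get("email") or "").strip()
    message = (form.get("message") or "").strip()
    if not 1 <= len(name) <= 100:
        errors.append("name must be 1-100 characters")
    if not EMAIL_RE.match(email):
        errors.append("email is not well formed")
    if not 1 <= len(message) <= 2000:
        errors.append("message must be 1-2000 characters")
    return errors, {"name": name, "email": email, "message": message}


class LeadForm:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE leads (name TEXT, email TEXT, message TEXT)")
        self.limiter = SlidingWindowLimiter(RATE_LIMIT, RATE_WINDOW)

    def submit(self, remote_addr, form, now=None):
        """Process one submission; returns (status, detail)."""
        now = time.time() if now is None else now
        # Layer 1: throttle by source address before doing any other work.
        # Rejected submissions still count, so a bot cannot probe for free.
        if not self.limiter.allow(remote_addr, now):
            return "throttled", "too many submissions from this address"
        # Layer 2: honeypot. Bots fill every field; humans never see this one.
        if form.get(HONEYPOT_FIELD):
            return "bot", "honeypot field was filled"
        # Layer 3: server-side validation of every field.
        errors, clean = validate(form)
        if errors:
            return "invalid", "; ".join(errors)
        # Parameterised query: values are bound as data, never spliced into SQL.
        self.db.execute(
            "INSERT INTO leads (name, email, message) VALUES (?, ?, ?)",
            (clean["name"], clean["email"], clean["message"]),
        )
        return "ok", "stored"

    def lead_count(self):
        return self.db.execute("SELECT COUNT(*) FROM leads").fetchone()[0]


if __name__ == "__main__":
    lf = LeadForm()
    good = {"name": "Ada", "email": "ada@example.com", "message": "hello"}
    print(lf.submit("203.0.113.7", good, now=1000.0))
    print(lf.submit("203.0.113.7", dict(good, website="http://spam"), now=1001.0))
    print(lf.submit("203.0.113.7", dict(good, message="'); DROP TABLE leads; --"), now=1002.0))
```

The handler returns a distinct status for the honeypot branch so the caller can see which layer fired; in production you would send the bot the same response a real submission gets, so it learns nothing, while still storing nothing. Note that the SQL-looking message is stored as plain text because it is bound as a parameter rather than concatenated into the statement.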
2. Thorough logging and auditing
Here’s the real kicker — even with all these security practices followed, you are still going to suffer attacks.
Even though there are massive efforts and funds spent on preventing attacks, an opposing effort is dedicated to circumventing the same security measures. It’s a never-ending game of cat and mouse.
It is therefore incredibly important that detailed logging and auditing are in place so that when an attack does occur, you can trace through the attacker’s actions and assess what they were able to access. Record at least the source address, timestamp, endpoint and outcome of every form submission, and keep those logs on a system the attacker cannot alter. This is critical in helping you and your organization’s security teams determine whether there was a real breach and whether user data leaked. If proper logging and auditing are not set up, you will not be able to reconstruct the attacker’s steps.
3. Be proactively overreactive
Probably the most important tip in this list is being proactively overreactive when it comes to security. Don’t try to rationalize the motivations behind every attack you’ll experience; if someone can spam-submit your web forms thousands of times without being throttled, they will. Some attacks have a clear agenda, such as stealing personal data, but often it’s not that easy to imagine the kinds of security problems you’ll run into.
Frequently, we see attempts to:
- Overload and crash websites and applications through distributed denial-of-service attacks.
- Inject SQL or other commands through form fields (an injection attack) to read or exfiltrate stored user data.
- Inject script into pages (cross-site scripting, XSS) so that it runs in other visitors’ browsers, where it can steal their sessions or act on their behalf.
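To make the two injection items concrete, here is an added Python example (not from the original article) of a "look up my submission" query written the vulnerable way and the fixed way, alongside the output-encoding step that keeps a stored script from running in another visitor’s browser. The table, its rows and the field names are constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for the example (not real customer records).
SAMPLE_LEADS = [
    ("ada@example.com", "Ada"),
    ("bob@example.com", "Bob"),
    ("eve@example.com", "Eve"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    db.executemany("INSERT INTO leads (email, name) VALUES (?, ?)", SAMPLE_LEADS)
    return db


def find_lead_vulnerable(db, email):
    """String-built query: the form value becomes part of the SQL program.
    Deliberately vulnerable to show what an injection attack achieves."""
    sql = "SELECT name, email FROM leads WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def find_lead_fixed(db, email):
    """Parameterised query: the driver passes the value separately from the SQL
    text, so quotes and keywords in the input are just characters."""
    return db.execute("SELECT name, email FROM leads WHERE email = ?", (email,)).fetchall()


def render_greeting_vulnerable(name):
    """Raw interpolation into HTML: a stored <script> in `name` executes."""
    return "<p>Thanks, " + name + "!</p>"


def render_greeting(name):
    """HTML-encode user data at output time so markup in the name stays inert."""
    return "<p>Thanks, " + html.escape(name, quote=True) + "!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # turns the lookup into "match every row"
    print(find_lead_vulnerable(db, payload))   # every lead in the table
    print(find_lead_fixed(db, payload))        # [] -- no address equals that literal string
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting(xss))
```

The same `' OR '1'='1` trick that dumps every row here would, against a real lead database, hand the attacker the whole contact list in one request; the fixed version returns nothing because no stored address is literally equal to the payload. Encoding on output rather than stripping on input is what protects other visitors, since the data may reach the page through routes the input filter never saw.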
Consider the following in order to be proactive when it comes to getting ahead of form attacks:
- Set up early detection through logging tools, such as Splunk, which can alert on log anomalies, for example too many requests from one source within a short interval.
- Ensure all storage is backed up and that restores are rehearsed regularly as fire drills. A backup is only a backup if you have proven you can restore from it.
- Establish a simple communication process for when an attack occurs. Who needs to be informed? IT security? Managers? Legal?
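The first item, as an added example rather than anything from the original article: the "too many requests from one source in a short interval" rule run offline over constructed access-log lines in Python. The path, threshold and the log lines themselves are assumptions; in Splunk or another log platform you would express the same rule as a scheduled search over the real access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format parser (added example; field layout is the common
# Apache/nginx default, path and thresholds below are assumptions).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bursts(lines, path="/contact", method="POST", limit=10, window=60):
    """Alert once per source address the first time it exceeds `limit`
    submissions to `path` inside any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != method or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > limit and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], rec["ts"], len(q)))
    return alerts


def sample_log():
    """Constructed log: 203.0.113.9 fires 25 POSTs in 25 s (a scripted burst),
    198.51.100.4 posts 5 times over 10 min (a human), plus one unrelated GET."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.9 - - [{ts}] "POST /contact HTTP/1.1" 200 512 "-" "python-requests/2.31"')
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.1 - - [{base.strftime(TS_FMT)}] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.sort(key=lambda l: parse_line(l)["ts"])   # real logs arrive in time order
    return lines


if __name__ == "__main__":
    for ip, when, count in detect_bursts(sample_log()):
        print(f"ALERT {ip}: {count} POST /contact within 60s, first exceeded at {when.isoformat()}")
```

The alert fires on the eleventh submission inside the window, not after the fact, which is the point of early detection: the rule is cheap enough to run continuously, and it triggers even when every request returned 200 and nothing obviously broke.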
Did you know that if your organization suffers a data breach, there can be legal implications? Depending on your jurisdiction and the kind of data involved, breach-notification laws may require you to notify affected users and regulators within a fixed window, with fines for failing to do so. You cannot notify anyone about a breach you have not detected, which is just another reason to ensure you have early detection measures in place.
4. Stay up to date on security practices
Our final point is the most straightforward, but one of the most difficult to carry out. Staying up to date on security is hard. The same easy access to information that pushes technology and security forward also hands attackers new tools and techniques, so it’s hard to keep up.
Web security is a never-ending game of cat and mouse, but here are some the things you can do to stay up to date:
- Keep systems patched with fixes for the latest vulnerabilities and attacks, and subscribe to the security advisories for the frameworks and libraries you depend on.
- Leverage available tools and technology and benefit from economies of scale. The AWS team spends millions staying ahead of and solving security issues, so take advantage of available cloud services, networking tools, or any software with security built in by teams who focus on security full time.
- Consider an audit of your security practices by a third-party service, or hold a hackathon within your dev team and gamify looking for vulnerabilities.
Concluding thoughts
Security is a big topic and most organizations struggle with it.
I’ve highlighted some of the key areas to consider when thinking through your web security, but each organization is different. It’s impossible and naïve to assume that all companies spend equal time on security because the truth is, it depends on the types of data you are managing. At the very least, the above are basic security practices all organizations should adhere to.