All nominated products and services underwent an intensive review by subject matter experts, analysts, journalists, and others with deep experience in the field. We took the panel of experts thru a guided demo of our Advanced Secure Hosting solution. Collective feedback was positive and all the judges were receptive to our positioning stating FireHost is “a complete solution for hosting servers built with REAL security in mind.” FireHost offers a “well thought out security plan for hosting servers” and provides “best in class” hosting solutions.

We were selected from 785 nominations submitted by 374 companies in 55 categories, and we’re confidently optimistic about the second round of voting which enables SIIA members to determine this season’s award winners. Voting will begin Tuesday, March 2, 2010 and the winners will be announced in May, so wish us luck.

This is the twenty-fifth year The Software & Information Industry Association (SIIA) have recognized excellence in the software, education and information industries through the CODiE Awards program. Visit the CODiE or SIIA websites to learn more about each organization.

The wheels of the business plan were put in motion when Jay Osterholt witnessed his sister and nephew in crisis while on vacation. Away from home, Mr. Osterholt’s sister was ill prepared to answer all the Doctor’s questions accurately and thoroughly. Convinced there was a better way to handle these situations, Mr. Osterholt wanted to help ensure this didn’t have to happen again to his family or others.

Less than two years later, the web-based service is live and empowering parents to access and share critical information about their little ones 24/7/365. My Child’s Locket can accommodate multi-child households and has the capacity to store numerous, important details about each individual.

As a web based service, My Child’s Locket is susceptible to bad things like identity theft schemes, SQL injections, XSS (cross site scripting) and DDoS attacks, and more. Aware of the risks, Mr. Osterholt made finding the right secure, hosting partner a big priority. After a thorough search, he chose us.

Click Here to read MyChild’s Locket’s press release about launching their service on FireHost secure servers.

Our virtualized servers provide secure, scalable hosting solutions to small and medium sized businesses around the globe. Thru the use of new, green hosting technologies, we’re helping reduce e-waste: energy consumption, CO2 emissions, hardware waste, and more.

Click Here to learn more about how FireHost leverages virtualization to save a few IT dollars while helping save the planet.

Cloud computing and cloud hosting practices have been around for some time, probably longer than you think. Long enough, in fact, to gain significant awareness and pique the interest of anyone starting, or growing a business. “I must have everything ‘in the cloud’” these entrepreneurs say!  While the definition and clear-cut use case for cloud hosting remains elusive, the promise of cost savings, “fair” usage based billing, and unlimited scalability has startups love struck.

Before you stroll thru the proverbial tunnel, do the modern dating ritual – a background check. Many companies (large and small) have come before you, and startups that are entertaining a cloud hosting solution today have many resources and case studies to help answer the question, “Is cloud hosting the right solution for my business?”

The realities both positive and negative are coming to light, and we’ve pulled together a list of evaluation criteria (pros and cons if you will) to help you:

Pros

Businesses that have flipped head over heals for cloud hosting enjoy it because it offers the following:

Simplicity
Entrepreneurs have enough on their plates as it is. Solutions that can simplify any part of their business operations are a welcome addition. Hosting in the cloud can streamline and simplify actions such as “pass thru” billing to end-users. In some cases, cloud hosting providers can even bill your customers directly.

Cost Effectiveness
Cloud hosting has a low cost of entry. There are no capital expenses to bear and it doesn’t require “IT-like” personnel to join you staff. Again, for a startup that isn’t depending on their site as a main business conduit this is a very inexpensive way to get going.

Moves as quickly as your business
Cloud hosting is extremely fast to implement in most cases and claims to be infinitely scalable. It also supports multi-platform development environments.

Doesn’t have what you don’t need
If you’re a start-up with no critical data on your Web site or applications, the security level of cloud hosting may be plenty.

Cons

If you’re planning to run most of your business through your site, expect (or already experience) a large amount of traffic, and house critical data there (such as E-commerce) then cloud hosting may be an unsafe bet. Here’s why:

Performance
In a cloud environment, all sites are competing for the hardware resources. If multiple Web sites spike coincidentally, it can result in everyone slowing down. Additionally, with cloud you never really know how much performance is available to you. The claim is that you get unlimited scalability, however many of the clouds’ early adopters are finding that is not the case as their Web site resource requirements grow and over-exceed this elusive capacity.

Security
Cloud hosting is simply not the most secure environment. It just isn’t there yet. If you’re looking to achieve and maintain data privacy requirements for PCI compliance, HIPAA compliance, SOX, E-commerce, and so on, then cloud hosting is not the solution for you.

Redundancy
One of the misconceptions of cloud hosting is that it’s hosted “in the sky and not in a datacenter,” which is not true. Cloud hosting resides in a single datacenter. Recently a large hosting provider’s datacenter went down leaving a lot of cloud hosted Web sites in the dark. The site owners had a huge reality check and quickly learned of the single-points of failure within a cloud environment.

Cost
The cloud gives businesses a hands-free method to scale their hosting, however some problems can arise that are financially surprising. For starters, automatic scaling can make people extremely lazy. If you’re not paying attention to your usage, you just might get a huge surprise on your next bill. One thing that’s a rising concern is hackers running up their victims’ hosting bills. One method that’s being used is a simple low-level DDoS attack (Distributed Denial of Service), which won’t take your site down but will keep your server very busy. Since you pay for usage with cloud hosting, your costs can spin wildly out of control. So if you’re using cloud hosting, make sure to pay daily attention to your usage.

While cloud hosting may provide some distinct benefits and cost advantages for start-ups or non-critical Web sites, it isn’t well suited for mission-critical Web sites and SaaS applications. In particular, you cannot achieve compliance mandates of HIPAA, PCI, SOX, etc. when storing data in and serving applications from “the cloud.”

So if you’ve been drawn in by the low cost of entry and fast implementation of the cloud, heed the warning that every rose has it’s thorn… even soft, fluffy, cloud hosting ones.

Each of Demo’s events in the US and China foster productive, face to face interaction between investors, innovators, entrepreneurs, and influencers in the technology industry. Visionaries and veterans from seven technology sectors will be demonstrating and pitching their business ideas next month:

• Social Media
• Health and Life Science
• Clean and Sustaining
• Cloud Computing
• Enterprise Technologies
• Mobile Applications
• Consumer

FireHost provides enterprise-grade website (and web application) protection at prices tailored for to start-ups and SMBs, so we’d enjoy meeting each and every participant to discuss concerns or challenges you may be facing with an upcoming product/service launch. Members of our team will gladly help point your domain in the right direction, so make sure to seek us out at the event.

Spring Demo will take place March 21-23, 2010 in Palm Desert, CA. Thru March 7th, you can register to attend Demo Spring 2010 at a discounted rate. We’ll see you there.

DotBridge, an eCommerce SaaS provider fell prey to a DDoS onslaught. Someone wanted to attack one of their customers web-based business and take it offline, and without a secure hosting company at his back, they may have succeeded.

DotBridge subscribes to our secure, virtualized server service protected by 1) monitoring and response, 2) DoS/DDoS mitigation devices, and 3) a team of knowledgeable and reactive support engineers.

This combination of protection and response is standard for every client that subscribes to our service, and DotBridge is just one real-life example of how we work every day fighting on behalf of our valued customers.

Click Here to read DotBridge’s blogpost on the FireHost experience.

Before you stop reading and get back to your _____ (insert whatever project you had planned for today), wait! You have our assurance that this won’t be too jargon-y. We’ve deliberately stopped the heavy tech talk here, and we’ll translate all the application security risk verbiage into usable, understandable terms for your growing enterprise.

So here they are, without further ado, the top five application security risks for 2010:

1) Injection Attack

All Web applications that collect and transmit data (using forms for example) are susceptible to Injection Attacks. By sending specific commands through your application’s forms, hackers can modify various elements of the code. In extreme cases, injection attacks could allow attackers to penetrate a firewalled environment such as the network environment or database.

SQL injections like the ones that compromised Symantec and NASA this year dominate this attack category, but there are many additional varieties to which you could fall prey. Impress your IT staff by nodding knowingly if he mentions a Code Injection, Command Injection, or XPATH Injection around the water cooler.

Some of the best, protective measures (ask your security expert about these) for Injection Attacks include:

• Input Validation – cleanse your input data
• Human Verification ie CAPTCHA
• Restrictive Privileges when connecting applications to DBs and other proprietary systems
• Vague Error Messages give attackers little detail to go on and can help defray an onslaught

2) Cross Site Attack

Cross site scripting (XSS) attacks steal private information like cookies or session tokens that unsuspecting users have associated with a particular Web site. XSS exploits can also redirect victims to familiar “looking” Web content that has been devised by the attacker to steal personally identifiable information or install malware.

Hackers deliver the malicious XSS-laden content that makes these exploits possible in the form of JavaScript, HTML, Flash or any executable code format for that matter. Any Web application that compiles user-generated content without validating or encoding it first could fall prey to an XSS exploit. Social media hubs and blogs that allow users to post un-moderated comments are extremely susceptible to malicious XSS exploits (as was the case with Reddit’s Stored XSS Attack earlier this year).

Reflected XSS Exploits can be combined with phishing techniques to invade private information systems like email. Lance James and his team of experts reveal how (easily) they exploited an XSS vulnerability to win Strong Webmail’s $10,000 challenge in a quick two weeks.

Developers can help prevent XSS Attacks by deploying code that:

• Validates user input
• Does not give a site or page “full trust” simply because HTTPS is present
• Is tested. Test, test, test, and then test again before launching or introducing Web site enhancements

3) Cross Site Request Forgery – CSRF

CSRF exploits force unknowing users to carry out any number of malicious activities as long as the action is allowable within their permission set during an authenticated user session. If a Web application administrator’s credentials are compromised for example, CSRF could overtake the entire Web site.

Here’s a short list of some common (and catastrophic) CSRF capabilities:

• Force a user to post an insulting comment or malicious link on a blog or forum
• Change passwords, emails, login credentials effectively terminating access
• Submit a users email and sign up for a newsletter
• Make a purchase and use the hacker’s shipping address

CSRF capabilities are so powerful, you can understand why banks, financial brokers, bill pay services, and basically any institution that ties user credentials to money would need to approach each day with extreme caution and oversight. In a blog post this year, SECCOM Labs demonstrated how easily a CSRF banking scheme could be carried out.

Prohibiting users from submitting HTML code is one way help prevent CSRF. In many cases however, that’s not feasible because sites containing blogs and social media rely heavily on user-generated content. If your application has Social Web components, be aware that extremely effective, proprietary tools capable of disarming security features of even the most popular social vehicles like Twitter and Facebook, do exist.

Protect applications from CSRF Vulnerabilities by:

• Only accepting POST transactions
• Create unique token values for each request
• Re-authenticate based on the unique token or a password

4) Insecure Direct Object References

Insecure Direct Object Reference flaws allow attackers access to private directories (for example) by manipulating the URL to gain access. The primary risks with Insecure Direct Object References include data leakage and identity theft. Adobe Flash Player fell victim to this type of flaw last year, and the company has since addressed and patched the vulnerability.

Developers with expertise in securing applications can help prevent Insecure Direct Object References by:

• Creating a schema to protect and identify each object accessible by users
• Using indirect reference maps in code when referring to file names, URLs and DB keys
• Ensuring the session is authenticated to view the requested information or files and only grant access for that specific request when direct references are required

5) Broken Authentication and Session Management

Because all Web applications have (at least) an administrator account, each and every Web site is susceptible to authentication and session management flaws. All too often, fingers point toward typical Web site functions like logout, forgotten password retrieval, and account update procedures when problems with authentication and session management arise.

Custom applications have increased risk. In fact, many instances of authentication and session management flaws occur when code includes custom methods for validating user names and passwords and/or “home grown” techniques for handling cookies or session tokens. Session hijacking is a good example of the trouble that can crop up when authentication and session management flaws reside within your application.

Using widely accepted mechanisms for user authentication and session management is a good, preventative start. Additionally, you can take these steps to protect your application from these vulnerabilities.

• Use https:// encryption on every page with form fields and store credentials in encrypted format and limit browser caching so hitting the “back” button doesn’t grand unwanted parties access or visibility
• Make sure users can “Logout” from every page within the application and set short visitor sessions and force visitors to “time out” more often
• Limit unsuccessful login attempts and require users to verify old password credentials when establishing new ones

That’s your top five for 2010. From our company to yours – happy holidays and a hack-free New Year!

A version of this article was published in eCommerceDeveloper on 12/23/09.

Step 1 Announce and assess the breach
Step 2 Conduct a deeper investigation
Step 3 Notify affected individuals and organizations and begin remediation
Step 4 Re-launch
Step 5 Communicate the resolution publicly and to affected parties
Step 6 Take steps to remediate vulnerabilities and prevent a future breach

Today’s discussion takes a deeper look into step six, preventing cyber crime at small and medium sized businesses. The truth is that security measures in place at most SMBs are “easy pickings” for hackers, and there is a booming community of C2C (criminal to criminal) interactions focused solely on stealing customer data from SMBs that conduct business online. The same way you work every day to develop new, enticing products and easier ways for your customers to shop, cyber theft “shop owners” fuel this sub economy by devising faster, easier, and more effective methods by which to steal your company’s valuable data.

Preventing data leakage takes an ongoing, concerted effort, so it’s important that you take proactive control over your immediate environment. Here’s how:

Only run software you need. Thoroughly review all third party applications before introducing them to your environment. Only install third party applications if they are absolutely necessary. Remove all inactive programs at once. Paring down your list of installed programs alleviates your susceptibility to any known or future security threats they may pose.

Stop ignoring those updates. Install every software update, and do it quickly. Addressing security vulnerabilities is a top priority of software patches, so don’t get versions behind.

S = More Secure. Traditional FTP connections are insecure. Look for “SSH” and “SFTP” connections as they are in an encrypted format and are the minimum standard for eCommerce Web site administration.

Manage change. Terminate access credentials for former website administrators and employees immediately after (and sometimes before) they exit the company. Open logins create an extremely popular data leakage point. Implementing strict, consistent, change management protocols will reduce the chances your website is compromised by a password breach.

Check configurations and permissions. Regularly check that server configurations and file permissions are set correctly, and that there are no open permissions on directories.

Cheaply outsourced labor could cost you. Do you really want to outsource your livelihood to the lowest bidder? Websites require ongoing maintenance, bug fixes, and enhancements, and working closely with a local developer that you can meet in person might be the best solution in the long run.

Hire a hacker. Hire a hacker to try and penetrate your environment to find its vulnerabilities. I’m serious.

Achieve PCI Compliance if you conduct eCommerce. The payment Card Industry has devised a succinct list of requirements to which every organization must adhere if they accept credit cards as a form of payment.

Vulnerability audits. Have professionals perform regular vulnerability audits. We recommend monthly or quarterly (at minimum). Vulnerability audits can identify weak logins, data leakage from forms, SQL injection vulnerabilities, DDoS activity, spam relaying, order manipulation, admin control panel tampering, and more.

Hackers pose a real threat to SMBs, and they find value in stealing customer records, even from the “one-man shops” out there. Give these preventative measures the same priority as the way your site looks and works. Afterall, an ounce of prevention…well, you know the saying.

A version of this article was featured in VentureBeat on December 16, 2009.

For many ecommerce developers

For good reason. Determined hackers can compromise the most sophisticated network by combining simple, free tools with a little effort. In fact, the cyber-criminals behind the famed TJ Max and Heartland Payment Systems breaches used novice techniques like War Driving and SQL Injections to access the retailers’ networks.

If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.

Managing Credit Card Data

The first (and perhaps most important challenge) you’ll face with such an ecommerce development project is credit card collection, storage, and handling. One of the easiest and least risky options is to offload, via an API, the storage and handling of credit card numbers to a payment gateway that “hides” credit card data – Authorize.net, PayPal, BluePay or the like. If the credit card data is passed directly from the client (browser) to the gateway, without passing through your client’s web server, you’ll reduce your liability as the developer and help keep your client’s ecommerce site protected.

However, this solution many not work in all situations or for all clients for, at least, a few reasons.

1. Complicated recurring billing. If your client has a complicated recurring billing structure wherein payments vary in time, frequency, amount, or purpose; or if your client’s customers use purchase orders, your client may need to keep the raw credit card numbers available for the flexibility. Your client can still use tokens and offload the recurring billing to some credit-card-obscuring payment gateways as mentioned above, but again the need to process or manage customer data can be project specific.
2. Save on Interchange fees. All credit-card merchant-account providers charge an Interchange fee, and these fees can and do vary from provider to provider. So for some potential clients managing customer credit card data can be well worth the risk if doing so allows them to get a significantly better fee structure.
3. Offloading credit-card-storage is not enough. If credit card data passes through your client’s web server, whether the business stores that data or not, the system you develop needs to be PCI compliant. In short, whenever possible, choose a solution that never exposes your web server and your client’s ecommerce business to customer data. But when a project does call for credit data transfer or storage, you’ll need to build a Payment Card Industry compliant system that hackers cannot easily overcome.

Understanding the Requirement for PCI compliance

The Payment Card Industry (PCI) Security Standards Council has established twelve mandatory practices and precautions that must be taken when handling, processing, storing, and transmitting credit card data. The effort necessary to achieve PCI compliance will vary depending on the state of your development and hosting environment in which the ecommerce application will reside. While the specific details of becoming PCI compliant would merit a separate article, it is important to remember that when a project calls for “touching” credit card information, PCI compliance is a must. Your ecommerce client cannot do business without being compliant.

Cutting the Cost of PCI Compliance

PCI compliance can be expensive. For example, building a PCI compliant system from the ground up may require enlisting the help of a Qualified Security Assessor (QSA) to shape the scope of your PCI compliance undertaking; a number of audits; and monthly scans. All of this may cost a Level 3 merchant—those that process between 20,000–and–1,000,000 transactions each year—up to $155,000, according to the PCI DSS Compliance Blog .

The cost for smaller, Level 4 merchants, processing less than 20,000 transactions each year, varies greatly, but could cost $2,500 or more according to a payment gateway provider.

As a savvy developer, you may be able to help your client defray some of these costs.

1. Find a compliant host. Choose a web hosting environment that is already PCI compliant. If your client doesn’t need to own servers, consider a qualified, PCI compliant host.
2. Encourage processing in the client. The points above notwithstanding, choosing a solution that captures credit card data in the client, passing a token to your client’s web server, may be the best option.
3. Small merchants can do it themselves. Consider taking the “self assessment.” Level 2 and smaller merchants can self-assess rather than hiring a third-party to do the assessment, which can be a money saver.

PCI Compliance: You Need to Do It

Achieving PCI compliance is not only mandatory for all ecommerce merchants, it also assures that you and your client have taken all the steps necessary to provide a safe shopping experience for your client’s website users. Taking the steps to secure your client’s environment before a security breach may go a long way with Visa, Mastercard, the PCI Council, and forensic auditors who will be performing due diligence should disaster strike.

In fact, mitigating a security breach may be more challenging and expensive for non-compliant companies. Forrester Research estimates that mitigation will cost an average of $200 for each person/credit card account that is compromised.

This article was featured in eCommerce Developer on December 8, 2009.

Just like choke holds, Denial of Service attacks come in a variety of flavors – Flood Attacks, SYN Attacks, Smurf Attacks, Ping of Death Attacks, and the ultimate tap out producer Distributed Denial of Service Attacks (to name a few). Each method is designed to achieve a single goal – stifle the target website or online application.

Generally speaking, DoS/DDoS attacks accomplish this by directing a flood of “packets” (fake visitors, often robots) to your website at the same time. In simple terms, a denial of service attack takes up all your hosting environment’s available bandwidth and resources making it impossible for human traffic to reach your website or service.

DoS/DDoS Popularity and Severity on the Rise

Geared toward taking sites offline rather than stealing information or deceiving unknowing web surfers, DoS/DDoS attacks could be regarded as the cyber “crime of passion”. These attacks have effectively silenced religious and political groups from publicly publishing their opinions. High-profile organizations make headlines most often, but really any group with “offbeat” opinions could be the target of a DoS/DDoS onslaught.

Extortion is another popular motive behind DoS/DDoS attacks. Just recently, several Australian sports-betting websites lost millions in revenue over a busy weekend when criminals held their web services hostage for ransom money. Other commercial entities are starting to feel the effect of DoS/DDoS deployments too. Recruit Advantage and Bitbucket have both recently suffered losses due to prolonged outages, and it’s only a matter of time before mass-market retailers use attack-for-hire services to wreck holiday sales for the competition.

DoS/DDoS attacks can take a website or online service to it’s knees effectively and inexpensively, so they are growing to become a popular add on to botnet operators’ portfolios. For a mere $200/day, common Rent-a-DDoS operations can dish out botnet deployments ranging from 100Mbps to 100Gbps. Prolonged over several days, an attack of this magnitude could leave your start-up with a 5-digit invoice for bandwidth.

How to Prevent a DoS/DDoS Smackdown

Unlike other cyber crimes, this type of attack may not pose a direct threat to your clients’ PII (personally identifiable information). That doesn’t spare you the expense of lost sales, regaining public opinion, and technical resources however. In addition to those more “expected” costs, you’ll face charges for the bandwidth consumed during the exploit, and that bill alone could be enough to lead your startup business to early retirement.

The worst part is that if a cyber opponent has you in his or her sights, you’re going down for the count. There are no known prevention methods on record. DoS/DDoS attacks are like a jump spinning rear kick delivered in your blindspot. Scary, deadly stuff.

Don’t Take DoS/DDoS Exploits Lying Down

Since you can’t “eat healthy and excise” your way out of a DoS/DDoS attack, your best bet is to position your website or online application to mitigate the incident. Do this by monitoring your traffic and system state closely at all times. Knowing traffic trends gives you the best chance for getting your guard up FAST, so you have a chance at successfully mitigating the attack.

No matter what equipment or techniques are deployed to mitigate a DDoS/DoS attack, if your internet connection is smaller than the attack size – you’re down. For example, if you have a 100Mbps connection to the internet and the attack is 400Mbps (typical attack size), then the attack exceeds your available bandwidth by 4x saturating your entire network rendering services incapable of responding.

However, if you have enough bandwidth capacity available these techniques and devices are good allies to have when you’re immersed in the heat of a denial of service battle:

• Traffic Redirection – Deny all traffic, good and bad. This method is effective for getting your resource consumption under control and restoring order to your server, but it does not solve the problem of getting customers back in your virtual door.
• IP Filtering – Using routers or firewalls to filter traffic by geography for example can be an effective way to deny traffic from IPs based outside your service area – the US for example. Unfortunately, these devices can only sniff invalid IPs; they are not effective when spoofed or valid IPs are attacking.
• Intrusion Prevention Systems / Application Firewalls – These expensive and adaptable devices “learn” your traffic and can help deny access from malicious origins very effectively.
• DoS Mitigation Appliances – Specialized hardware and software made specifically to fight DoS attacks, DoS/DDoS mitigation appliances provide functionality similar to IPSs and WAFs. This appliance should sit on the very edge of your network (outside your firewall) so it’s taking the attack load off your network.
• Application Optimization – Expertly configured applications can help mitigate D0S/DDoS incidents or an influx of desirable traffic for that matter. Caching pages, for example, can help defray the impact of an attack.
• Load Balancing / Clustering – Servers can handle a substantial amount of traffic (both good and bad), so load balanced / clustered environments provide diversification and help prevent a bottleneck within a single piece of hardware.

If you’re attacked by a DoS/DDoS exploit, your network will consume bandwidth at a high rate for a sustained period of time, so review and understand your billing agreement for bandwidth overage. The alternative, limiting your bandwidth pipe will help prevent the unexpected bill, but again it doesn’t get you back online for business.

If you find yourself under attack by DoS/DDoS, use social platforms like Twitter and Facebook to communicate updates with your customers and other interested parties. Customers and prospective business partners appreciate being notified as soon as possible. Plus, being the first to report the attack lets you control the message and keeps any rumors at bay.