Some conversations are easy… some are difficult. Some are harmonious and some are laborious. But when it comes to website security, the conversation is confusing.

Every organisation agrees, in theory, that their websites need to be secure. But in practice, there is resistance to investing enough time and budget. Reasons for neglecting security include misconceptions surrounding Web Application security.

Below I’ve outlined some of the most common myths and misconceptions that can put your website at serious security risk.

My website is not the target of an attack because it is small and I run a small business.

An average small business website is attacked 44 times per day. In addition, a low-profile website is a nice playground for hackers to try out new tools and techniques. Hackers often use automated tools to find vulnerable websites and don’t discriminate when it comes to the size of the target. Any web application, even if it is not itself a target, may be of interest to attackers. Web applications with lax security are easy pickings for hackers and can be subject to a mass or targeted cyber attack.

We have not been attacked in years, so there’s nothing to worry about.

Just because you can’t see an attack, it doesn’t mean it isn’t happening.

According to one study, at any given moment 18.7 million sites around the world are infected by some form of malware. Automated web attacks that fly under the radar are damaging businesses at a large scale. Some bots are dangerously adept at operating under the guise of a legitimate user.

I have thoroughly tested my website and have fixed most of the known bugs. My site is completely secured now.

Security is also about constant monitoring and testing the complete stack of your application.

In the latest White Hat study, the organisations that conducted security testing had, on average, as many as 10 vulnerabilities, and only 50% of them were fixed. Modern websites are constantly changing. Every new line of code has the potential to introduce a new security issue.

Good security practices include having ‘visibility’ into, and the necessary ‘verifications’ of, the traffic patterns and the security posture of your website. Many modern Web monitoring tools, like Google Alerts, provide affordable, easy-to-use visibility and verification strategies.

The ability to measure web application security is critical for any business with a web-facing asset. Attack metrics such as ill-reputed data (IPs, tracking IDs), attacks by country and IP, and most attacked URLs need to be measured. Such data provides context and awareness of current and emerging threats, and a basis for an actionable response.
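
As an added illustration (not part of the original article), the sketch below derives three of the metrics named above from web server access logs: attacks by IP, most attacked URLs, and hits from ill-reputed IPs. The log lines, the probe pattern and the reputation list are constructed assumptions; per-country counts would additionally need a GeoIP database and are left out.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format; the IPs are RFC 5737
# documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 98 "-" "scanner"
198.51.100.23 - - [10/Mar/2024:10:01:10 +0000] "POST /login HTTP/1.1" 401 98 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:11 +0000] "POST /login HTTP/1.1" 401 98 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:02:05 +0000] "GET /search?q=../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed heuristic: a few commonly probed paths plus a traversal marker.
PROBE_RE = re.compile(r"(\.env|wp-login\.php|\.\./)")
# Constructed stand-in for an IP reputation feed.
BAD_REPUTATION = {"203.0.113.7"}


def attack_metrics(log_text, bad_ips=BAD_REPUTATION):
    """Count suspicious requests per IP and per URL, and hits from listed IPs."""
    by_ip, by_url, flagged = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        path = m["url"].split("?", 1)[0]  # group by path, ignoring the query
        # Suspicious: rejected authentication/authorisation, or a probe pattern.
        if m["status"] in ("401", "403") or PROBE_RE.search(m["url"]):
            by_ip[m["ip"]] += 1
            by_url[path] += 1
        if m["ip"] in bad_ips:
            flagged[m["ip"]] += 1
    return {
        "attacks_by_ip": by_ip.most_common(),
        "most_attacked_urls": by_url.most_common(),
        "ill_reputed_hits": dict(flagged),
    }


if __name__ == "__main__":
    for name, value in attack_metrics(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, `/login` comes out as the most attacked URL, and the listed IP is also the top source of suspicious requests.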