Best practices for keeping your website safe
Technical Articles ID: KB53370
Last Modified: 4/6/2017


Environment

McAfee SiteAdvisor Enterprise 3.5
McAfee SiteAdvisor Enterprise Plus 3.0

Summary

NOTE: The SiteAdvisor Site Rating is McAfee's opinion of a website's reputation. The site rating is based on a variety of attributes that, in our judgment, provide the best indication of a site's reputation over time.
 
Precautions for site owners
The following list is not comprehensive and does not guarantee a Green site rating. The list provides guidance for site owners on best practices for preserving the reputation of their sites.


Hosting files for download
You are responsible for programs that can be downloaded from or through your site. Always perform simple checks, such as scanning a program with a reputable anti-virus scanner, before making it available. One option is to upload the program to VirusTotal, a free service that scans the file and reports detection results from multiple anti-virus vendors, including McAfee (http://www.virustotal.com). Be aware that some malicious code is not detected by an anti-virus scanner until the program has been installed or run, so a clean scan result is not proof that a file is safe.

Removing a potentially dangerous program means removing the links to it and deleting the file itself from the site's public servers. Removing only the link is not sufficient: the file remains reachable by its direct URL, and anyone who already has that URL can still download it.
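The following script is an added example for this page, not part of the McAfee article or of SiteAdvisor. It shows the check the paragraph above calls for: after a download has been "removed" by deleting its link, the file may still be sitting in the download directory. The script builds a small constructed site in a temporary directory (one page, one current installer, one withdrawn installer whose link was removed), then lists every file under the download directory that no HTML page on the site links to, together with its SHA-256 so the hash can be looked up or recorded. The directory layout, file names and the simple href/src regex are assumptions for the demonstration.

```python
"""Find download files that are still on disk but no longer linked from any page."""
import hashlib
import os
import re
import tempfile

# href="..." / src='...' attributes; a deliberately simple regex for the demo (assumption)
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def referenced_paths(webroot):
    """Return the set of site-relative paths referenced by any HTML file under webroot."""
    refs = set()
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                for target in LINK_RE.findall(fh.read()):
                    target = target.split("#", 1)[0].split("?", 1)[0]
                    if "://" in target or target.startswith("//"):
                        continue  # external links are out of scope for this check
                    if target.startswith("/"):
                        rel = target.lstrip("/")
                    else:  # resolve relative to the page's own directory
                        page_dir = os.path.relpath(dirpath, webroot)
                        rel = os.path.normpath(os.path.join(page_dir, target))
                    refs.add(rel.replace(os.sep, "/"))
    return refs


def orphaned_downloads(webroot, download_dir="downloads"):
    """Return sorted (site-relative path, sha256) for download files not linked from any page."""
    refs = referenced_paths(webroot)
    orphans = []
    for dirpath, _dirs, files in os.walk(os.path.join(webroot, download_dir)):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if rel not in refs:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                orphans.append((rel, digest))
    return sorted(orphans)


def build_sample_site():
    """Constructed sample site: index.html links setup.exe; old-setup.exe was unlinked but never deleted."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "downloads"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><body><a href="/downloads/setup.exe">Download</a></body></html>')
    with open(os.path.join(root, "downloads", "setup.exe"), "wb") as fh:
        fh.write(b"MZ current release")          # constructed placeholder content
    with open(os.path.join(root, "downloads", "old-setup.exe"), "wb") as fh:
        fh.write(b"MZ withdrawn release")        # constructed placeholder content
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, sha in orphaned_downloads(site):
        print(f"still on disk but unlinked: {path}  sha256={sha}")
```

Run it against a copy of the real web root rather than the live server, and treat every reported file as something to either delete or deliberately re-link; a file that is merely unlinked is still served to anyone who requests it.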
 

Email practices
You are responsible for what happens to information, including email addresses, submitted to your site. The site's security and data handling practices determine how well user information is protected, and poor practices cause users to receive unexpected email. Examples of poor handling include posting email addresses in a way that lets third parties harvest them, leaving the site vulnerable to attackers who can steal stored addresses, and sharing data with partners who might be spammers or who might pass the information on to spammers.

The email test used by SiteAdvisor technology is an action/result test. The action is submitting a unique email address to forms found on the site; the result is counting the messages sent to that address and scoring them for spam-like characteristics. The test does not attempt to identify the source of the spam; it simply notes that an address given only to that website is now receiving spam.
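A site owner can apply the same action/result idea to their own forms and partners, to find out which one is leaking addresses. The script below is an added example for this page; it is not McAfee's or SiteAdvisor's code and it does not reproduce their spam scoring. It issues a unique tagged address per recipient (using `+` subaddressing, so all mail lands in one mailbox), binds the tag to the recipient with an HMAC so a mistyped or forged tag cannot be attributed to the wrong form, and then tallies received messages per recipient. The secret, base mailbox and sample inbox are constructed for the demonstration.

```python
"""Per-recipient canary email addresses: learn which form or partner leaked an address."""
import hashlib
import hmac
import re

SECRET = b"demo-only-secret-rotate-me"   # constructed; the real secret stays out of source control
MAILBOX = "canary@example.com"           # constructed base address; relies on '+' subaddressing


def _label(recipient):
    """Normalise a recipient name to a safe local-part label, e.g. 'Shop Partner' -> 'shop-partner'."""
    return re.sub(r"[^a-z0-9-]+", "-", recipient.lower()).strip("-")


def _tag(label):
    """12-hex-digit HMAC-SHA256 tag binding the label to our secret."""
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:12]


def canary_address(recipient):
    """Unique address to hand to exactly one form or partner."""
    local, domain = MAILBOX.split("@")
    label = _label(recipient)
    return f"{local}+{label}.{_tag(label)}@{domain}"


def attribute(address):
    """Return the label a received address was issued for, or None if the tag does not verify."""
    m = re.fullmatch(r"([^+@]+)\+([a-z0-9-]+)\.([0-9a-f]{12})@(.+)", address.strip().lower())
    if not m or f"{m.group(1)}@{m.group(4)}" != MAILBOX:
        return None
    label, tag = m.group(2), m.group(3)
    return label if hmac.compare_digest(tag, _tag(label)) else None


def tally(messages):
    """Count received messages per attributed recipient; unverifiable addresses land under None."""
    counts = {}
    for msg in messages:
        who = attribute(msg["to"])
        counts[who] = counts.get(who, 0) + 1
    return counts


def demo():
    """Constructed inbox: unsolicited mail to the partner-form address, one legitimate newsletter, one forged tag."""
    issued = {name: canary_address(name) for name in ("Shop Partner", "Newsletter")}
    inbox = [
        {"to": issued["Shop Partner"], "subject": "Cheap pills"},
        {"to": issued["Shop Partner"], "subject": "You have won"},
        {"to": issued["Shop Partner"], "subject": "Urgent: verify your account"},
        {"to": issued["Newsletter"], "subject": "Monthly update"},
        {"to": "canary+newsletter.000000000000@example.com", "subject": "Forged tag"},
    ]
    return tally(inbox)


if __name__ == "__main__":
    for who, n in sorted(demo().items(), key=lambda kv: str(kv[0])):
        print(f"{who or 'unattributed'}: {n} message(s)")
```

Three messages arriving at an address that was given only to the partner form is the signal the article describes: it does not prove who sent the spam, only that the address handed to that one recipient has been exposed.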


Browser exploits
You should routinely monitor your websites for browser exploits or content that attempts to control a visitor's computer without authorization.

You should follow best-practice change-control and content-management procedures so that you know when files change on your site. Treat any file that changes outside the accepted process as suspect until the change has been explained.
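One concrete way to know when files change outside the accepted process is to record a hash manifest of the web root after each approved deployment and compare the live tree against it. The script below is an added example for this page, not code from the McAfee article: it builds a constructed web root, saves a baseline manifest, then simulates an injected script tag, a dropped-in PHP file and a deleted page, and reports each category of change. The file names and contents are assumptions for the demonstration.

```python
"""Baseline-and-compare file integrity check for a web root."""
import hashlib
import json
import os
import tempfile


def hash_tree(webroot):
    """Map site-relative path -> sha256 hex digest for every regular file under webroot."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def save_baseline(webroot, path):
    """Write the approved manifest. Keep it outside the web root and read-only to the web server user."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(hash_tree(webroot), fh, indent=2, sort_keys=True)


def compare_to_baseline(webroot, baseline_path):
    """Return added, removed and modified site-relative paths relative to the saved baseline."""
    with open(baseline_path, encoding="utf-8") as fh:
        baseline = json.load(fh)
    current = hash_tree(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: approved deploy, then changes nobody filed a change request for."""
    root = tempfile.mkdtemp(prefix="webroot-")
    baseline = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "manifest.json")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Welcome</body></html>")
    with open(os.path.join(root, "contact.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Contact us</body></html>")
    save_baseline(root, baseline)

    # Unapproved changes (constructed): a script tag appended to the home page,
    # an unexpected server-side file, and a page that vanished.
    with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
        fh.write('<script src="//example.invalid/x.js"></script>')
    with open(os.path.join(root, "upload.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed: file nobody deployed */ ?>")
    os.remove(os.path.join(root, "contact.html"))
    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every entry the comparison reports should correspond to an approved change; anything left over is exactly the "file that changed outside the accepted process" the paragraph tells you to be suspicious of. Re-generate the baseline only after the unexplained entries have been investigated.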

Other safe practices include routine security assessments of your websites. Use these assessments to find and patch vulnerabilities in the software stack: the operating system, web server, database, and application servers. A good starting point for security best practices is the Open Web Application Security Project (http://www.owasp.org).


Online affiliations
Links to external domains are a powerful tool for connecting with partners and customers, and they can also improve a site's position in search engine results (Google, Yahoo, and so on). Be aware, however, that linking to another site can be seen as an endorsement of, or collaboration with, that site. Malicious site owners take advantage of this by creating their own apparently safe sites or by placing links on third-party sites to drive traffic to a specific location; this can send traffic to risky sites from a site that is otherwise benign. Periodically review the sites you link to using SiteAdvisor or other sources.
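The periodic review of outbound links is easier when the list of external hosts is generated mechanically. The script below is an added example for this page, not McAfee's or SiteAdvisor's code: it parses every HTML page under a web root, collects the hostnames of outbound anchors, scripts, iframes, images, stylesheets and form targets, and reports those that are neither your own domains nor on an allowlist of partners you have deliberately chosen. The reported hosts are the ones to look up in SiteAdvisor or another reputation source. The sample pages, domains and allowlist are constructed for the demonstration.

```python
"""List external hosts a site links to that are not on the partner allowlist."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect outbound targets from the attributes that can pull in or point to third parties."""
    TAGS = {"a": "href", "script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.targets.append(value)


def external_hosts(webroot):
    """Map external hostname -> set of site-relative pages that reference it."""
    hosts = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            page = os.path.relpath(os.path.join(dirpath, name), webroot).replace(os.sep, "/")
            parser = LinkCollector()
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                parser.feed(fh.read())
            for target in parser.targets:
                host = urlsplit(target).hostname  # None for relative links and mailto:
                if host:
                    hosts.setdefault(host.lower(), set()).add(page)
    return hosts


def unreviewed_hosts(webroot, own_domains, partner_allowlist):
    """Return {host: sorted pages} for hosts that are neither ours nor an approved partner (subdomains included)."""
    trusted = set(own_domains) | set(partner_allowlist)

    def approved(host):
        return any(host == d or host.endswith("." + d) for d in trusted)

    return {h: sorted(p) for h, p in external_hosts(webroot).items() if not approved(h)}


def build_sample_site():
    """Constructed sample: a partner CDN script, an internal link, and a promotional link nobody reviewed."""
    root = tempfile.mkdtemp(prefix="site-")
    pages = {
        "index.html": '<a href="https://www.example.com/about">About</a>'
                      '<script src="//cdn.partner.example/lib.js"></script>',
        "blog/post.html": '<a href="http://free-prizes.example.net/win">Claim your prize</a>'
                          '<img src="/img/logo.png">',
    }
    for rel, body in pages.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    findings = unreviewed_hosts(site, {"example.com"}, {"partner.example"})
    for host, pages in sorted(findings.items()):
        print(f"review {host}: linked from {', '.join(pages)}")
```

Run it on each content release and keep the allowlist under change control; a host that appears in the report without a matching allowlist entry is either a new partner that needs vetting or a link that was added without review.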


Annoyances or grievances
Pop-up windows get a user's attention and are often used as an advertising tool, but users commonly consider them a nuisance. Strictly limit the number of pop-up windows, or other windows, that open when users visit your site.

Pop-up windows can also deliver malicious code to visitors or drive traffic to malicious sites. When you use certain advertising companies and tools, you may not fully control how many ads are shown or exactly what they contain. Present to your users only content that is under your control, or content from trusted third parties that have strict controls in place.

E-commerce or scam
When your site hosts promotions, or links to promotions on other sites, pay attention to the product being offered. A promotion can be considered misleading when the description of the offer differs from the actual terms and conditions, when the terms and conditions themselves are unclear or misleading, or when there is credible information that the claims are suspect or require very careful consideration. Some promotions are outright malicious; these include free offers that collect personal information and then sell or use that data in ways the user did not understand. Be mindful of the product being offered and of how your users might interpret the promotion.

The following free tools are available from SiteAdvisor to help site owners understand site ratings and better protect their users.
  • Free detailed SiteAdvisor Site Ratings are available at http://www.siteadvisor.com/analysis/. Use the Search box to find the information collected about a site.
  • The SiteAdvisor browser plug-in provides site rating indicators while users browse.

Previous Document ID

616159
