TL;DR: This blog post, ‘Web Privacy and Accessibility Guidelines’, is divided into two sections: the first covers website security, and the second discusses accessibility guidelines for website design according to W3C-WAI standards.
Security Guidelines for Website Development
Website security and privacy are among the most important aspects of web application development, and companies should not overlook them under any circumstances. Security risks left unattended can cause irreparable harm to a business, whether as financial or reputational damage.
Digitization brings numerous benefits, and challenges along with them. That is why it is high time companies considered accessibility, optimization, and the other basic fundamentals, especially web security and customer privacy. Mobile and web applications are now a crucial part of the business landscape: they get things done faster, simplify business operations, and help companies reach their goals in a matter of days.
According to sources, over 30,000 websites are hacked every day, and it can happen to anyone. Businesses cannot simply assume, ‘hackers won’t hack our website; our business is small, and even if they do, there’s not much they can get out of it.’ That mindset is the root cause of the problem.
‘Security breaches don’t just happen to banks and large corporations,’ says Kristina Balaam, Application Security Engineer at Shopify. ‘I’ve heard so many developers say that they don’t need to worry about security issues because they’re not a target, but the truth is that you never really know if you are.’ More than half of the companies around the globe experience cyberattacks; some are prepared to fight the dire consequences, and some not so much.
Hence, having network security, operating system security, and web application security protocols in place, collectively known as cybersecurity, is critical, because every website on the World Wide Web is at risk. The sooner you realize this, the better. Intruders will not stop hacking, which means you should not stop improving your web security standards either.
Transition to Remote Work and Cyber-Threats
Our entire business ecosystem, including the technological landscape, is in constant evolution. Looking back at the events of 2020, the global pandemic greatly impacted the global economy. Companies were forced to shift their workforce to remote environments to comply with lockdown policies and to contain the spread of the virus.
Even though remote work gave companies an opportunity to continue their business operations, it also led to some serious cybersecurity concerns; some might even call it a cyber pandemic. The inevitable and unplanned transition to remote work was totally new to some businesses, if not all.
To avoid complications and keep business operations running, companies side-stepped security protocols altogether, intentionally or unintentionally, which led to risks and system vulnerabilities.
The most widely reported cyberattack of 2020 hit the U.S. cybersecurity firm FireEye, which was breached by nation-state hackers. According to The Wall Street Journal, ‘the cybersecurity company said the attack compromised its software tools used to test the defenses of its thousands of customers.’
The bottom line is that remote work is not going anywhere anytime soon. The best companies can do is re-strategize and reassess their security measures to ensure the safety of their networks and infrastructure.
Popular Types of Website Security Attacks
Data Breach
A data breach happens when an unauthorized person accesses confidential, sensitive, or protected data without permission, usually for personal gain. Breaches are typically caused by software misconfiguration, accidental or malicious insiders or outsiders, malware attacks, phishing, brute-force attacks, or even loss of hardware.
According to sources, there were approximately 944 recorded data breaches in the first six months of 2018 alone, and nearly 2,000 in 2017. The numbers are alarming.
Bad actors can exploit even a minor vulnerability in the system, whether through the internet, email, online services, or Bluetooth, resulting in a massive data breach. From large businesses to individuals, no one is immune to a data breach.
Code Injection
As the name suggests, intruders inject malicious code into the system, for example into a text input field for credit card information whose value is spliced into an SQL SELECT statement. This is known as an SQL injection attack, a web application security vulnerability.
The attacker abuses the application’s own code path to reach and corrupt the database, which allows them to create, update, alter, read, or delete data stored in the back-end database. Other kinds of code injection include:
- Shell injection
- Operating system command attacks
- Script injection
- Dynamic evaluation attacks
- Cross-Site Scripting or XSS
Broken Authentication
This attack takes place when authentication is broken, meaning poorly implemented. Attacks through broken authentication are the most common kind and include account takeovers, which enable attackers to compromise passwords and sensitive user account information, steal identities, and compromise keys or session tokens. Common causes of this kind of attack include:
- Predictable or easy login credentials, such as a password of ‘password’.
- Unguarded user credentials.
- Session IDs exposed in the URL (URL rewriting).
- Session fixation attacks as a result of vulnerable session IDs.
- Unencrypted connections, and so on.
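The first, third and fourth causes above, worked as an added example that is not code from the original post: a constructed in-memory session store that rejects the ‘password is password’ case, regenerates the session ID at login so a planted (fixated) ID never becomes authenticated, and carries the ID in a cookie rather than the URL. The store, TTL and denylist are assumptions for illustration.

```python
import secrets
import time
from typing import Optional

# Constructed in-memory session store for this example: session_id -> record.
SESSIONS: dict = {}
SESSION_TTL_SECONDS = 30 * 60

# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_is_acceptable(password: str) -> bool:
    """Refuse predictable credentials (the 'password is password' case) up front."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def new_session(user: Optional[str] = None) -> str:
    """Issue an unguessable ID: 32 random bytes from the OS CSPRNG, URL-safe encoded."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    return sid


def login(pre_auth_sid: str, user: str) -> str:
    """Regenerate the session ID at the moment of authentication.

    This defeats session fixation: an ID that reached the victim's browser
    before login is discarded and never becomes an authenticated session.
    """
    SESSIONS.pop(pre_auth_sid, None)
    return new_session(user)


def current_user(sid: str) -> Optional[str]:
    """Resolve a session ID to a user, discarding sessions older than the TTL."""
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if time.time() - record["created"] > SESSION_TTL_SECONDS:
        SESSIONS.pop(sid, None)
        return None
    return record["user"]


def session_cookie_header(sid: str) -> str:
    """Carry the ID in a cookie, never in the URL, so it is not written to logs
    or leaked via Referer; HttpOnly keeps it from scripts, Secure keeps it off HTTP."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```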
DDoS (Distributed Denial of Service) Attack
It is considered one of the most powerful web attacks. Using DDoS attacks, hackers can bring down entire websites or other online services by flooding them with more junk traffic than the server can take. Their main goal is to make the website or service unusable. DDoS attacks can also be combined with ransomware-style extortion: the attacker demands a ransom from the victim to stop the attack and restore access to the website.
In 2016, Dyn, a popular DNS provider, was targeted with a powerful DDoS attack that took down many of the most popular websites and services that depended on it, including Netflix, PayPal, Amazon, Reddit, CNN, Spotify, GitHub, and others.
Search engine spam (web page spam and paid backlink spam), malware infection, insecure direct object references, and cross-site request forgery are some other types of security threats that companies should be wary of.
Tips to Keep your Company’s Website Secure
Below are some of the measures companies can implement to address website issues and make sure their website is risk-free:
- Stay on top of your security risks through regular penetration testing. Engage your company’s ethical hacker, under a legal agreement, to attack your website so you can identify vulnerabilities and safeguard weak entry points.
- Use the HTTPS protocol, if you aren’t already. It makes your website look trustworthy, and it improves search engine ranking as well.
- Learn about the different kinds of vulnerabilities and attacks, and how to handle them, to stay on top of things.
- Regularly maintain and update your software using the latest tools and technologies, because outdated systems are more prone to attacks.
- Always keep a data backup so that if an unexpected attack happens, you won’t have to start from zero.
- Choose a safe and secure web hosting platform; only go for well-known ones such as Go Daddy. You can also use web application security platforms such as Patchstack to monitor risks. WordPress, too, offers many security plugins to choose from.
- Hire dedicated security experts who know the ins and outs of cybersecurity practices.
- Use strong passwords for your databases and the back-end panel that houses all the sensitive customer data, and preferably enable 2-factor authentication for maximum security.
- Only let authorized users access the main back-end or admin panel.
- Use SSL/TLS encryption for sensitive web pages such as login and payment pages.
- Restrict external file uploads.
Accessibility Guidelines for Developing a Website
Now that we have covered website security, it’s time to skim through accessibility guidelines for developing a website. But first, let me ask you this: do you know why Netflix uses closed captioning, commonly known as subtitles? The entire idea of subtitles is to reach a broader audience. They are not only for people who don’t understand a particular language but also for those who cannot hear.
This concept of making people feel included, ‘equal information access for all’, is what accessibility and inclusion are all about. Understanding the needs of your target audience, of website visitors with disabilities or impairments, and of users outside your target audience is essential for building accessible experiences.
People with disabilities should have the same level of access to your website as everyone else, because if your website does not cater equally to everyone, and I mean everyone, then it probably shouldn’t be out there.
Accessibility Stats in the USA
According to studies by the Census Bureau, almost 56 million Americans have some type of disability. The breakdown of impairments that limit accessibility is as follows:
- 8.2% have difficulty lifting or grasping, which can impact the use of a mouse or keyboard.
- 6.3% have an emotional, cognitive, or mental impairment.
- 3.3% have a vision impairment such as color blindness or blindness; they may depend on a magnifier or a screen reader.
- 3.1% have hearing impairments and may rely on transcripts and captions for audio and video media.
These are the stats from the US alone; imagine the total when combined with other countries worldwide. Therefore, accessibility should be integrated into every element of the overall design that makes up a complete application or website, such as its features and interfaces.
Google is one of the most popular examples of accessible design. ‘We have to be proactive to make sure that our designs reach a broad audience of people, not just people who look and act like us.’ says Nathan Curtis, a design system advocate at Google.
W3C-WAI at a Glance
The World Wide Web Consortium (W3C) launched the Web Accessibility Initiative (WAI) in 1997 to work on guidelines, technical reports, educational materials, and other documents relating to the different components of web accessibility. In this second section of the blog, I will discuss some of W3C-WAI’s universally accepted accessibility guidelines. So let’s get started:
- Provide a sufficient color contrast ratio between foreground and background; it is important for readability, especially for those with low visual acuity.
- Don’t rely on color alone to convey a message; use symbols (*) and labels to indicate required text fields.
- Add interactivity to links and buttons, such as mouse-hover effects, to make them stand out and easier to identify.
- Navigation should be consistent across all web pages in naming, placement, and styling. Provide a site map as an alternative navigation option, and clear headings as orientation cues to guide visitors through the website.
- Make sure all form fields have labels, laid out from left to right. Also, use less negative spacing in forms.
- Provide error and success messages for forms.
- Use white space to reduce clutter; a clutter-free website is easier to scan and navigate.
- Optimize your web design for easy access on different types of screens such as desktops, iPads, and mobile devices, also known as responsive design.
- Provide alternatives to visuals and text, such as uploading audio recordings of blog posts for people with visual impairments.
- If you have a product video on autoplay, provide visible controls for the video, such as a button to turn autoplay off.
The Ultimate Question – Web Privacy and Accessibility Guidelines
How would you address the issues of privacy and accessibility when developing a website?
To address security and privacy issues during website development, developers should keep up with current trends, such as AI, ML, and offensive security measures, and integrate them into the system to the best of their abilities.
Moreover, they should know the programming technique of query parameterisation to prevent SQL injection attacks. Through contextual output encoding or escaping, developers can prevent XSS from taking place.
Additionally, they should learn about the W3C’s Content Security Policy, which offers a standard framework for browser-based protection. 2FA and strong password management are two of the most important security measures that can prevent cyberattacks. As far as accessibility is concerned when developing a website, the best way forward is to learn about the W3C’s Web Accessibility Initiative. Period.
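The SQL injection from the Code Injection section and the query parameterisation recommended here, as one added example that is not code from the original post: a constructed SQLite table with the concatenating lookup beside its parameterised replacement, plus a helper that flags any input for which the two disagree. Table, rows and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory demo table; the two rows are sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect the post describes: the input is spliced into the SQL text,
    so a value containing quotes can change the structure of the query."""
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Query parameterisation: the SQL text is a constant and the value is bound
    by the driver, so whatever the input contains, it is matched only as data."""
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_injected(conn: sqlite3.Connection, name: str) -> bool:
    """Check for this example: both lookups must agree for every input.
    A difference, or a syntax error from plain text like o'brien, means the
    concatenated query's structure was altered by the input."""
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.Error:
        return True
    return vulnerable != lookup_parameterized(conn, name)
```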
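Contextual output encoding for XSS (previous paragraph) and the Content Security Policy header mentioned here, as one added example that is not from the original post: one untrusted value rendered into HTML body, attribute, URL and inline-script contexts with a separate encoder for each, and a per-response nonce tied to a CSP header. The page fragment and policy directives are assumptions for illustration.

```python
import html
import json
import secrets
from urllib.parse import quote


def encode_for_html_body(value: str) -> str:
    """Text between tags: & < > \" ' are escaped so input can never open a tag."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Attribute values get the same escaping and must always be placed in quotes."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Data inside an inline <script>: JSON-encode, and also escape '<' so a value
    containing '</script>' cannot terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c")


def encode_for_url_param(value: str) -> str:
    """Data placed in a query string: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def new_nonce() -> str:
    """Fresh per-response nonce; never reuse it across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Browser-side second layer: scripts run only when tagged with this nonce,
    so markup that slips past encoding still cannot execute script."""
    return (
        "Content-Security-Policy: default-src 'self'; "
        f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"
    )


def render_profile(display_name: str, nonce: str) -> str:
    """Place one untrusted value in four contexts, each with its own encoder."""
    return (
        f'<p title="{encode_for_html_attribute(display_name)}">'
        f"{encode_for_html_body(display_name)}</p>"
        f'<a href="/u?name={encode_for_url_param(display_name)}">profile</a>'
        f'<script nonce="{nonce}">const who = {encode_for_js_string(display_name)};</script>'
    )
```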