Securing Web Applications in Your Company: Alternative OS, PDF Readers and Google Docs (Part 1)

03 Mar in Security

Web apps are not web sites. A web site is an informative place, publicly accessible on the internet, that provides info about your business, staff, locations, offers and so on. A web app is far less public, if public at all, and provides core functionality for the business processes of your company, amongst your staff and/or between your staff and clients. An unsecured web site may result in defaced pages and a bit of shame, because a web site is not supposed to store sensitive data; its purpose is to make data public in the first place.

How about an insecure web app? Credit card numbers of your buyers, private data of your partners and contacts, sensitive inside documents, logins and PASSWORDS!, bank account data, trade secrets, the list of dreads keeps growing...

This, in short, is the considerable difference between a web site and a web app. Now let's focus on some of the best practices needed to secure your company's web apps. Does "some" sound a bit, err, incomplete? It does, because this is just a blog post and not an exhaustive compilation. And because 100% security is a matter of heavens and not of geolocation. In other words: no matter how hard you secure your web apps, there will come a time when a new hacking method finally breaks into your precious private data. What to do then?

Always think a step ahead of the hacking wave chasing you. Think different, get smart! These are not just slogans slapped beneath renowned brands; they are keywords to securing your business in a web world of both open opportunities and perils.

The most common targets of attack vectors as we speak are: the Windows operating system, the Outlook mail client, the MSIE browser, the Acrobat PDF reader, and the Flash plugins. The more of these you use, the more you step back into the common crowd that is of interest to roaming China-based vultures.

Why those particular applications? Possibly because they're so popular, an economist would say. Probably because they have some quite old unpatched holes, a programmer may add. Who cares? You need to secure the web apps in YOUR business, so let us leave the philosophical matters to the press pundits. On a side note, you may want to read why most resistance to this kind of "Aurora" hack attack is futile.

Well, resistance might be futile but how about an evasion maneuver?

Consider using only Linux/Unix machines to connect to your critical networks. Never forget that the lowest common denominator sets the security level. You can have 99 Linux client computers and one single Windows machine connecting to the same server network. This means that when (not if!) the Windows machine gets compromised, your entire network gets exposed.

That was our tip on the operating system alternative. Next comes the Adobe Acrobat PDF reader option. Since you've got your staff on Linux, there is no need to use Acrobat any longer. Try KPDF, the PDF viewer embedded in KDE (a Linux desktop environment). For those under Gnome there should be other options. It matters less which PDF reader you're using; just veer away from the most popular one, which is already in the crosshairs of hacker attacks.

Now comes the office part of things: Word documents, Excel spreadsheets, PowerPoint files, etc. The best option here would be Google Apps, with their Google Docs. Oh yeah, one may counter, but Google is already a target, read the darn article you're linking to!

Well, Google was attacked in December, reported the breach in January and fixed it before February. Give me a similar reactive example with Google's competition, please!

Privacy? As long as you're running a legit business, you have nothing to fear. Your data are safe and sound on Google servers. By the way, the "gates" of attack against Google were the years-old unpatched MSIE6 and similar Windows client machines, which allowed hackers to steal logins and Gmail passwords.

More to come in another blog post. Gotta fix some Joomla modules merging, this time a typical web site matter...

In conclusion: you may have noticed that file formats are here to stay. All the .doc and .xls and .ppt and .pps and .pdf files and so on, none of them are going to change. But the applications handling them are! On the client side as well as on the server side.

Comments

PDF-XChange Viewer

Still, some won't [or can't] give up Windows altogether.
Here's their PDF alternative:

http://www.docu-track.com/product/pdf-xchange-viewer

Google docs PDF reader

Avoiding Acrobat Reader and its exploits, here's the Google alternative:

Docs PDF/PowerPoint Viewer (by Google)

Automatically previews pdfs, powerpoint presentations, and other documents in Google Docs Viewer.

https://chrome.google.com/extensions/detail/nnbmlagghjjcbdhgmkedmbmedeng...
