Web sites are unfortunately prone to security risks, and so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts are your most serious sources of security risk.
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding defines the size of that window, limits the kind of information that can pass through it and thus establishes the degree of web security you have.
Is Your Site or Network at Risk?
"Web security" is relative and has two components, one internal and one public. Your relative security is high if you have few network resources of financial value, your company and site aren't controversial in any way, your network is set up with tight permissions, your web server is patched up to date with all settings configured correctly, the applications on your web server are all patched and updated, and your web site code is written to high standards.
Your web security is relatively lower if your company holds financial assets such as credit card or identity information, if your web site content is controversial, or if your servers, applications and site code are complex or old and maintained by an underfunded or outsourced IT department. All IT departments are budget-challenged, and tight staffing often creates deferred maintenance issues that play into the hands of anyone who wants to challenge your web security.
Web Server Security
The world's most secure web server is the one that is turned off. Simple, bare-bones web servers with few open ports and few services on those ports are the next best thing. This simply isn't an option for most companies: powerful and flexible applications are required to run complex sites, and these are naturally more subject to web security issues.
Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry to watch.
If your system has been correctly configured and your IT staff has been punctual about applying security patches and updates, your risks are mitigated. Then there is the matter of the applications you are running; these too require frequent updates. And last there is the web site code itself.
Your Greatest Web Security Risks: Known or Unknown?
Your site is 1,000 times more likely to be attacked with a known exploit than an unknown one. The reason is simple: there are so many known exploits, and the complexity of web servers and web sites is so great, that the chances are good that one of the known vulnerabilities will be present and allow an attacker access to your site.
The number of sites worldwide is so great, and the number of new, as yet undocumented and thus unknown exploits so small, that your chances of being attacked with one are nearly zero - unless you have network assets of truly great value.
If you don't attract the attention of a very dedicated, well-financed attacker, then your primary concern should be to eliminate your known vulnerabilities, so that a quick look reveals no easy entry using known vulnerabilities.
Web Security Defense Strategy
There are two roads to excellent security. On the first, you would assign all of the resources needed to maintain constant alert to new security issues: ensure that all patches and updates are applied at once, have all of your existing applications reviewed for correct security, ensure that only security-knowledgeable programmers work on your site, and have their work checked carefully by security professionals. You would also maintain a tight firewall, antivirus protection and run IPS/IDS.
Your other option: use a web scanning solution to test your existing equipment, applications and web site code to see whether a KNOWN vulnerability actually exists. While firewalls, antivirus and IPS/IDS are all worthwhile, it is simple logic to also lock the front door. It is far more effective to repair a half dozen actual risks than to leave them in place and try to build higher and higher walls around them. Network and web site vulnerability scanning is the most efficient security investment of all.
If one had to walk just one of these roads, diligent wall building or vulnerability testing, web scanning has been seen to produce a higher level of web security on a dollar-for-dollar basis. This is proven by the number of well-defended web sites which get hacked every month, and the much lower number of properly scanned web sites which have been compromised.