It’s launch day for your company’s new website. Your designer has tweaked his last pixel, your developer has pushed her final code update and the marketing director has given the thumbs up. But there’s a nagging doubt at the back of your mind: is it going to be secure?
Web security is a broad and mind-boggling topic but, as with many things, dealing with the top 20 per cent of issues will help safeguard you against 80 per cent of the risks.
Here are some things you need to cover off to help ensure your site stays safe.
Would you tell a random stranger in a coffee shop the password for your company site? By logging in on that coffee shop’s free wi-fi without SSL, you may as well.
SSL (secure sockets layer) is the standard for encrypting the link between a web server and a browser. If your site has any features protected by login, or deals with private or personally identifiable data, implementing SSL is a must.
That little padlock in your browser’s address bar looks like a simple thing, and it is simple to implement, but it makes an enormous difference to the security of data moving between user devices and your system. As an extra bonus, secure sites receive higher search rankings on Google.
While most mainstream web platforms and content management systems (CMS) have a base level of security built in, they can be quickly compromised by poorly written or misconfigured plugins.
Plugins are pre-made modules that add extra functionality to your site, such as special widgets, e-commerce features or pop-up messages, among thousands of others.
Even assuming the plugin author is well intentioned – which is not always the case – trusting your business and your customers’ data to community code is a risk that needs to be weighed carefully.
Commercial content management systems such as Sitecore, while certainly adding cost to your web presence over open-source alternatives, bring peace of mind that all plugins have been quality assured and examined for malicious code, backdoors and vulnerabilities. The same applies to updates.
In any case, keep your plugin use to a minimum, use only highly rated plugins from official marketplaces, and keep your CMS patched. It’s not enough to not be the easiest target – automated attacks can probe thousands of potential targets within hours of a new vulnerability being discovered. They can be dressed and dining on your data while you’re still in your pyjamas having toast.
If your site is compromised, you will quickly learn the benefit of encryption. You may not experience a breach as serious as Sony’s 2011 PlayStation Network hack, which cost the company $171 million, but you will certainly land in the press if your data protection is found wanting.
There is no excuse for storing passwords in plain text. If your site can remind a user of their existing password, rather than only being able to reset it, have a stern word with your developer. Reminders are not possible when passwords are stored with a correctly implemented, industry-standard one-way hash: the site can check whether a password is right, but it can never read the password back.
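To make that point concrete, here is an added example (not code from the article, nor from Speedwell) of how a site stores a password so that it can check a login but never recover the password itself. It uses only the Python standard library; the record layout `pbkdf2_sha256$iterations$salt$hash` is this example's own convention, not a named standard, and the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256.

```python
"""Password storage that permits verification but not recovery.

Added example, not from the original article. Standard library only.
Record format (this example's own convention):
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
"""
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string to persist for this password.

    A fresh random salt per user means two users with the same password
    get different records, so a leaked table cannot be attacked in bulk
    with precomputed hashes. The password itself is never stored.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    This is the only operation a site needs at login. There is no inverse
    function: nothing here can turn `record` back into the password, which
    is why a correctly built site can offer a reset but not a reminder.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: treat as a failed login
    if scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker setting than current policy.

    Because the password cannot be recovered from the record, the upgrade
    can only happen at the moment the user logs in successfully: verify,
    then call store_password again and overwrite the old record.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: what a signup would persist for one user.
    record = store_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stable", record))  # False
    print(needs_rehash(record))                                     # False
```

At login the application calls `verify_password`, and if it returns True and `needs_rehash` also returns True, it re-stores the password with the current settings while the plaintext is briefly in hand. A "remind me of my password" feature has no place to hook in, because no function here can produce the password from the record.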
Remember that as the custodian of your customers’ data, you have a responsibility to protect it. I hope this article will help you to confidently raise security questions with your developer.
James Radvan is the General Manager at Speedwell, one of Australia’s largest and most experienced web and mobile studios. While he now calls Brisbane home, his software career has taken him to the US, UK and Sweden, in everything from startups to multinationals.
At his happiest building things, he is a coder, project manager, musician, maker, painter and inveterate tinkerer. Having started his own son and daughter on the path to being code ninjas, James can be found on Saturdays mentoring at Chermside CoderDojo.