Website Security – How to Prevent Breaches...

Website Security Risks

In my experience as a Security Consultant, I`ve witnessed numerous cases when lack of proper web server support and maintenance resulted in a company`s website being hacked and exploited by attackers. Unfortunately, it is not a rare case when businesses invest into website development only or store all their websites (as well as mail servers) on a single dedicated machine without an established and safe backup process. Additionally, if a company lacks a comprehensive security strategy and prefers to overlook a well-known security principle of “better safe than sorry”, a website administrator may not be ready for real-time attacks, which might result in website being down and sensitive data compromised. 

Sure, skimping on server and website maintenance, regular security check-ups and trainings will save you money in the short run. However, in the long run it`ll save you more if you invest into a secure server hosting provider and proper software architecture instead.

A simple truth is, it doesn`t matter which framework you selected for website development a couple of years ago – Joomla, Wordpress, ASP .NET or Java. As the time flows, they all need to be patched for discovered vulnerabilities and require regular security check-ups. The frameworks provide a fast and cheap way to create great websites, so businesses (even the large brands such as Barnes & Noble, Citibank or Peugeot) continue using them despite of the security risks presented by possible vulnerabilities, but what`s important – they should specifically focus (and many large brands do) on proper website security and maintenance. 

Secure Software Development: Levels of Responsibility

Owning an internet website is similar to owning a car – you pay to get it work smoothly, ride fast, look impressive and help you earn money. Just like with a car, you need to properly maintain your website:

• Check for vendor notifications about updates and patches or withdraws (‘change oil & tires’)
• Buy an insurance to protect yourself against risks.

In a company, website security starts with a developer, who should write a secure code. Then, a Quality Assurance expert tests the code for bugs and possible vulnerabilities. Next, a DevOps expert`s task is to automate build processes, patch application and server software, monitor performance and log files. At the next stage, a Security expert should review the results with security in mind. Then, there is a CIO.

Any mid-size or large company would have a person responsible for IT, who`s typically known as the CIO (Chief Information Officer). At times, this role could be combined with the CTO and even the CEO. Anyway, this person is responsible for decisions on IT support and website operations, as well as for preventing website security breaches as it is the IT staff that should support the company`s servers. A part of this process is designing backups and recovery plans for after-the-incident cases. Continuing with the car analogy, it’s similar to ensuring your backup wheel is functional in case of emergency.

When your IT engineers (or your software development vendor) develop software, your CTO/CIO should define where to deploy it (on separate servers on Amazon or special containers vs. all sites in single server) and how it should operate and be protected. Otherwise, your should ask your internal (or vendor`s) security consultants to design and implement a proper security strategy.

Six Simple Tips to Ensure Website Security:

1. Educate your organization. Tell your employees that Security experts need to ensure that application is secure in code and design. Explain that DevOps experts are needed to implement monitoring and patch management as well as secure support of your server and software. Security often goes hand in hand with DevOps, Architecture assessment and Business analysis – and vice versa.
2. Don’t put all eggs in one basket. Do not store all websites on a single server. It is architecturally wrong and could negatively affect websites performance.
3. Patch your web apps and web server. Regardless of what framework you use, it`s important to remember that none is a safe haven for your website. All of them have some vulnerabilities, which will have to be addressed.
4. Engage DevOps and/or security service provider. Your websites need regular check-ups for the code and server security review & assessment. If you don`t have such experts internally, address security vendors and ask them to help you establish a comprehensive security strategy and develop a plan for regular security check-ups. 
5. If you`re outsourcing your website development, make sure that security is part of the deal. Discuss the security maintenance and check-up possibilities with your vendor. For long-term strategic partnerships, you might want to consider a shared responsibility model.
6. The greedy pay twice. Don’t skimp and don`t cut corners on security, especially so if you`re responsible for protecting sensitive data of your website users. Security is a significant part of quality service and customer satisfaction.