Web security is something that we don’t
talk about much. It’s not a sexy, buzzworthy topic and is one of those things
that many of us take for granted.
2016 has been the year of the “data breach”. Hackers have gained
unauthorized access and extracted data from some very well-known
organizations: Yahoo, Adobe, LinkedIn, ADP and the FBI.
While it may not be a “fun” topic, it’s
certainly something that is very top of mind here at Sherpa Marketing. As one
of Canada’s leading custom application development shops, we have a very real
responsibility to protect our clients’ and our clients’ clients’ data. There is
a fiduciary responsibility to employ best practices – and if that’s not enough,
the threat of being sued is certainly enough to keep Sherpa on its toes.
The threats are VERY REAL. Cyber warfare
and hacking are in the news daily, yet for some reason there seems to be
general apathy among end users. More worrisome are the web developers that pay
little attention to security best practices.
Whether they come from a coordinated state attack
(North Korea, Iran, Syria, Russia) or a hacker group (Anonymous, Lizard Squad,
LulzSec), at Sherpa we regularly see scans
launched against our customers’ websites.

Typically, these attacks are DDoS (Distributed
Denial of Service) and SQL injection attacks. A DDoS attack is intended to
cripple your website by flooding it with traffic until it is unusable, thus
interfering with your ability to do business. A SQL injection attack is a code
injection technique, used against data-driven applications, in which
malicious SQL statements are inserted into an entry field so that the
database executes them, for example to dump the database contents (such as
usernames and passwords) to the attacker [1].
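To make the “entry field” mechanism concrete, here is an added example (not code from Sherpa or from the original post): the same user lookup written two ways against a throwaway SQLite database, with constructed table contents. The first pastes the field value into the SQL text, so a crafted value rewrites the statement and dumps every row; the second binds the value as a parameter, so the database treats it purely as data.

```python
"""
Added example (not code from the original post): a user lookup built by
string concatenation beside the parameterized version. The users table and
its two rows are constructed for the demo.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the entry-field value becomes part of the SQL text, so a
    quote character in it changes the statement the database runs."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is bound as a parameter. The database never parses
    it as SQL, whatever characters it contains."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A field value that closes the quoted string and appends a tautology.
# Against the vulnerable lookup the statement becomes
#   ... WHERE username = '' OR '1'='1'
# which matches every row and dumps all usernames and passwords. Against
# the parameterized lookup it matches nobody, since no user has that name.
DUMP_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups with a normal name and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, DUMP_PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_injected": lookup_parameterized(conn, DUMP_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is not input filtering: it is keeping the statement and the data in separate channels, which every mainstream database driver supports through parameter binding or prepared statements.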
We take your security seriously. It’s
fundamental to our choice to largely avoid open source platforms and solutions.
Sherpa has lost out on dozens of projects because we don’t use WordPress,
Joomla and Drupal.
Why don’t we capitulate? One of the biggest reasons is
security. Hackers are much more inclined to attack websites that share a common
platform; for them it’s a numbers game. There are millions of
websites built on WordPress, whereas there are dozens built on Custodian. Find a
WordPress vulnerability and you can exploit sites by the thousand. Find a Custodian
vulnerability and…?
There is an ebb and flow in the battle to secure
the web. One side struggles to protect you and the other fights to exploit you.
It’s a fight that happens every second of every day.
Beyond our choice to use closed source, we
also realize that there is a need for constant vigilance. In the last three
months Sherpa has:
- Sent our most senior software developer to New York for a security summit, where he learned industry best practices for defending against cyber attacks
- Hired an independent third-party security expert to audit our internal and external networks
- Hired an independent third-party security expert to audit our systems and processes
- Started migrating our website hosting to the Microsoft Canada Azure Cloud (good enough for the United States Department of Defence, good enough for you)
- Collaborated with our biggest client on the Incapsula settings that secure their data on the web and in smartphone apps
- Moved to secure-FTP-only file transfer with our biggest client (no USB memory sticks)
- Begun forcing SSL/TLS on all websites moving forward
- Integrated industry-leading security scanning and web application testing tools into our standard development workflow
Web security is something that we don’t talk
about when Sherpa is differentiating itself from competitors, but maybe we
should.
A hack can have detrimental immediate effects on your business, but
also long-term effects in the form of lost trust with your customers. Even if
your website holds no client data whose privacy could be breached, it is an
important part of your business and it should be protected. It’s certainly a discussion
worth having with your web/application development partner.
When I think of the work that our software
team does every day, the quote from Ron Burgundy comes to mind:
“I'm proud of you fellas. You all kept your head on a swivel, and that's what you gotta do when you find yourself in a vicious cock fight.”

Internet security is a bit like exercise,
not everybody wants to do it, but everybody should.
Some suggested reading:
https://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/
http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html
[1] https://en.wikipedia.org/wiki/SQL_injection