Sherpa takes Web Security Seriously

Web security is something that we don’t talk about much. It’s not a sexy, buzzworthy topic and is one of those things that many of us take for granted.

2016 has been the year of the “data breach”. Hackers have gained unauthorized access to, and extracted data from, some very well-known organizations, including Yahoo, Adobe, LinkedIn, ADP and the FBI.
While it may not be a “fun” topic, it is certainly top of mind here at Sherpa Marketing. As one of Canada’s leading custom application development shops, we have a very real responsibility to protect our clients’ data and our clients’ clients’ data. There is a professional and legal responsibility to follow best practices, and if that isn’t enough, the threat of being sued is certainly enough to keep Sherpa on its toes.

The threats are VERY REAL. Cyber warfare and hacking are in the news daily, yet for some reason there seems to be a general apathy among end users. More worrisome are the web developers who pay little attention to security best practices.

Whether the source is a state actor (North Korea, Iran, Syria, Russia) or a hacker group (Anonymous, Lizard Squad, LulzSec), at Sherpa we see regular scans launched against our customers’ websites.


Typically, these attacks are DDoS (Distributed Denial of Service) and SQL injection attacks. A DDoS attack is intended to cripple your website by flooding it with traffic from many sources at once, making it unusable and interfering with your ability to do business. A SQL injection attack is a code injection technique, used against data-driven applications, in which malicious SQL statements are entered into an input field (a login form, a search box, a URL parameter) and end up being executed by the database, for example to dump the database contents (usernames and passwords) to the attacker [1]. The root cause is almost always the same: the application builds its query by gluing user input into a SQL string instead of passing the input as a bound parameter.
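To make the mechanism concrete, here is an added example (not code from Sherpa or from the original post) that runs the same login query two ways against an in-memory SQLite table seeded with constructed sample rows. The table, the user names, the passwords and the payload string are all assumptions for the demo; real systems store password hashes, never plaintext, which is exactly why a successful dump is so damaging.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny users table.
# Plaintext passwords are used only so the "dump" is visible in the demo.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "hunter2"),
    ("carol", "correct-horse"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The classic mistake: the query is assembled by string concatenation,
    so whatever the user typed into the entry field becomes part of the SQL."""
    sql = (
        "SELECT username, password FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver sends the input as data,
    so quotes and comment markers in it can never change the statement."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Assumed attacker input typed into the username field. The leading quote closes
# the string literal, "OR 1=1" makes the WHERE clause always true, and "--"
# comments out the rest of the statement, including the password check.
INJECTION_PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run the payload through both implementations and return what each leaks."""
    conn = make_db()
    return {
        # Vulnerable version: every row in the table comes back (a full dump).
        "vulnerable_rows": login_vulnerable(conn, INJECTION_PAYLOAD, "anything"),
        # Parameterised version: the payload is just a username that doesn't exist.
        "safe_rows": login_safe(conn, INJECTION_PAYLOAD, "anything"),
        # Sanity check: a legitimate login still works with the safe version.
        "legit_rows": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function turns the payload into `... WHERE username = '' OR 1=1 --' AND password = 'anything'`, which returns all three rows without knowing a single password; the parameterised function returns nothing for the same input. Input validation and a web application firewall help, but bound parameters (or an ORM that uses them) are the fix, and they cost nothing to adopt.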

We take your security seriously. It’s fundamental to our choice to largely avoid open source platforms and solutions. Sherpa has lost out on dozens of projects because we don’t use WordPress, Joomla and Drupal.

Why don’t we capitulate? One of the biggest reasons is security. Hackers are much more inclined to attack websites that share a common platform; for them it’s a numbers game. There are hundreds of thousands of websites built on WordPress, whereas there are dozens built on Custodian. Find a WordPress vulnerability and exploit hundreds of sites. Find a Custodian vulnerability and…? That lower exposure to mass exploitation is real, but it is not a substitute for secure code: a closed platform only gets the security review its vendor gives it, which is why the audits and testing described below matter as much as the platform choice.

There is an ebb and flow in the battle to secure the web. One side struggles to protect you and the other fights to exploit you. It’s a fight that happens every second of every day.

Beyond our choice to use closed source, we also realize that there is a need for constant vigilance. In the last three months Sherpa has:

  1.  Sent our most senior software developer to New York for a security summit, where he learned the industry best practices for defending against cyber attacks
  2.  Hired an independent third-party security expert to audit our internal and external networks
  3.  Hired an independent third-party security expert to audit our systems and processes
  4.  Started to migrate our website hosting to Microsoft Canada’s Azure cloud (good enough for the United States Department of Defense, good enough for you)
  5.  Collaborated with our biggest client on the settings for Incapsula, their web application firewall, to secure data on the web and in smartphone apps
  6.  Moved to SFTP-only file transfer with our biggest client (no USB memory sticks)
  7.  Enforced SSL/TLS (HTTPS) on all websites moving forward
  8.  Integrated industry-leading security scanning and web application testing tools into our standard development workflow


Web security is not something we talk about when Sherpa is differentiating itself from competitors, but maybe we should.

A hack can have immediate, damaging effects on your business, and long-term effects in the form of lost trust with your customers. Even if your website holds no client personal data, it is an important part of your business and should be protected: a defaced or unavailable site still costs you. It’s certainly a discussion worth having with your web/application development partner.

When I think of the work that our software team does every day, the quote from Ron Burgundy comes to mind:

“I'm proud of you fellas. You all kept your head on a swivel, and that's what you gotta do when you find yourself in a vicious cock fight.”



Internet security is a bit like exercise: not everybody wants to do it, but everybody should.
Some suggested reading:

https://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/

http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html


[1] https://en.wikipedia.org/wiki/SQL_injection
