A Secure State of Mind
I recently attended php[tek], a developer conference out in Chicago, to broaden my horizons and gain some new knowledge from some of the best people in the industry.
There were several great sessions I sat in on, ranging from “How to be a Great Developer” to “Recursion - Making Big Problems Smaller.” But one in particular stood out – “Security is not a Feature; It's a State of Mind.”
One quick note: I've been at Visionary for over six years. Our core library provides a good foundation for developers, notably by filtering input and escaping output. But that is only one part of a secure system.
What exactly is security, though? Security is an ongoing process. It is a paranoid way of thinking. It is the acknowledgment that you will be hacked at some point.
And it’s also everybody’s problem. Everyone involved in creating and maintaining a site shares it: the hosting company, the programmer and front-end developer writing code, and you, the user (is your browser up to date?).
Project managers also fall into that list, and at Visionary they take that responsibility seriously. Project managers need to specify the necessary validations on forms during the build process. The stricter the validation on a form field, the better we know what input to expect and the easier it is to filter out hacking attempts.
Have you ever been annoyed by not knowing which of your login credentials is wrong? It's that way for your protection. Any bit of information brings an attacker that much closer to getting in.
Also, don't forget that even if your site's content holds little sensitive data, on how many other sites do you use the same password as your admin password?
So besides encrypting that password, what else are we doing at Visionary to keep your site and our systems secure?
After each session at the conference, I asked myself how Visionary's employees or clients could benefit from the things I had learned. From the security session, I identified two items that would benefit us to address.
The first is to protect sites from brute force attacks, in which an attacker, usually with a bot or script, keeps trying to sign on until a guess succeeds after many (hopefully millions of) failed attempts.
This can be deterred or slowed down by limiting the number of failed attempts allowed from an IP address and/or user account within a set amount of time; once the limit is hit, further log-in attempts are refused until another set period has passed.
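As an added illustration (not code from this post or from Visionary's library), here is a minimal version of that restriction in Python: failed attempts are counted per IP address and username over a sliding window, the pair is locked out for a set period once the limit is reached, and every failure, whether a wrong password, a lockout or an unknown username, gets the same generic message, in line with the earlier point about login errors. The thresholds, the IP address, the user store and the PBKDF2 password hashing are constructed sample values and assumptions for this example.

```python
import hashlib, hmac, os
from collections import defaultdict, deque
# Constructed policy values (assumptions for this example, not the post's settings).
MAX_FAILURES = 5       # failures allowed per (ip, username) ...
WINDOW_SECONDS = 300   # ... within this sliding window
LOCKOUT_SECONDS = 900  # further attempts refused for this long once the limit is hit
GENERIC_FAILURE = "Invalid username or password."  # one message for every failure cause

class LoginThrottle:  # counts failed logins per (ip, username); locks the pair out after MAX_FAILURES
    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout expires

    def is_locked(self, ip, username, now):
        return now < self.locked_until.get((ip, username.lower()), 0.0)

    def record_failure(self, ip, username, now):
        key = (ip, username.lower())
        hits = self.failures[key]
        hits.append(now)
        while hits and now - hits[0] > WINDOW_SECONDS:  # age out failures older than the window
            hits.popleft()
        if len(hits) >= MAX_FAILURES:                   # limit reached: start the lockout
            self.locked_until[key] = now + LOCKOUT_SECONDS
            hits.clear()

    def record_success(self, ip, username):
        self.failures.pop((ip, username.lower()), None)

def hash_password(password, salt):  # PBKDF2 digest; the store keeps (salt, digest), never plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_users(plain):  # constructed user store: username -> (salt, digest)
    salted = {name: (pw, os.urandom(16)) for name, pw in plain.items()}
    return {name: (salt, hash_password(pw, salt)) for name, (pw, salt) in salted.items()}

def verify_password(users, username, password):
    salt, digest = users.get(username, (b"", b""))  # unknown user still costs a hash (no timing tell)
    return hmac.compare_digest(hash_password(password, salt), digest)  # constant-time compare

def attempt_login(throttle, users, ip, username, password, now):
    """One login attempt; returns (ok, message). Locked pairs and unknown users get the same reply."""
    if throttle.is_locked(ip, username, now):
        return False, GENERIC_FAILURE  # even a correct password is refused while locked out
    if verify_password(users, username, password):
        throttle.record_success(ip, username)
        return True, "Login successful."
    throttle.record_failure(ip, username, now)  # unknown usernames count too
    return False, GENERIC_FAILURE
```

In production the counters would live in a shared store such as the database or a cache so that every web node sees the same failure history.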
The second item is to be prepared for when the inevitable happens. It’s not paranoia if they are out to get you. By testing our "we got hacked" plan, we'll be able to get a client’s site back up and running sooner.
Being secure from the start and better prepared for the inevitable saves time in the long run. When we’re restoring a site, we’ll know how to do it effortlessly, getting your site back to normal so you can use it for your business and getting us back to doing what we do best, being visionaries.
Interested in finding out how you can make your site more secure? Contact us for a consultation! Send an email to email@example.com, or give us a ring at (515) 369-3545, option 2. We’re also on Twitter at: twitter.com/visionaryia.