It’s been a long journey, but we’ve finally reached the end of our 8 part series on website security. It seems like only yesterday that we learned all websites are targets, there’s no such thing as perfect security, and that securing the platform our websites run on is an ongoing responsibility.
If you have made it this far, you have an overview of the most serious threats to web content management systems, security recommendations for Drupal, and how to securely update and administer WordPress.
Now it’s time to take a step back from the inner workings of websites. Let’s take a look at the other crucial part of security: The flesh-and-blood human beings you work with. Your people and processes can be a strong line of defense—or they can be the weakest link in your security chain.
Make Good Choices
Aaron Campbell gave an excellent talk at WordCamp Europe on website security. In it, he talks about choosing a good host, choosing good software, using a password manager, and using two-factor authentication. All very simple steps, but all of them are essential. In his talk he shared a story about how one of his friends had sites repeatedly hacked because they were using ‘free’ image editing software to update their sites—free software that happened to be malware that stole the usernames and passwords for his sites. Bad choice.
A Security Mindset Is Good for Business
There is a growing business opportunity for agencies who are good at security. A security mindset is a powerful differentiator. You can offer security in your proposals even when the client didn’t ask for it, and get a leg up on the competition.
Developing a security mindset also helps mitigate your agency’s liability in the case of a breach. It’s worth implementing proper security for liability reasons alone. Even if the client didn’t ask for it, even if they’re not paying for it. You’re securing your reputation, not just their data.
A Security Mindset Avoids Death Star Defense
Remember the Death Star from the first Star Wars? Or Death Star II in Return of the Jedi? Or Starkiller Base in the Force Awakens? All three were huge, impregnable space fortresses bristling with weaponry.
And all three were gently drifting space dust by the end of their respective movies. Their designers built one super complex, hard to crack surface layer of security. They couldn’t foresee every potential vulnerability in that layer of defense, though. Once it went down, there was nothing between the Rebel forces and the space station’s gooey, explodey center.
When your agency has a security mindset, you build in security at each layer, both physical and digital. That’s a strategy called “Defense in Depth.” Each layer of security takes time to break through, and time is the hacker’s enemy. Time gives you the opportunity to discover and mitigate whatever vulnerability is being exploited. Time to stop the hacker before they get to your thermal exhaust port.
Our CTO, David Strauss, gave a great presentation on this topic at the O'Reilly Software Architecture Conference earlier this year:
The way your team connects with each other and with the internet is one layer of a Defense in Depth strategy. Keep your communication secure with these practices:
Always communicate over HTTPS. Secure HTTP used to be an extravagant add-on for institutions like banks and hospitals. Now, it’s a must-have. Thankfully, it’s cheaper and easier to implement than it used to be. If you’re on Pantheon, CloudFlare works great with the platform. Let’s Encrypt is a good free solution as well.
Always transfer files over SFTP. FTP had a good run, but it’s not secure: it sends credentials and file contents in plain text, so anyone who can observe the connection can capture them, and if a hacker gets those credentials, they have access to every file on your server.
Watch out for WiFi. Newer laptops are incredibly helpful in the way they search for familiar WiFi networks to connect with. But that searching makes it possible for hackers to spoof a known network, fooling the computer and the user. And that’s not even mentioning the security risk of using public WiFi in coffee shops and hotels. If you must use public WiFi, use these tips to increase security.
Secure Code Management
Your code is an asset that is valuable to hackers, so securing it should be a priority. A secure code base is one where you know what code is introduced, when, and by whom.
Use Version Control Software. At the base level, securing code means having solid version control software. Git is the most popular open source solution, so it’s a good place to start. Use Git with a security mindset: encourage everyone who accesses the codebase to include descriptive commit messages. These messages should describe why each change was implemented, referring to ticket numbers or other descriptors.
Good code management gives you audit trails.
If you’re on Pantheon, you’ll find version control best practices baked into the service. We automate and facilitate secure development—which is good for your sites and our reputation.
Keep Your Keys Secure. Communicating with third-party services through API keys is increasingly the norm for modern websites. Don’t store those keys in your code! You wouldn’t do that with passwords and you shouldn’t do that with keys. Use a service like Lockr to keep them secure.
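As an added example (not code from the post, from Pantheon or from Lockr), here is the kind of check a pre-commit hook can run to catch keys that did end up in code, next to the habit it enforces: reading the credential from the environment instead. The patterns and the entropy threshold are illustrative assumptions, not a complete scanner.

```python
import math
import os
import re

# Illustrative shapes of embedded credentials (assumption: a real scanner would carry many more).
SECRET_PATTERNS = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential assigned a literal",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]")),
]

def shannon_entropy(s):
    """Bits of entropy per character; random keys score far above placeholders."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_likely_secrets(text, min_entropy=3.5):
    """Return (line_number, reason, matched_value) for lines that look like embedded credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for reason, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Literal assignments with low entropy are placeholders such as REPLACE_ME, not keys.
            if m.lastindex and shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, reason, value))
    return findings

def load_secret(name):
    """Read a credential from the environment (populated by a secrets service), never from source."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not set; provision it outside the codebase")
    return value

# Constructed sample file; every value below is made up for this example.
SAMPLE_CONFIG = """\
# constructed sample config (no real credentials)
aws_access_key_id = "AKIAEXAMPLEKEY000001"
api_key = "q7Zp3mR9vX2kL8nB4wT6yH1j"
password = "REPLACE_ME_REPLACE_ME"
api_key = os.environ["PAYMENT_API_KEY"]
"""
```

Lines 2 and 3 of the sample are flagged; the placeholder on line 4 and the environment lookup on line 5 are not.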
Secure User Data
Once your security mindset encompasses your code and communication, extend it beyond your agency walls to your end users. People will trust the sites you build with their data, whether that trust is earned or not. Make sure your processes are set up to respect that trust.
Rethink Personally Identifiable Information (PII)
Most people immediately think of credit card numbers when they think of PII to protect. That can lead to a false sense of security. As banks get faster at detecting and shutting down fraud, credit cards are becoming less valuable on the black market (between $4 and $8). Information that can be used to falsely bill for medical procedures or apply for a loan, on the other hand, is worth $300-$500. That information includes anything that can be used to identify a specific person:
- Date of Birth
It’s a good idea to be proactive with your clients on identifying what PII they plan to collect. Listen for trigger words like “eCommerce,” “donations,” “registered users,” “API,” etc. Your agency needs to know what information will be collected and who will have access to it. As a general rule, it’s better to collect as little information as possible, and store only what is absolutely necessary.
Sanitize Data on Transfer
When a client has problems on the live site, developers transfer the code and data to a testing environment to recreate and solve the problem. It’s important to make sure that transfer does not include PII that could travel over insecure networks or be stored on a developer’s computer. To protect your client and your company, sanitize data on the way out. Drush has a handy sql-sanitize command that can do this for Drupal sites, and 10up's WP-Hammer is a great resource for WordPress.
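The following is an added example of what sanitizing on the way out means in practice; it is not the code of drush sql-sanitize or WP-Hammer. It builds a constructed WordPress-style users and usermeta table in SQLite (real sites run MySQL, and the sensitive meta keys are an assumption for this sample) and rewrites the PII before the data would be dumped.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample rows; SQLite keeps the example self-contained (real sites run MySQL).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", "Alice Liddell", "1990-04-01", "+1-555-0100"),
    (2, "bob", "bob@example.org", "Bob Builder", "1985-12-24", "+1-555-0101"),
]
SENSITIVE_META_KEYS = ("billing_phone", "date_of_birth")  # assumption: keys this site stores PII under

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
                               user_email TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                  user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    for uid, login, email, name, dob, phone in SAMPLE_ROWS:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)",
                     (uid, login, "$P$Bfakehash" + login, email, name))  # made-up password hash
        conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                         [(uid, "date_of_birth", dob), (uid, "billing_phone", phone),
                          (uid, "nickname", login)])
    conn.commit()
    return conn

def sanitize_database(conn):
    """Rewrite PII in place before the dump leaves the live environment: emails become
    user<ID>@example.invalid, display names a generic label, and every password is reset
    to a fresh random hash so a leaked dump cannot be cracked. Returns deleted meta rows."""
    for (uid,) in conn.execute("SELECT ID FROM wp_users").fetchall():
        throwaway = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        conn.execute("UPDATE wp_users SET user_email = ?, display_name = ?, user_pass = ? WHERE ID = ?",
                     (f"user{uid}@example.invalid", f"User {uid}", throwaway, uid))
    placeholders = ",".join("?" * len(SENSITIVE_META_KEYS))
    removed = conn.execute(f"DELETE FROM wp_usermeta WHERE meta_key IN ({placeholders})",
                           SENSITIVE_META_KEYS).rowcount
    conn.commit()
    return removed

def leaked_values(conn, originals):
    """Live values that still appear anywhere in the sanitized tables (should be empty)."""
    dump = [str(v) for table in ("wp_users", "wp_usermeta")
            for row in conn.execute(f"SELECT * FROM {table}") for v in row]
    return [o for o in originals if any(o in v for v in dump)]
```

Run leaked_values with the real emails, birth dates and phone numbers from the live copy as the final gate before the dump is copied anywhere.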
Provide Ongoing Support and Updates
As discussed in part 3, security is a continual process of vigilance, not a one-time task. Catalog your sites and make sure you know which platform each runs on, who is responsible, who does the updating, and who does the updating if that person is on vacation.
If you’re running Drupal sites, make sure to have the resources ready to implement Wednesday updates as quickly as possible. For WordPress, stay current with the most recent updates.
Security updates are only beneficial if you implement them. So make sure you have a management plan in place.
You Are Your First Line of Defense
When hackers come sniffing for vulnerabilities, your processes and people are the first of your many layers of security. Keep a security mindset and let it inform the way you work, the way you store information, and the way you interact with clients. Finally, realize that security is a continuum, and an ongoing commitment. Keep pushing your clients to the “safer” side of the continuum through continual updates and improvement.
This is the 8th post in a series of articles on website security. Read the rest:
- Part 1: You Are A Target
- Part 2: Website Security Isn’t Binary
- Part 3: Security in the Platform Layer
- Part 4: The Application Layer
- Part 5: Securing Drupal
- Part 6: Updating WordPress Securely
- Part 7: Administering WordPress
- Part 8: Organization Processes