Author: Crystal Lee, Drupal Wordsmith
Posted in Software & Development, Video, High Five
June 12, 2018

How to Ensure your Website STAYS Secure!

Taking care of your website's security once and then never revisiting it again is like locking the door to your house, and then building an entire new half of your house and leaving that side open to the air. It sounds ridiculous, but that's exactly what you're doing if you fail to stay on top of security.


It's also critical to audit your security periodically to see if any new flaws have developed. This is especially important if you do custom code, because you won't get any official security notice about that.

There are two basic ways to check your site security:

  1. Doing penetration testing—This involves using software to try to break into the site. There are automated setups that try things like a cross-site scripting attack or an SQL injection attack. They will spam the login form, put things in the query string to try to get in, etc. The idea is to try some brute-force stuff to see if your site is vulnerable. These automated setups can be useful, but they tend to only catch the really simplistic stuff. You can hire a service to run these types of tests regularly and send you reports if anything gets flagged.

  2. Having a real live person do an audit—This can be done as a peer review, but it's better to get a senior developer who specializes in security to review the code and the functionality. They know vectors that are likely areas of attack, and they will try specific targeted attacks to ferret out flaws and vulnerabilities.

Most people do #1 on an ongoing basis. Fewer people follow up with #2, though, because it costs a fair bit of money and can end up seeming pointless (if you get a report that says your site is fine, it almost seems like the specialist didn't do anything). But it's important to do it so you can be assured everything really is fine. Think of it like an insurance policy: you're paying for peace of mind. Because if a breach does happen, it could destroy your business.

You should also track which sections of code got reviewed and when, so that you know when things are up to date. How often you need to test depends on a number of things, including how popular your site is and how likely it is to be a target of attack. If you don't have tons of credit card and personal information, and you're not a super popular site, maybe you do it once a year. If you're a huge eCommerce company, you might have an ongoing audit that goes constantly. Large companies have entire security teams doing stuff like this full time.
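Tracking which sections got reviewed and when, with a cadence that depends on how much each section has to lose, is easy to do in a small ledger script. The one below is an added illustration and not code from the original post or from any product it mentions; the risk tiers, review intervals, section names, reviewers and dates are all constructed assumptions, chosen to mirror the post's reasoning that a checkout handling card data needs far more frequent review than a brochure page.

```python
"""
Review ledger: records when each section of a site's code was last reviewed
and flags sections whose review is older than the cadence their risk tier
requires. Added illustration; tiers, intervals, names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cadence per risk tier (days between reviews). Sections that handle
# payment or personal data get reviewed far more often than low-value ones.
REVIEW_INTERVAL_DAYS = {
    "high": 90,     # e.g. checkout, payment, account data
    "medium": 180,  # e.g. login, user profile, custom forms
    "low": 365,     # e.g. brochure pages, static content
}

@dataclass(frozen=True)
class Review:
    section: str        # code section / module name
    tier: str           # key into REVIEW_INTERVAL_DAYS
    reviewed_on: date   # date of the last review (automated or human)
    reviewer: str       # who did it, for the audit trail

def due_date(review: Review) -> date:
    """Date by which this section must be reviewed again."""
    return review.reviewed_on + timedelta(days=REVIEW_INTERVAL_DAYS[review.tier])

def latest_reviews(reviews):
    """Collapse the ledger to the most recent review per section."""
    latest = {}
    for r in reviews:
        if r.section not in latest or r.reviewed_on > latest[r.section].reviewed_on:
            latest[r.section] = r
    return latest

def overdue_sections(reviews, today):
    """Return {section: days_overdue} for sections past their cadence, worst first."""
    result = {}
    for section, r in latest_reviews(reviews).items():
        overdue = (today - due_date(r)).days
        if overdue > 0:
            result[section] = overdue
    return dict(sorted(result.items(), key=lambda kv: -kv[1]))

def unreviewed_sections(reviews, expected_sections):
    """Sections in the site inventory that have never appeared in the ledger."""
    seen = {r.section for r in reviews}
    return sorted(set(expected_sections) - seen)

# Constructed sample ledger and inventory (not real data).
SAMPLE_LEDGER = [
    Review("checkout", "high", date(2018, 1, 15), "alice"),
    Review("checkout", "high", date(2018, 4, 2), "bob"),      # newer entry wins
    Review("login", "medium", date(2017, 10, 1), "alice"),
    Review("marketing-pages", "low", date(2017, 9, 1), "carol"),
    Review("custom-import-module", "high", date(2018, 5, 20), "bob"),
]
SAMPLE_INVENTORY = [
    "checkout", "login", "marketing-pages", "custom-import-module", "newsletter-signup",
]
TODAY = date(2018, 6, 12)  # constructed "now" so the run is reproducible

if __name__ == "__main__":
    for section, days in overdue_sections(SAMPLE_LEDGER, TODAY).items():
        print(f"OVERDUE        {section}: {days} days past due")
    for section in unreviewed_sections(SAMPLE_LEDGER, SAMPLE_INVENTORY):
        print(f"NEVER REVIEWED {section}")
```

Run against the sample ledger, the script reports the login section as overdue (its medium-tier review from October 2017 fell due at the end of March 2018) and the newsletter signup as never reviewed at all; the second check matters because custom code that never made it into the ledger is exactly the code that gets no official security notice.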

Obviously, you have to do your due diligence so you meet compliance. Beyond that, you have to do a risk/reward analysis. Does the cost of security outweigh the cost of a potential breach? Your site could be awesomely secure if you had a three-person security team dedicated to that 24/7. But if you're a company that makes $10 million a year, and a three-person team costs you $500,000, that might not be the best use of your resources. On the other hand, if you stand to lose a billion dollars through a security breach, the cost of a three-person team is very reasonable.

TL;DR: You need to care about security enough to monitor it continually.
