Taking care of your website's security once and then never revisiting it again is like locking the door to your house, and then building an entire new half of your house and leaving that side open to the air. It sounds ridiculous, but that's exactly what you're doing if you fail to stay on top of security.
It's also critical to audit your security periodically to see if any new flaws have developed. This is especially important if you do custom code, because you won't get any official security notice about that.
There are two basic ways to check your site security:
1. Doing penetration testing—This involves using software to try to break into the site. There are automated setups that try things like a cross-site scripting attack or an SQL injection attack. They will spam the login form, put things in the query string to try to get in, etc. The idea is to try some brute-force stuff to see if your site is vulnerable. These automated setups can be useful, but they tend to only catch the really simplistic stuff. You can hire a service to run these types of tests regularly and send you reports if anything gets flagged.
2. Having a real live person do an audit—This can be done as a peer review, but it's better to get a senior developer who specializes in security to review the code and the functionality. They know which vectors are likely areas of attack, and they will try specific targeted attacks to ferret out flaws and vulnerabilities.
Most people do #1 on an ongoing basis. Fewer people follow up with #2, though, because it costs a fair bit of money and can end up seeming pointless (if you get a report that says your site is fine, it almost seems like the specialist didn't do anything). But it's important to do it so you can be assured everything really is fine. Think of it like an insurance policy: you're paying for peace of mind. Because if a breach does happen, it could destroy your business.
You should also track which sections of code got reviewed and when, so that you know when things are up to date. How often you need to test depends on a number of things, including how popular your site is and how likely it is to be a target of attack. If you don't have tons of credit card and personal information, and you're not a super popular site, maybe you do it once a year. If you're a huge eCommerce company, you might have an ongoing audit that goes constantly. Large companies have entire security teams doing stuff like this full time.
Obviously, you have to do your due diligence so you meet compliance. Beyond that, you have to do a risk/reward analysis. Does the cost of security outweigh the cost of a potential breach? Your site could be awesomely secure if you had a three-person security team dedicated to that 24/7. But if you're a company that makes $10 million a year, and a three-person team costs you $500,000, that might not be the best use of your resources. On the other hand, if you stand to lose a billion dollars through a security breach, the cost of a three-person team is very reasonable.
TL;DR: You need to care about security enough to monitor it continually.