This year we didn't hear too much in the news about security breaches or stolen data, although undoubtedly those incidents continued to happen and will continue to happen for various reasons. Learning how potential intruders will try to break into your system to steal data, or just for fun, is a part of life for most software engineers, although at a much smaller scale than the big tech companies. So today I'll be going over a few ways in which to keep your websites more secure in the new year.
These are higher-level solutions intended as a good first defense. However, if you do have a complex system in place and are legally responsible for protecting your users' data, then hiring a security specialist to oversee your technology stack is probably the way to go.
Continuously updating your company's passwords
This is the easiest and the hardest thing that you can do in order to have a more secure online footprint. I have worked for companies that have never updated their passwords for years to their various online services, such as analytics tools, marketing software, financial management, etc. It's safe to say that you can trust your employees for sure, but it's a slightly different story when you begin to think about the number of employees that have left certain companies and still have access to many of those resources.
Updating your passwords frequently, say every month or so, will decrease the likelihood of any of your services becoming compromised. But it's not just about updating your passwords. Using complex and unique passwords is also key, and this is where the overall complexity lies, particularly for larger organizations or companies with multiple people. Managing 10 different passwords that update monthly and having an entire company aware of the changes does require some type of adherence to company policy.
Keeping passwords on a need-to-know basis is a much better route for keeping your internal company data more secure, for a few reasons. Not everyone in your company requires every password at all times. Some might even go months without using them, which is perfectly fine. But the less your passwords circulate, the better your odds. This isn't about finding a foolproof way to be more secure, as that is not really possible. It is more about increasing the overall friction in attaining these passwords.
Using a password manager like LastPass is also a viable option at a relatively low cost. A few of the benefits are more granular control of passwords on a per-user basis and the ability to seamlessly onboard any new employees.
This seems like a no-brainer. If you want to view your data as a user, you log in and bam, you have data access. Easy enough for brand new websites that are running on stable frameworks which take care of much of this for you. However, many of the largest websites on the net today are over a decade old, have thousands of pages and have gone through hundreds of developers. Whether authentication is in place on every single one of those pages is not guaranteed.
We've seen it time and time again. Intruders are able to retrieve data from a secure page simply by changing the parameters passed to the page. Again, not as likely on newer frameworks, but many of the biggest websites out there today do not run on newer frameworks.
Keep authentication session-based as much as possible. Lock down directories instead of individual pages; this really comes down to how you are building your projects. Anything that should require authentication should have some separation from that which does not, at least from a technical standpoint.
This also involves expiring tokens within minutes, like many larger sites do these days. For instance, if a user requests a password change and is emailed a token, this token should be short-lived and should be discarded right after use. The same goes for any token-based approach that you are using to send data to and from your users.
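A sketch of locking down a directory rather than individual pages, added here as an illustration and not taken from any particular framework. The prefixes, the `gate` function and the `user_id` session key are assumptions; the path is normalised first so that `..`, doubled slashes or percent-encoding cannot slip a request past the prefix check.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical layout: every page under these directories needs a logged-in session.
PROTECTED_PREFIXES = ("/account", "/admin")


def canonical_path(raw_path: str) -> str:
    """Percent-decode and normalise a request path before any access decision."""
    decoded = unquote(raw_path)
    # Force exactly one leading slash, then collapse '..', '.' and '//'.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_protected(raw_path: str) -> bool:
    """True when the path is a protected directory or anything beneath it."""
    path = canonical_path(raw_path)
    # Match on a directory boundary so '/accounting' is not treated as '/account'.
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def gate(raw_path: str, session: Optional[dict]) -> int:
    """Return the HTTP status a front controller should answer with."""
    logged_in = bool(session and session.get("user_id"))
    if is_protected(raw_path) and not logged_in:
        return 401
    return 200
```

Because the check runs once in front of the whole directory, a page added under `/account` years later is covered without anyone remembering to add a login check to it. The router must serve the same canonical path that the gate inspected.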
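The short-lived, single-use reset token described above, as an added example rather than code from the original post. The 15-minute lifetime, the `ResetTokenStore` class and the in-memory dictionary (standing in for a database table) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article only says "minutes"


class ResetTokenStore:
    """In-memory stand-in for a table of pending password resets."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (sha256 hex digest of token, expiry time)

    def issue(self, user_id: str) -> str:
        """Create the token to email; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Issuing again overwrites, and so invalidates, any earlier token.
        self._pending[user_id] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Accept a token once and only within its lifetime."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        digest, expires_at = record
        if self._clock() > expires_at:
            del self._pending[user_id]  # expired: discard
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self._pending[user_id]  # used: discard so it cannot be replayed
        return True
```

Storing only the hash means a leaked copy of the table does not hand out working reset links.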
Using code reviews
For the most part, code reviews get a bad rap and usually get framed as a tool to monitor younger developers. Not so, however. Code reviews don't just have to be for brand new pre-production code that is about to launch. They can be a fantastic tool for existing code that hasn't been looked at in some time. More than likely, any code that has not been looked at in a couple of years is in some need of an upgrade.
So spending some time per week to circulate through your code can only help. Start with your oldest code and work your way upwards each time. Small incremental changes, in the long run, will create a more secure and stable experience each and every time. And more importantly, it will keep everyone in the loop as to how your system works.
Retiring legacy programs
This is a tough one, but sometimes the best solution isn't to fix a 20-year-old application full of bugs. It's simply to begin to phase it out. Either build a replacement or measure the cost of not having it in place. One of the first projects that I ever got to work on was exactly this. The company that I worked for had a two-decade-old system running on a hidden server somewhere with a codebase that no one could find. For years, this application caused issues and no one could fix it because no one really knew where it was located or how it worked.
Within 6 months, that old project was retired and a new one began to take shape. Only the usable functionality was migrated over and anything that didn't make sense or that wasn't being used was safely left behind. This is by no means a cost-friendly solution. But in the long term, it produced fewer issues and created more room to focus on improvements and not just on bug fixes.
Create an ethical work environment
Really, the best way to stay more secure and ahead of the curve is to just follow common sense when it comes to using technology. That goes for anyone in your corporation, from the developer to the QA team to the marketing department. And that begins with a company's core values and with each and every employee. From the moment you interview to the moment you leave to find a new job, your company's purpose should include some semblance of ethics or moral right-doing.
Most companies indeed do a fine job in this regard. Most of the companies that I have worked for have indeed put in the extra effort to make sure that information is secure and that users have an enjoyable time using the company's services. But not without the work, of course. There are meetings in place per week and levels of management in place along with monthly audits in order to ensure that everything is going smoothly.
And if you're not that large yet, it's never a bad time to start the process. Make it a point to follow the minimum security measures always, with an aim to improve them as you and your company grow. There really is no reason for companies to get hacked or for data to be stolen. We know the methods that people use to do so, and most of the time they are incredibly simple and are caused by trivial issues.
Walter G. is a software engineer with over 10 years of professional experience. When he isn't blogging or being a CTO he enjoys coding randomly complex things that he hopes many people will get a chance to use one day.