Unlike a guide or a list of helpful hints, this is more of a list of things to know when choosing a web developer from a security perspective. Security is paramount to anything worth having. If you can’t secure it, then eventually it will be stolen or abused. And in web speak, security means hackers. White hat hackers are the good guys; the other type may demand a ransom. Don’t let the other type bite you in the butt!
Web Development Bootcamp
If you’re not familiar with the web development industry, you can sometimes find boot camps, videos, or ads that promise to teach you how to build a website in 12 weeks. Wait .. hold on, you’re telling me that something most people should go to a 4-year college for, you can teach me in 12 weeks? Yes indeed, just enroll and we’ll have you churning out websites in no time. And that, ladies and gentlemen, is the problem.
There are many people who learn web development from home or through some boot camp (which is not necessarily a problem, as long as the drive is there to learn the advanced parts of it and look out for the client who depends on your expertise). They in turn get hired by managers looking to expand their teams and give this nice person a chance. BTW, nice has never prevented an attack or compromise attempt by bad actors. If that is you, no shade; it’s just that there’s a lot to programming in general, and a lot gets missed in corporate-level websites by accepting these nice people to do what is really a cutthroat black hat versus white hat job. Note that Google does not hire 12-week boot camp newbies unless they know their stuff, which is VERY unlikely from just a 12-week boot camp.
It should be easy to see how a company can get one of these newbies to work on their website, and after they complete some simple tasks, they will be moved up through the ranks and start working on the real stuff, which hackers lick their lips at. Well, sorry to break it to you, 12 weeks to start spitting out code is far from enough time to do anything serious. There’s a lot to programming, and you may want to skip the developer who learned from home. Insert Hacker!
Web Security
Hackers take advantage of poorly written code. Anyone can code .. sure. But would you want your confidential business secrets to be compromised, or to be required to pay a ransom to save face from embarrassment? Probably not. But a hacker can easily find holes in code written by what are, in essence, lightweight programmers who do not understand the full picture of how the web works and how the feature they are working on can be compromised. They have read a few lines, know a few things, and can add text, lists, a contact form, and images to your page. All of that is nice, but you’d probably skip out on the little it brings if you knew you might have to deal with the dark side of the web, which can mean ransoms. Scary stuff .. right at your doorstep. Well, if you’re worth the hassle anyway.
And trust me, there are computers all over the world that will scan even your website, if only to leave spam in a comment. Let’s look at a possible basis for the logic flaws that the 12-week website designer runs into. First, the developer learns how to develop a website. However, this developer does not understand the full landscape because of a lack of experience or a knowledge gap. So many amateur assumptions are made about how some function will work. Compromising those assumptions is usually not a tall task for a hacker. Even when there are multiple college-educated developers with full teams in charge of a multi-million dollar website, the code can still be compromised if it is not cohesive between teams. And making cohesiveness standard across millions of lines of code is a tall order.
Note that these web developers do not necessarily know that they are making assumptions that could compromise the organization they work for. They are, in essence, just trying to get the feature to work, and possibly work well. Their mind is not filled with the possible ways the data can be manipulated and compromised. As you can only address what you know, the issue is a knowledge gap, not necessarily bad intentions. This knowledge gap is even bigger in the 12-week developer.
Web Developer Knowledge
You want to be on the correct side of the knowledge gap. Of course, when you purchase a product or service, there is no way to ensure that it is looking out for you (your own lack of knowledge, etc.). However, if your developer is not talking about hacker-type stuff, they most likely don’t have a complete picture of the landscape, considering how important that is to protecting your information.
So how do hackers take advantage of the landscape? Well, first, whoever sends a request to your servers has full control over every piece of information in it. This knowledge is a huge piece of the missing puzzle. Not knowing this is, in essence, what causes programmers to make amazingly faulty assumptions. Most compromises come down to the fact that websites must interpret languages (such as SQL and HTML) on the fly, and those languages are built out of the very text the sender controls.
Web Application Attacks
- SQL Injection
- Cross Site Scripting (XSS)
- Attacking Access Controls (Can I get more privileges than I should have?)
- File path traversal attacks
- Brute force attacks
- Logical attacks in code
- Many others (hacking is creativity in the technical world)
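The first and fourth items above, and the point that the sender controls every byte of a request, are easiest to see side by side in code. The following is an added example written for this page, not code from the original post or from any project it describes. It assumes a hypothetical document root `/srv/app/public` and a constructed two-row user table held in an in-memory SQLite database; the "amateur assumption" in each vulnerable function is the one the text describes, and the safe version beside it is the fix a security-aware developer would write (parameterized queries; normalize the path and refuse anything outside the root).

```python
import sqlite3
from pathlib import Path

# Constructed sample data for an in-memory database (not a real user table).
# Real systems store password hashes, never plaintext; kept simple for the demo.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Hypothetical document root for the file download example.
DOCS_ROOT = Path("/srv/app/public")


def make_db():
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The amateur assumption: 'name' is just a username somebody typed.

    The sender controls the whole string, so it is spliced straight into the
    SQL grammar and can change what the query means.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: values travel separately from the SQL text, so
    whatever the sender puts in 'name' is compared as data, never parsed."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def download_path_vulnerable(filename):
    """The amateur assumption: 'filename' is a plain name like 'report.pdf'.

    pathlib keeps '..' components, so a crafted name walks out of DOCS_ROOT.
    """
    return DOCS_ROOT / filename


def download_path_safe(filename):
    """Normalize the candidate path and refuse anything outside DOCS_ROOT."""
    root = DOCS_ROOT.resolve()
    candidate = (DOCS_ROOT / filename).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError("requested path escapes the document root")
    return candidate


if __name__ == "__main__":
    conn = make_db()
    # A SQL comment marker in the username ends the WHERE clause early, so the
    # password check never runs in the concatenated version.
    crafted = "alice' --"
    print("vulnerable login:", login_vulnerable(conn, crafted, "wrong"))  # ['alice']
    print("safe login:      ", login_safe(conn, crafted, "wrong"))        # []
    print("vulnerable path: ", download_path_vulnerable("../../etc/passwd"))
    try:
        download_path_safe("../../etc/passwd")
    except ValueError as exc:
        print("safe path:        rejected:", exc)
```

The two vulnerable functions share one root cause from the text: the developer pictured a human typing a username or clicking a file link, and never pictured the request being assembled by hand. The fixes do not try to guess what "bad" input looks like; they stop treating input as part of the query language or the filesystem path at all.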
If you hire us to work on your website, we will improve your site from a security perspective in addition to whatever painful task you need worked on. We do this knowing that if the wrong person with malicious intent comes to your site, it could eventually give you many headaches .. which of course we would never want you to experience, considering we can do something about it.
So choose your website developer wisely. If you never expect to have a large online presence, or your users are not part of creating your website’s functionality, then it may be OK to skip the hacker steps (until you become famous anyway). As with everything in life, hackers need value from their efforts too. If many brainiac actions are performed with little return, well, they may try for something a bit more interesting next time. Hopefully, your website won’t fall into their “give me a real challenge with benefits” campaign!