Web Security Requires Circles of Defense
It's common knowledge here in New England: layers are the best protection from the winter cold. The different layers and materials provide gaps that allow pockets of warm air to form. This insulation prevents the biting winter cold from getting to your warm fleshy insides. The longer you wear the clothing, the more effective the layers tend to be, and if you've ever felt bone-chilling cold, you know why this is important.
In the web security world there exists a similar, though not an exact, 'layers' analogy. Unfortunately, the length of time you practice good security policies does not prevent any future issues, but building good security from the start and leveraging effective layering certainly does.
Layered defense is a tactic first perfected by early military strategists. Storied victories throughout history, including the Battle of Kursk, World War I trench warfare, the First Iga War, and Hannibal's victory at Cannae, are all examples of a successful layered defense strategy. With this tactic, one accepts that some lines of defense may fail, but consecutive layers and planned failures will ultimately repel attackers. When building websites, it is especially useful to implement multiple defense layers, so that a single vulnerability cannot be exploited to affect an entire site.
Modern Web Security Layers
Examples of defensive layers include salting and hashing password databases, restricting access to administrator login pages, granting users only the permissions required to perform their functions, and the use of honeypots (traps that waste an attacker's time while defenders gather useful intelligence and protect vital areas). If any of the above sounds foreign to the person in charge of your website security, it is time to update training and/or bring in outside help from specialists who focus on defense strategies.
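A minimal sketch of three of those layers working together on one administrator request, added here as an illustration and not code from the original article; the network range, role names and permission names are constructed, and the password hashing uses PBKDF2 from the Python standard library:

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Optional, Tuple

# Layer 1: passwords are stored as salted, deliberately slow hashes, so a
# leaked database does not hand an attacker reusable credentials.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Layer 2: the administrator login page answers only to allowlisted networks.
# The range below is a constructed example, not a real deployment value.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def admin_page_allowed(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_NETWORKS)

# Layer 3: least privilege. Each role carries only the permissions its job
# needs. Roles and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "customer": {"view_catalog", "place_order"},
    "support": {"view_catalog", "view_orders"},
    "admin": {"view_catalog", "view_orders", "issue_refund"},
}

def authorize(role: str, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(role, set())

# Every admin request must pass all three layers. The first layer that fails
# stops the request and names itself, which is also what you would log.
def admin_request(client_ip: str, role: str, action: str,
                  password: str, salt: bytes, digest: bytes) -> str:
    if not admin_page_allowed(client_ip):
        return "blocked: network"
    if not verify_password(password, salt, digest):
        return "blocked: credentials"
    if not authorize(role, action):
        return "blocked: permission"
    return "allowed"
```

A stolen password used from outside the allowlisted network, a correct login by a support account asking for a refund, and a leaked hash on its own each fail at a different layer, which is the point of layering.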
Attackers can strike anywhere and at any time, and the retail industry has been ground zero for data breaches. Major eCommerce platforms and providers should build security layers in by default, and many platforms have, at the very least, bolted on solutions that provide some protection. Of course, these initial security tools are often incomplete and insufficient. It is of great importance for enterprises to analyze their existing security frameworks and determine whether more layers and protections are needed to safeguard company and customer data. Failure to practice solid defense processes can lead to high-profile breaches, such as those at a famous news site breached through its third-party tools or a now well-known dating site for illicit affairs.
5 Common Excuses for Not Addressing Security
Despite these high stakes, objections to serious security initiatives are all too common. I can hear the usual responses: "It's too expensive" or "We'll fix it after we get off the ground". These excuses are frustrating because there is always a justification for putting off proper planning, since there sometimes is a genuine need to ship a product that isn't perfect. However, if you keep security a top priority from the beginning, it is far easier than going back later to bolt security onto software without creating more vulnerabilities and complications.
Let's respond to these common objections in turn:
- It's too expensive - While the initial cost can be higher than skipping security, that cost is usually time spent in proper planning before any code is written. Proper planning at the beginning reduces costs later, when you have clients actively using your product and need to refactor.
- You're going to get breached anyway - Attackers are always looking for the biggest payout for the least risk and effort. The more valuable you are, the higher the chance that you're worth the effort to attack, and that means even more protection is needed. According to recent reports, 95 percent of security incidents involve mistakes made by people within an organization. This shows that proper education and processes will significantly reduce attack vectors and surface area. With proper permission settings, even a malware infection would be easily mitigated. The point of defense in depth is to limit your exposure and reduce the financial impact to your organization.
- Customers don't care about security - This is only true until it isn't. With increasing scrutiny of security, consumers expect businesses to handle the security of their transactions for them. Studies now show that 60% of consumers are concerned about the security of online transactions and believe merchants are not doing enough to protect data. Jittery buyers are conversion killers and will make your site less profitable; however, there is a silver lining. If you can show consumers that your site is secure, it greatly increases the likelihood of a purchase.
- We'll fix it later - The car analogy for this objection is attempting to install an ignition in your car while it's driving down the highway at top speed. As soon as you try to shift gears, everything comes to a grinding halt. I doubt that you would ever want to send your users hurtling through the windshield onto the pavement, but this is a very common workflow. Even bolted-on security, added after initial deployment, provides the equivalent of seatbelts and airbags to soften the blow for your consumers. This approach always leads to more friction and more time spent working around your production software, so that current features are maintained while new ones are added.
This article was written by Philip Truax