Altamira

Web Development Security Checklist

What’s the first thing that comes to your mind when talking about a website? Design? Functionality? Marketing? All these things certainly matter but what you should never forget is security.

According to a study reported by SC Magazine, a cyberattack occurs every 39 seconds. Moreover, in March this year, when the pandemic began, many companies saw a surge in attacker activity: it was three times higher than in February of the same year, which made CEOs think about strengthening cybersecurity. After all, once malware is running on a website, it can quietly collect data about you and your customers.

According to a new report from Microsoft, the number of COVID-19-themed cyberattacks increased to nearly a million per day during the first week of March.

Attackers thereby gain access to confidential data belonging to both existing and new site users. Beyond stealing information, automated attack tools can also infect visitors' computers, leading to even more severe consequences. That is why it is essential to build reliable site protection and to keep improving it: every day, thousands of new malicious programs are created that probe sites for vulnerabilities and damage them.

Cyber security checklist:

Most attacks have significant financial implications. Besides the theft of user and payment information, restoring a site after malware damage is significantly more expensive than maintaining protection at the required level. And when user information is exposed, the company suffers both financial losses and reputational damage.

Companies like Marriott, Twitter, and others hit by cyberattacks this year report that the costs of a data breach can exceed an average of 20% of the company's revenue. Cybercrime is projected to cost the world approximately $6 trillion annually by 2021. You may be able to minimize the financial and technical damage from an attack, but your customer base can still suffer.

Remediating a data breach can take from a couple of weeks to several months, during which the site may be temporarily unavailable. If you sell goods or services through the site, that means lost income, and problems with your web resource also cost you your customers' trust. Given these threats, protecting your projects deserves your focus.

Cyber attacks in 2017

“No big deal,” you might say. Well… To jog your memory, here is a list of the three most extensive internet security breaches of 2017:

WannaCry malware

One of the most brazen and widespread cyber-attacks of 2017 was carried out with the WannaCry ransomware. The worm infected more than 300k computers running Microsoft Windows all over the world and demanded bitcoin payments from victims to restore their files.

The day after the outbreak began, Microsoft released emergency security patches for Windows versions that were already out of support; the fix for supported versions (MS17-010) had been available since March 2017, so the outbreak was above all a patching failure. Nevertheless, in the weeks after the first computers were hit, victims paid about $130k in total to restore their data.

Petya cyber attack

Summer 2017 was hot for many Ukrainian governmental structures and private enterprises, which were attacked by the Petya ransomware (later dubbed NotPetya). The previously unknown malware paralyzed airports, the capital's metro, banks, supermarkets, and thousands of small companies. It spread so fast that people all over the country were afraid to turn on their home PCs.

It later turned out that the update mechanism of the country's most widely used accounting software, M.E.Doc, had been compromised to distribute the malware, which caused the first wave of the attack: a textbook software supply-chain compromise.

The lesson has since been learned, and the government realized the need to strengthen its cybersecurity departments.

Uber data loss

2017 was not the best year for Uber, and security issues only exacerbated the situation. It turned out that the personal information of 57 million riders and drivers had been stolen in October 2016, and the company had decided to hide this fact.

The attackers stole personal data such as names, emails, phone numbers, and driver's license numbers. Uber claims that location data, credit card numbers, social security numbers, and birth dates were not affected. The company also confirmed that it had paid the attackers $100k to delete the stolen data and keep the breach secret. But, as we know, what is done by night appears by day.

Plus, you have probably heard of the Equifax hack, which exposed the identities of over 145 million Americans, including Social Security numbers, dates of birth, addresses and, potentially, driver's license numbers: data that cannot be rotated like a password, so those people remain at risk indefinitely.

Information security best practices checklist

Ideally, you decide what level of security the site needs at the moment you decide to build it, so that the developers can account for all your requirements, in security as much as in functionality. If you already have a project, then it is time to check it for weaknesses and fix them. Whether you are selling a product (like an app) or using software for your internal business needs, the CIA triad is what protects you: confidentiality, integrity, and availability.

Cybersecurity checklist:

#1 Choose a secure web host

Website security begins with web hosting. If your provider does not run secure servers, building a secure project on top of them will be a severe challenge.

When choosing between web hosting options, pay attention to how well they manage their servers and which protection tools they offer. Understand that 100% protection is impossible; a reliable provider, however, usually offers the following:

  • Reliable backup and recovery
  • TLS certificates (still commonly marketed as Secure Sockets Layer, SSL, support)
  • An uptime guarantee (SLA)
  • Scanning and protection against malware
  • Protection against distributed denial of service (DDoS) attacks

A TLS certificate is usually included in the service package by default, but it is still worth double-checking. It protects data in transit between the customer's browser and your site: when a customer places an order and submits their details (a credit card number, address, or phone number), they cannot be read or altered on the way. Note that this says nothing about how safely that data is stored once it reaches your server; that is a separate question.

#2 Encrypt sensitive data

Data such as access tokens, billing details, emails, etc., must be encrypted at rest. If you're using AWS, Amazon Aurora can encrypt the database storage with keys managed in AWS KMS. Keep in mind what that protects against: stolen disks, snapshots, and backups. An application that talks to the database, or an attacker with SQL injection into it, still sees plaintext, so the most sensitive fields (tokens, and card data where you are allowed to hold it at all) should additionally be encrypted at the application layer with authenticated encryption.

Important! If you plan to develop an e-commerce site, make sure your web hosting is compliant with the Payment Card Industry Data Security Standard (PCI DSS). Only then is customer information for all types of card payments protected. If your host does not support it directly, it must be compatible with a third-party PCI-compliant shopping cart or payment API provider, so that card numbers never touch your own servers.

#3 Use only secure software

Before using any software, scan it for known vulnerabilities and keep it up-to-date. Also, disable or completely remove any software that is no longer in use, as it can become a backdoor for attackers.

I recommend using open-source software with a live development team whenever possible. Such software gets security fixes much faster and can be analyzed for the presence of backdoors.

Dmytro Nefedov, DevOps

#4 Consider wise authentication

All passwords must be stored as salted hashes produced by a slow password-hashing function such as bcrypt, scrypt, or Argon2, never as reversible encryption. You might also implement password rules to reject weak passwords like “password” or “12345”, but don't overdo them; instead, add multi-factor authentication (2FA). Note that SMS codes, phone calls, and email confirmation are the weakest second factors (SIM swapping and phishing defeat them); app-based one-time codes (TOTP) or hardware keys (WebAuthn) are preferable.

#5 Control the web traffic

Use HTTPS (HTTP over TLS) for the entire website, not only for forms or logins, and send an HTTP Strict Transport Security (HSTS) header so browsers refuse to fall back to plain HTTP. A Content Security Policy might be hard to develop, but it is totally worth the time. Session cookies must carry the Secure flag (sent only over HTTPS), the HttpOnly flag (so JavaScript cannot read them), and a SameSite attribute (to limit cross-site request forgery).

#6 Control the infrastructure

Reduce manual operations as much as possible so that upgrades can be done quickly and automatically. Centralize logging so nobody needs SSH access to servers just to read logs. Consider an intrusion detection system (IDS) to shorten the time an advanced persistent threat (APT) can remain unnoticed.

When developing a new project of any complexity, write a security guideline and train your team on it, so that not a single backdoor is left for attackers.

#7 Automated website backups

Regular backups help deal with problems such as a broken page or a hacked website. Manual backups are easy to forget, so set up automatic backups on your web host, keep at least one copy off the host (an attacker who controls the server can delete backups stored beside it), and test that you can actually restore from them.

#8 Have a plan

No matter how secure your website or mobile app is, anything might happen, and you need a plan B. Hiding the incident, as Uber did, is not a good idea, so think through the possible consequences in advance, prepare your communication, and keep in mind the potential ways of solving the problem.

Considering all aspects of safety when creating a project is a necessary but not a sufficient condition. Online security is never absolute. Therefore, the safety of a project is proportional to the attention you give it while maintaining it.

Dmytro Nefedov, DevOps

To summarize

We hope the post didn't give you a dose of paranoia but instead increased your awareness of the importance of cybersecurity. For any business to be genuinely profitable across all online platforms, security is an essential factor that needs to be addressed. We, as developers, always implement it to the maximum in our projects.

Let’s reiterate the crucial points you must remember to keep your site secure:

  • Choose a secure web host.
  • Encrypt all connections and secure user logins.
  • Automate website backups.
  • Control the infrastructure.
  • Keep your database safe.

We, in Altamira, care much about information security at each step of development. From developers to system administrators, each team member follows a dedicated checklist, keeping the data safe and secure.

FAQ

Try to hack your project. Self-hacking is a way of inspecting your web application to see how well it stands up to common cyberattacks. Start with penetration testing: attempt to break into your application systems (APIs, servers, etc.) and proactively test your app beyond regular use. Use the Open Web Application Security Project (OWASP) checklists, such as the OWASP Top 10 and the Web Security Testing Guide, to guide your test hacking.
Encrypting all your connections is essential for any website requiring registration or transactions. Start by obtaining a TLS certificate and serving the whole site over HTTPS (HTTP over TLS). To protect individual pages that require authentication, enforce a strong password policy so users log in with secure credentials. Passwords must never be stored in plaintext or with reversible encryption: use a dedicated password-hashing function such as bcrypt, which makes it infeasible to recover passwords in the event of a data leak. Other factors to consider are a correct OAuth implementation and unpredictable, short-lived password reset tokens.
Expose services through the minimum number of ports. This alone is not protection, but it complicates an attacker's task. Host internal databases and services in private VPC subnets that are not reachable from the internet. Be very careful when configuring AWS security groups and VPC peering so as not to make services public. Configure services to accept connections only from a small set of IP addresses. Use AWS IAM roles instead of root credentials, and rotate passwords and access keys regularly.