In the previous article, we listed the most popular and dangerous cyber threats. In the second part of the mini-series, we will write down the most popular ways to help you prevent those threats from destroying your hard work and your users' trust - and, in the end, protect your business.
Basic steps to secure your product
As you can see from the previous part, the number of threats out there is huge. Let’s look at the best ways to secure your website and make your users feel safe using your product.
- Keep your software up-to-date
This is a very often forgotten part of the equation. Too many times as a software engineer have I seen a situation where a client pushes new features but is reluctant to deal with technical debt, spend time on upgrades, etc. Yet this is actually one of the easiest ways to prevent serious threats.
In my opinion, any software engineering process should be capable of spending at least 20% of the time on maintenance, upgrades, and security.
- Always use HTTPS
This is a no-brainer. Luckily more and more websites and systems are already encrypted, but if you happen to own a product that doesn’t use HTTPS - please, deal with it as soon as possible.
- Password policies
This is a two-way street. Naturally, enforcing password policies on your users and adding 2FA to your system is a wise choice. Still, people often forget that the same MUST be applied to the company itself - and to any company that creates the product for you.
We've seen countless attacks caused by a lack of security on the vendor or company side (for example, the recent Uber attack).
- Use good and secure hosting
Another no-brainer - never try to save money on shady hosting services. Spending 30% more on a well-known, reputable provider is a must. Why? Because most of the time, this extra budget is used to keep the hosting service secure and up-to-date.
- Log all access to your system
Similar to password policies - it's not only important on your product side but also vital when it comes to your company policy and your vendors' policies. I will never stop repeating that the weakest link in most systems is the human factor.
- Never use default settings for any plugins and modules
Whenever using external systems, plugins, or frameworks, you must always change the default settings. Of course, using them is easy, as they work out of the box, but the danger is enormous. One of the simplest attacks is for an attacker to try those default values.
- Backup your backups
Backups are obvious - hopefully. Not only backups of the data within the system, but also of source code, documentation, etc. Naturally, the backups MUST be extra secure and password protected, but it's also vital to have a backup of your backup. I know it may seem like going the extra mile, but believe me - you will thank me for that suggestion when anything happens.
- Spend extra time on server configuration
The great thing about software engineering nowadays is that many things work out of the box. It's similar to the default settings I mentioned earlier.
Server configuration is one of the first steps you should dig into. Most servers have a lot of features built in. The basic step is to immediately turn off anything you do not use; this way, you will know better what you have to control in the future.
- Use a Web Application Firewall
A WAF protects your web apps by filtering, monitoring, and blocking malicious traffic coming to your application, and by preventing unauthorized data from leaving it. A proxy server acts as an intermediary to protect a client's identity; a WAF operates similarly but in reverse, acting as an intermediary that protects the web app server from potentially malicious actions. WAFs can be software, an appliance, or delivered as a service. Policies can be customized to meet the unique needs of your web application or set of web applications.
- Be sure your company network is secure
Last but not least. We've been talking a lot about your product codebase and its parts. But there is another thing that is very often overlooked.
It's the security of your company network, as well as the security of your vendors' networks. This is really going the extra mile, but believe me - it's worth it.
Of course, those techniques are just some examples - the topic is very complex, as attacks and threats are becoming more and more sophisticated.
That is why, after taking those simple steps, you should always consult a company specializing in security advisory, with the proper knowledge and experience to perform audits.
We strongly encourage you to contact our team so we can take care of your product and make it more secure and reliable - in the end, security directly translates into your company's worth.
Reach out to us at firstname.lastname@example.org.