If your shopping list for features on your new website doesn't include application security features, it should. Our coding standards follow best practices in order to protect our clients from any vulnerability which may put their website at risk. The team of developers here at CommonPlaces is acutely cognizant of common vulnerabilities such as SQL Injection, in which malicious input entered into a string or form field is interpreted as part of a database query, for the sole purpose of gaining access to the database or server. We take care to see that there are protections in place to prevent that.
Certainly the recent Heartbleed bug is a notorious example of a flaw which can cripple a system's defenses. We manage and maintain our servers so that updates are applied promptly when something like that comes along. We also immediately notify our clients using our servers, and provide information on what steps (if any) they need to take. If a client hosts their site on their own server, and they aren't taking advantage of the services that we provide, we will let them know about situations like the Heartbleed bug, but that is the extent of our involvement. However, if they are using our server, we mandate that they stay up to date on application security. This is done in one of two ways.
1. Application security maintenance by subscription
On a monthly or quarterly basis, depending on the agreement, we will go in and update all modules and apps. Critical situations, however, are addressed immediately.
2. A la carte
We'll resolve the problem, and then send clients the bill for the fix. We do this because we can't expose any client to any vulnerability on the same environment. We must protect all involved.
The open source myth
If you think of the world of web development as being split between proprietary solutions and open source solutions, then you should know that we frequently deal with a misconception that open source software isn't safe. Nothing could be further from the truth. Open source doesn't mean an open hole.
In a proprietary solution, a business may employ dozens, even hundreds of individuals to update their software and protect their clients. Nowhere is there an iron-clad guarantee of protection from all scenarios. In open source solutions, depending on the platform, there may be a community of hundreds of thousands, all across the world, working to protect users. Information on threats, and on methods of protection, travels through these communities with spectacular speed. Everybody is looking for the vulnerability, and for ways to patch and fix the problem.
Open source means that you are getting free software, which is a nice thing, but users must remain vigilant, and constantly make updates. The community publishes information about threats for everyone to see. If you don't take steps to correct that problem, and someone comes in to exploit that vulnerability in your site, you have only yourself to blame.
Looking into the future
Heartbleed was a really big flaw, and not too difficult to exploit. We may never see anything quite so flagrant again. That said, you will always need application security because there are individuals who want your stuff and are looking for ways to get it.
Because of that, application security scanning is probably going to increase in popularity and demand. We've worked with WhiteHat Security, which provides automated scanning of applications, as well as manual review by people looking for ways that you may have exposed yourself to threats.
The challenge of the puzzle
For developers, who love puzzles, identifying a security risk is one of those fantastic moments of success on the job. Recently, a five-year-old boy found a vulnerability in Xbox. His father, a developer, is absolutely thrilled and proud of the boy for figuring it out. Sometimes it takes a child-like imagination to uncover a problem that everyone overlooked. You have to ask, 'What happens when I do this?'
Take credit card information, for example. Best practices will tell you never to store credit card records. Yet some companies absolutely must store that information because of the nature of their business. There are certain rigid rules and regulations about how you do that while maintaining strict security for all concerned. Business workflows, then, dictate how development teams will work around seemingly impossible scenarios. It follows that developers are always trying to find a hole in the system, and are thrilled when they come upon one. Of course, the next step is patching that hole.
When it comes to a website, nobody wants to spend more than is necessary, of course. But, do you really want to have somebody worm their way into an application which operates an essential part of your website? You can't see the flaw, but you can't take the risk of losing your business by doing nothing. Web application security is insurance, and while no one likes to buy insurance, no sane person can live without it.