Article

Alexis Ternoy
Alexis Ternoy 20 February 2015
Categories Ecommerce, Email & eCRM

Who's Responsible For Web Application Security?

You've probably seen the posters that say health and safety is everybody's job?

You’ve probably seen the posters that say health and safety is everybody’s job.



Well, that’s how we feel about security too at New Bamboo. There’s a lot of personal and customer data stored in web applications, ranging from email addresses to credit card details. If compromised, this data can be traded on the black market and might end up being used for fraudulent transactions, spamming or to crack user accounts on ecommerce sites. It’s a target, and protecting it is both our job, and yours.


We’d like to see product owners and client organisations taking a keener interest in security. It often appears that companies only take the security of their applications seriously after they’ve been hacked. The clean-up costs can be immense. One report estimates the worst cyber security breaches cost large companies an average of between £600,000 and £1.15 million, excluding any costs arising from reputational damage. The average cost doubled between 2013 and 2014, too. Settling a bill that big is bound to focus the mind, but at this point the damage is already done. There are customers frantically changing passwords and worrying about what else might have been compromised. They’re unlikely to trust you again. If you’re going to ask people for data, you have a responsibility to look after it and to be proactive in ensuring it is as secure as possible.


So what can you do? The most important thing is to make security a priority within your organisation, talk about it, and allocate budget for it. One practical step you can take is to commission an independent company to do a penetration test, where they attempt to infiltrate your web app. At New Bamboo we work with penetration testers, and we typically give them the entry points for the application, tell them what it’s supposed to do, and give them some example data and credentials so they can log in. They then try to break it, and break into it, to see how the app responds to a targeted attack. We’re confident in the security of our applications, but we still think clients should take the initiative and thoroughly test them, and demonstrate security leadership to their customers.


On our side, we invest in making sure we are using the latest tools and guidelines. We recently gave the whole company a day’s training on web security, delivered by former colleague Najaf Ali, who now runs his own agency. Allocating a day to this represents a significant opportunity cost for us, but is something we consider to be an important investment. During that day, we looked at different types of vulnerabilities that can be exposed in typical web apps, many of which are automatically protected against by the Ruby on Rails framework. Rails comes with excellent security features out of the box, and we augment it with third-party libraries, automated scanners and best practices to ensure the applications we build are as secure as possible. This training enabled us, though, to understand the different ways an application can be attacked and how applications have been cracked in the past, so we are better prepared to understand and respond to any new vulnerabilities that might be discovered in the future.

 

So next time somebody asks you who’s looking after the security of your app, be bold: tell them you are, and they are, and we are. Security is everybody’s job.


The New Bamboo Blog: https://www.new-bamboo.co.uk/blog/

More on my blog http://outofoffice.today


Read More on Digital Doughnut

Please login or register to add a comment.

Contribute Now!

Loving our articles? Do you have an insightful post that you want to shout about? Well, you've come to the right place! We are always looking for fresh Doughnuts to be a part of our community.

Popular Articles

See all
Digital Marketing Vs. Traditional Marketing: Which One Is Better?

Digital Marketing Vs. Traditional Marketing: Which One Is Better?

What's the difference between digital marketing and traditional marketing, and why does it matter? The answers may surprise you.

Julie Cave
Julie Cave 14 July 2016
Read more
14 Amazing Examples Of Brands Killing It With Facebook Ads

14 Amazing Examples Of Brands Killing It With Facebook Ads

How do you design the perfect Facebook ad that converts? A lot of people will start throwing money at Facebook, but not see any success. This comes either because they don’t have a proper strategy for their Facebook ads or their ads are not well designed. But for those brands which have a good strategy and work hard to test and refine their advertising, Facebook ads can generate huge profits. And we’ve found 14 of such examples.

Luisana Cartay
Luisana Cartay 11 December 2017
Read more
Top 10 B2B Platforms to Help your Business Grow Worldwide

Top 10 B2B Platforms to Help your Business Grow Worldwide

Although the trend of a Business to Business portal is not new but the evolution of technology has indeed changed the way they function. Additional digital trading features and branding has taken the place of traditional outreach methods to get in touch with targeted buyers or sellers.Here are some of the best and fastest growing global B2B platforms that are helping thousands of businesses in the world to grow and reach their international and local clients.

Salman Sharif
Salman Sharif 7 July 2017
Read more
4 Important Digital Marketing Channels You Should Know About

4 Important Digital Marketing Channels You Should Know About

It goes without saying that a company can't do without digital marketing in today's world.

Digital Doughnut Contributor
Digital Doughnut Contributor 5 November 2014
Read more
Collection Of The Best Email Testing Tools Online

Collection Of The Best Email Testing Tools Online

Don’t be afraid of email testing. There are many free or freemium tools online that can help you with testing your SPAM score, deliverability and even the rendering of your email. We feature 30 email testing tools in this article. Check out the complete list!

Roland Pokornyik
Roland Pokornyik 31 October 2016
Read more