Security was on everyone's mind last year, including mine. One of the things I was keenly aware of was that most people talk about it fearfully - including me. I wanted this article to be different. We all know there are people out there who want our information - that hasn't changed. As a web development company, however, we must do our part to make obtaining that information more difficult.
No one is perfect and the landscape is always changing, so developers have to stay ahead of the trends. The fact is that many don't. When OWASP was first emerging, I used their documentation in my own application testing - that was nearly twenty years ago. Now, my own company creates Web and mobile applications for a variety of clients and industries that have a range of requirements.
Earlier this week, someone asked me whether I had experience with Internet security. That is something of a loaded question, since there are really two different components to the broad topic of Internet security. On one side is the security of physical devices and infrastructure (routers, servers, mobile devices, and entire networks). On the other side is the security of the applications that run on those devices. While I do have an understanding of the broader topic of Internet security, my expertise lies primarily in crafting applications with security built in from the start (rather than bolted on afterward, which is more of an afterthought) and that work well and are very usable. When it comes to the security of physical devices and networks, I turn to my own experts, who have a greater knowledge of that aspect than I do.
On the topic of my expertise, we practice security through obscurity and layered security (also called layered defense, or defense in depth: several independent controls, so that a single failure does not expose the whole system) to build security into our applications. No system is entirely impenetrable, and anyone who tells you their system is impossible to hack is either delusional or lying. There are a great many methods that go into implementing these practices, and I doubt this audience has the urge to read about them (unless it's late at night and you need some help falling asleep).
Since there is always that chance of security failure, we also carry a professional liability insurance policy which covers us in the event of a data breach. If your company is interested in securing a Web or mobile application or if you need an application built with security in mind, we'd like the opportunity to speak with you. Contact us with any questions you have.