Building a platform with security built in from the beginning is still the exception rather than the rule. Many freelance developers and small development teams consider security late, if at all, which results in what we call "bolted-on" security (as opposed to "built-in" security). Bolted-on security is better than none, but retrofitting controls onto a finished design tends to leave gaps: they get added where it is convenient rather than everywhere the data actually flows. Here are three things to discuss with your Web team before you start the next project or enhancement.
Credit Cards & PCI Compliance
Many custom application platforms and most ecommerce sites take credit cards, and blind trust in the components used to process them is common. If you're going to accept credit cards, make sure you do so securely. Your Web team should be using tokenization: the card number goes directly from the customer's browser to your payment gateway, which returns a token that your servers use for charges and refunds. The card number itself never touches your servers or your database, so a breach of your application does not expose cards, and your PCI DSS scope shrinks dramatically, typically to one of the short self-assessment questionnaires rather than a full assessment. Tokenization does not remove your PCI obligations entirely; it moves the hardest ones to the payment provider. It also means your own code should never accept or log a raw card number, even by accident.
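A server-side guard that enforces the rule above, as an added example that is not code from the original post or from any payment provider: the checkout endpoint accepts only a gateway token and refuses any field that contains a card-number-looking digit run passing the Luhn checksum. The field names, the token format and the two sample requests are constructed for illustration; a real gateway's token format and API differ.

```python
import re

# Constructed samples: a checkout payload as it should arrive after client-side
# tokenization (gateway token only) and one that leaks the raw card number.
TOKENIZED_REQUEST = {"payment_token": "tok_example_7f3a9c", "amount_cents": 4999}
LEAKY_REQUEST = {"card_number": "4111 1111 1111 1111", "exp": "12/29", "amount_cents": 4999}

# 13 to 19 digits, optionally separated by single spaces or dashes.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by the card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the card-number-looking substrings in text that pass Luhn."""
    hits = []
    for match in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def validate_checkout(payload: dict) -> dict:
    """Accept only tokenized payments; refuse anything carrying a raw PAN.

    Raising before the request is processed also keeps the PAN out of
    application logs and error reports, which is where leaks usually end up.
    """
    for key, value in payload.items():
        if find_pans(str(value)):
            raise ValueError(f"raw card number in field {key!r}; tokenize client-side")
    if "payment_token" not in payload:
        raise ValueError("missing payment_token")
    return {"token": payload["payment_token"], "amount_cents": payload["amount_cents"]}


if __name__ == "__main__":
    print(validate_checkout(TOKENIZED_REQUEST))
    try:
        validate_checkout(LEAKY_REQUEST)
    except ValueError as err:
        print("rejected:", err)
```

The same `find_pans` scan is worth running over your application logs and database dumps periodically; finding a PAN there means a field the team assumed was tokenized is not.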
Password Storage
I was recently enlightened by an employee that many professors at a local university advocate not encrypting the password for class projects because "it's just a prototype". (Strictly, passwords should be hashed rather than encrypted: nothing ever needs to read the original back, so nothing should be able to.) The problem with that philosophy is that, in the real world, prototypes often become the product or the production system, and if passwords aren't hashed from day one, the hashing rarely gets added later. The 2011 PlayStation Network breach is the cautionary example: tens of millions of account records were taken, and Sony's own statement at the time was that the stored passwords had not been encrypted, only run through a cryptographic hash function, which is a long way from a salted, deliberately slow password hash. Make sure your passwords are properly hashed and salted. If your developers assure you the passwords are safe because they're using something called "MD5", you need to find a new Web team: MD5 is a fast general-purpose hash, not a password hash, and it has been considered broken for years. Stolen MD5 hashes can be tested at billions of guesses per second on a single GPU, salted or not. Use a purpose-built password hash such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count, with a unique random salt per user.
Internal Access Control
This isn't something that comes up very often, but it should. When new systems are built, it's often assumed that internal people can be trusted, which is fine until they can't be. Make sure that the system you're crafting implements role-based access control, grants each account only the permissions its role actually needs, and lets you disable any account, internal ones included, with a single action rather than a hunt through the database. Unfortunately, social engineering and employee theft are both common ways of gaining access to a system. Entrepreneur recently posted a great article about employee theft and cyber-security which highlights the need for proper access control, regardless of how many employees you have.
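The shape of that check, as an added example that is not code from the original post: roles map to named permissions, every account carries an enabled flag that is tested before any role is consulted, and each decision is written to an audit trail. The role names, permission strings and sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed role table: each role names only the permissions its job requires.
ROLE_PERMISSIONS = {
    "support": {"orders:read"},
    "finance": {"orders:read", "refunds:issue"},
    "admin": {"orders:read", "refunds:issue", "users:manage"},
}


@dataclass
class Account:
    username: str
    roles: Set[str]
    enabled: bool = True


@dataclass
class AccessControl:
    # (username, permission, allowed, reason) for every decision, granted or denied.
    audit_log: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def permissions_for(self, account: Account) -> Set[str]:
        """Union of the permissions granted by the account's roles."""
        perms: Set[str] = set()
        for role in account.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def authorize(self, account: Account, permission: str) -> bool:
        """Deny by default. A disabled account fails before roles are looked at,
        so revoking access never depends on editing role assignments."""
        if not account.enabled:
            allowed, reason = False, "account disabled"
        elif permission in self.permissions_for(account):
            allowed, reason = True, "granted by role"
        else:
            allowed, reason = False, "no role grants permission"
        self.audit_log.append((account.username, permission, allowed, reason))
        return allowed

    def disable(self, account: Account) -> None:
        """Offboarding or incident response: one flag flip revokes everything."""
        account.enabled = False
        self.audit_log.append((account.username, "*", False, "account disabled by admin"))


if __name__ == "__main__":
    ac = AccessControl()
    alice = Account("alice", {"finance"})   # constructed internal finance user
    print(ac.authorize(alice, "refunds:issue"))   # granted by role
    print(ac.authorize(alice, "users:manage"))    # denied: finance is not admin
    ac.disable(alice)
    print(ac.authorize(alice, "orders:read"))     # denied: disabled wins over role
    for entry in ac.audit_log:
        print(entry)
```

The audit log is the part teams most often skip; it is what lets you answer "what did this account touch?" after the fact, which is exactly the question an employee-theft investigation starts with.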
If you're not sure whether any of these measures are in place in your Web or mobile application, contact us. We can help you find out and, if necessary, help you improve your application security.