Security was on everyone's mind last year, including mine. One of the things I was keenly aware of was that most people talk about it fearfully - including me. I wanted this article to be different. We all know there are people out there who want our information - that hasn't changed. As a web development company, however, we must do our part to make obtaining that information more difficult.
No one is perfect and the landscape is always changing, so developers have to stay ahead of the trends. The fact is that many don't. When OWASP was first emerging, I used their documentation in my own application testing - that was nearly twenty years ago. Now, my own company creates Web and mobile applications for a variety of clients and industries that have a range of requirements.
Earlier this week, someone asked me whether I had experience with Internet security. That is something of a loaded question since there are really two different components to the broad topic of Internet security. On one side is the security of physical devices (routers, servers, mobile devices, and entire networks). On the other side is the security of the applications which run on those physical devices. While I do have an understanding of the broader topic of Internet security, my expertise lies primarily in crafting applications with security built-in (rather than built on, which is more of an afterthought) and that work well and are very usable. When it comes to the security of physical devices, I turn to my own experts who have a greater knowledge about that aspect than I.
On the topic of my expertise, we practice security through obscurity and layered security (or layered defense) to build security into our applications. It's not entirely impenetrable, but anyone who tells you their system is impossible to hack is either delusional or lying. There are a great many methods that go into implementing these practices and I doubt this audience has the urge to read about it (unless it's late at night and you need some help falling asleep).
Since there is always that chance of security failure, we also carry a professional liability insurance policy which covers us in the event of a data breach. If your company is interested in securing a Web or mobile application or if you need an application built with security in mind, we'd like the opportunity to speak with you. Contact us with any questions you have.