Spotlight on Security

Padlocks
Photo by Mike Baird on Flickr. Licensed under CC-BY.

Often, computer security is talked about as if it is a feature itself. Many an internet service provider has offered “built-in security” as part of their deal, when what they really mean is “we give you a subscription to an anti-virus package for no extra charge”.

Lots of people will tell you they can “guarantee” that you’ll be secure, by which they mean they will refund you your purchase price if they fail to achieve that.

We don’t buy into that. We approach this key issue a little differently. The truth is that no-one can “guarantee” anything — but what we can do is put ourselves in the best possible position for preventing and, if necessary, responding to security issues.

Putting Best Practices… Well, Into Practice

Notebook
“Notebook” by waferboard on Flickr. Licensed under CC-BY.

Our goal is always to start everything we do with security in mind, not as an afterthought. Security will never be just a starburst sticker for the marketing department.

Before we even sit down and write a new line of code, we put ourselves in the shoes of the attacker. We obsess over what could go wrong, or what could be leveraged, and we even try to ‘break in’ to our own systems. How could this be abused? How can I get around this? How could I make this do something it wasn’t designed to do?

Every risk that we identify in that process is countered in the appropriate way. We can’t eliminate every single risk in every single case, but instead we take time to calculate them, mitigate or minimise them, and ensure that we monitor them in case circumstances change in the future.

Working Positively With The ‘Good Guys’

When someone points out a flaw in something you’ve been working really hard on for a long time, it can be all too easy to feel defensive. Some people even become hostile. But this immediate reaction is unhelpful for security, and can even have disastrous consequences.

The people who really want to attack you aren’t going to take the time and effort to tell you about a vulnerability before exploiting it. So it follows that you should treat the ‘good guys’ with respect and gratitude.

That’s why we’ve spent time on our policy on security disclosures. Our goal is always to work positively and productively with security researchers. Anything else would be taking unnecessary risks for us, and for our customers.

Preparing For The Worst

Hard drive
Photo by DijutalTim on Flickr. Licensed under CC-BY.

It would be dishonest to fail to note that even if you’re doing everything right, things can go wrong.

That is why we sit down, think about the worst-case scenario, and prepare ourselves for it. That is why recovering from some pretty extreme situations forms part of our planning. That might mean having off-site backups that are physically disconnected from all of our infrastructure, so that even a complete cloud disaster won’t prevent us from being able to recover.

It’s likely we’ll never have to use such strategies, but they’re there because to do nothing is to risk everything.

Start Right

Computer security is hard to get right. It is also absolutely critical — for any business, big or small, high-tech or otherwise. We want to start right — not to sell our services pretending that we’re invincible, but to put us, and our customers, in the strongest position we can.

Over the next few weeks, we’ll explore the nuts and bolts of how we’ve gone about this, starting with some easy things you can do to help keep WordPress secure.
