In today's digital age, maintaining and managing your web platforms is crucial for securing your investment and ensuring the security and longevity of your website or web application. With new threats constantly emerging, it is essential to apply regular fixes and updates to combat these vulnerabilities.
Understanding Vulnerabilities, Exploits & Software Updates.
Vulnerabilities exist in all software, including that used to create and run websites and web applications, and bad actors are always on the lookout for weaknesses to exploit.
They analyse commonly used software, find vulnerabilities, and develop methods to gain control of systems with potentially catastrophic results for the system owners, operators and users.
To counteract this, reputable vendors of software and systems such as operating systems, content management systems and development platforms take steps (including the hiring of ethical hackers, also known as "white hats,") to identify and fix these vulnerabilities.
Third party organisations also analyse software systems utilised by organisations scanning them for vulnerabilities that malicious actors may exploit, publishing information about them and sharing this information to the vendors themselves and / or the wider web community.
Through responsible monitoring of their platforms these vendors will release patches and updates to their software to their customers to close out these identified vulnerabilities as they are discovered, and regularly applying such updates forms a critical part of any maintenance and business continuity plan.
Regular Library Updates & Software Patching for Web Apps.
All web applications are created on particular platforms, using specific building blocks - multiple programming languages and libraries (for example HTML, PHP or .NET).
For custom web applications such as client portals or business process automation systems, regularly updating these libraries used in their development and applying patches is essential.
This process ensures that any newly discovered vulnerabilities within these building blocks are addressed promptly as well as improving application performance and correction of any bugs.
Good web application hygiene goes hand in hand with a strong maintenance and management process, making your apps more secure, more reliable and more productive and delivering more bang for your buck.
Keeping an Eye on Things: Monitoring, Alerts & Log Analysis.
Real-time monitoring and alerts are vital to provide an early warning system for your website or app. Monitoring systems can detect unusual traffic patterns for example, in the event of a denial-of-service (DoS) attack, allowing for swift action to mitigate the attack.
In addition, periodically studying log files can help identify any probing activities that might indicate intrusion attempts or an impending attack.
Such log file analysis and site monitoring activities also provide valuable insights into potential optimisation of your sites or apps, and provide vital information for incident reporting and follow up - vital to ensure you learn and strengthen from experience and avoid a repeat of any issues that may occur.
Technology Profile Selection
The choice of technology plays a significant role in security.
For example, while WordPress is a popular content management system it's popularity means it is frequently targeted by hackers and other bad actors. One reason for this is its extensive use of third-party plugins and extensions. By selecting the right plugins, those provided by reputable vendors who provide regular updates and patches you can massively reduce this risk.
For our clients who happen to use WordPress, Communicraft maintain a library of recommended and regularly updated plugins to minimise risk. A due diligence exercise is employed for any new modules that may be required by a client for new functionality.
The same will apply for all tech solutions applied to your project (including of course other Content Management Systems such as Craft CMS). With a CMS, the more functionality provided "out of the box" the lower the requirement for third party extensions and so the the lower the potential "attack surface".
Smart tech selections minimise this attach surface and de-risk the project.
Educating Your Team
The most significant attack vector remains human error. Training your team to recognise and respond to threats such as phishing attacks is critical. Phishing emails often appear to come from reputable sources, tricking users into clicking malicious links.
Keeping your team informed about evolving threats can significantly reduce the risk of such attacks.
Furthermore having effective security policies and procedures among those with access to your applications or website administration (including CMS), including reporting policies, are critical.
Security Audits & Penetration Testing
Penetration testing involves hiring security specialists to attempt to breach your system, identifying gaps and vulnerabilities. They produce detailed reports, often in a traffic light format, highlighting and prioritising areas that need attention. Addressing these findings promptly helps maintain a robust security posture.
With these types of attack becoming increasingly sophisticated, annual penetration testing by a specialised security consultancy is highly recommended. There are many firms operating in this growing space, so select one which has a strong track record. We're here to assist in this selection process and can make recommendations.
Automated services can support penetration and vulnerability testing in ongoing monitoring, though it is important to remember that these are tools, they wont do the job for you, and are most effective in supporting a security policy and formal security audits.
Enterprise Ireland have recently launched the "Cyber Security Review Grant" for Irish businesses to assist you in improving your security posture.
Access and Password Management
Effective management of access controls and passwords is another key aspect of security. Enforce strong passwords and ensure they are regularly changed. It's also important to manage staff access diligently, removing permissions when staff leave or change roles.
Business Continuity & Disaster Recovery.
Everything in this article falls under the broad category of business continuity for your website and / or web applications.
A comprehensive business continuity plan is essential for dealing with unexpected disruptions. This must include having a reliable point of contact, reliable processes, regular updates, measurement and reporting and ensuring robust backup and disaster recovery plans.
Regular backups are crucial, but they must be part of a broader disaster recovery strategy that allows for quick deployment in the event of a system failure.
Just having a back up is not enough, it is just one element of a disaster recovery plan that will ensure business continuity.
Review Your Web Maintenance Agreement
Given the complexity and importance of maintaining and managing web platforms, it is essential to review your web maintenance agreement regularly. Ensure it is up to the job and provides adequate protection for your web platforms, your business, and your brand.
An effective maintenance agreement should cover all aspects of security, from regular updates and patching to comprehensive disaster recovery plans. It should also include provisions for educating your team and ensuring ongoing compliance with an effective security policy.
We’re here to help
Communicraft have been planning, developing, securing and maintaining web platforms at the highest level since 2001. Our team of experienced developers, designers and project managers are here to help so get in touch with any queries or concerns.
Ask us about our website and web application business continuity plans.