IN-DEPTH Web app security
Former Dark lord of network operations Tim Armstrong teaches the mystical arts of systems, security and keeping your stuff secret and safe.
Illustration: Kym Winters
Another day, another high-profile company gets hacked, and more customer data falls into the wrong hands. The company du jour will say how its security was up to all the latest standards, and how this was clearly a state-level attack. Yet upon detailed post-mortem it'll usually be revealed that some web crawler got lucky and started pulling data from an unprotected endpoint.
It's a common meme among programmers that businesses never have time to invest in security before an attack. Once an attack has taken place, the managers are all at your desk asking how you let this happen, forgetting entirely that you've been calling for more time to focus on refactoring and security for several months, only to be ignored.
As sad as this reality is, it's not really the managers' fault. The pay-off of a new feature is tangible: it has a fixed start and end; it links to a business objective; it is, for lack of a better word, quantifiable. Security and refactoring, however, are quite the opposite... or are they? If you can convey the risks and benefits without sounding like a broken record, then you can change your culture for the better.
This series will empower you with the tools to do just that and make security part of your culture. Kicking things off, we'll discuss some fundamentals and motivation, followed by detailed implementation tutorials in future issues.
Security breaches are frequently more than just embarrassing, and can range from mild inconvenience to life-destroying for those affected. If a company leaks its customers' credit card details, the odds are that eventually you'll get that money back, either through the issuing bank's insurance scheme or through charge-backs against the fraudulent transactions. While the charge-backs can be difficult for any third-party businesses that get inadvertently caught up in this situation (generally through being the hacker's unwilling or unknowing cash converter), it's commonly an equally recoverable situation.
If, however, the leak contains copies of bank statements, a social security number, home address, and/or mother's maiden name, then the breach can be much more significant. It can lead to massive identity theft, devastating for those customers hit in the aftermath of the breach. As a result, the regulators, governments and class action lawsuits that follow frequently seek proportionate punitive damages against the company that suffered the breach. Unless it's a Fortune 500 company, those damages can be significant enough that the company goes into voluntary administration and is ultimately shuttered for good not long after.