Information security is a hot topic nowadays.
As a web programmer, I am responsible for making sure the web applications I work on are as secure as they can be. When I work with other web developers, I have noticed that there are still people out there who aren’t aware of the stakes involved with IT security. To them, IT security is just a bunch of items they need to cross off a list. They don’t realize, or even care, about the purpose behind securing the information their application stores, or fully appreciate the value of that data.
The fact is that when we secure user data, we’re not just protecting some proprietary information that sits on our server, but we are also protecting our users from being exploited outside of our site.
More and more, people’s lives are moving to the web. Our shopping habits, bank accounts, medical histories, etc., are all available over the internet. For the most part, this is not information that most of us would like to share.
Now of course this information is not just floating out there for anyone to grab (at least in most circumstances). It’s usually layered with various security measures to make sure only authorized people can see the sensitive data.
But what if someone breaks through the security measures?
Let’s say we have a website that’s a social network for people’s pets. All the site holds regarding its users is basic user information such as emails and passwords. If the site itself is compromised, some proprietary information may be exposed. On first glance, you might dismiss the breach; after all, it’s just a bunch of information on people’s pets, so no big deal right?
But what about the email and password information? Recent studies have shown that a large share of online users reuse the same password across their accounts (as high as 75% in one study). So if someone hacks into our website and gets the emails and passwords, they have potentially gained access to a goldmine of information across many other websites.
Let’s think about the kind of information we have in our email inboxes for a minute: personal correspondence, bank statements, credit card statements, etc. Those emails tell the intruder which banks and card issuers the victim uses, and the victim is probably using the same password there. Even if the victim is doing the right thing by using a different, stronger password on the bank’s site, the intruder still controls the email account, and the lost-password recovery offered by just about every financial institution sends its reset link to that very inbox.
As you can see, the severity of compromised security can escalate from a small breach on one website to people’s finances being in danger. This has already happened: one very notable account from early 2011 involved the breach of a technology security company, HBGary. It started with the compromise of their public website, which held nothing more sensitive than user passwords. From there the attackers were able to get into the email accounts of HBGary’s CEO and COO and released proprietary and sensitive documents, causing significant public relations damage.
The scariest part about all this is that we can do our job right all the time, but all it takes is a breach elsewhere — a weak password on another insecure site — and the dominoes will fall. However, this does not mean that we, as web developers, should not try.
As a matter of fact, we should try harder, and it shouldn’t matter what kind of site we have, even if it is a simple pet social network. We can make sure that even if someone’s information has been compromised, we limit the damage on our end: not keeping sensitive information we don’t actually need, storing passwords only as salted, slow hashes so that a dump of our database does not hand out reusable credentials, requiring more than just an email address for password recovery, and so on. Because it’s not just our pride and our work at risk here, it’s other people’s online lives.
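The point about limiting damage on our end deserves a concrete illustration, because the pet-site breach above only turns into a bank breach if the dump contains passwords an attacker can reuse. The following is an added example written for this post, not code from the original, and it goes slightly beyond the text by showing both the weak storage form and the hardened one side by side. The users, their passwords and the wordlist are constructed sample data; the iteration count is an assumption taken from the current OWASP password storage guidance; the function names are mine.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data for a hypothetical pet social network's users table.
# Two users happen to share a password, which is common in practice.
SAMPLE_USERS = {
    "alice@example.com": "fluffy123",
    "bob@example.com": "fluffy123",
    "carol@example.com": "correct horse battery staple",
}

# A tiny constructed wordlist standing in for the huge lists attackers really use.
WORDLIST = ["password", "123456", "fluffy123", "letmein"]


def store_fast_unsalted(password: str) -> str:
    """The weak form (deliberately insecure): an unsalted, fast hash.

    SHA-256 is used here, but MD5 or SHA-1 in older code bases have the same
    structural flaw: equal passwords give equal records, and one precomputed
    table cracks every account in the dump at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_fast_unsalted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the weak form: one cheap hash per guess, and a
    hit is immediately reusable against every other account with that record."""
    for guess in wordlist:
        if store_fast_unsalted(guess) == record:
            return guess
    return None


# Assumption: 600,000 iterations of PBKDF2-HMAC-SHA256, the figure OWASP's
# password storage cheat sheet recommends at the time of writing.
PBKDF2_ITERATIONS = 600_000


def store_slow_salted(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The hardened form: a per-user random salt plus a deliberately slow KDF.

    The record carries its own parameters so they can be raised later without
    breaking verification of older entries.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def crack_slow_salted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against the hardened form. Weak passwords still
    fall, but every guess costs a full KDF run and, because of the salt, the
    work has to be repeated for each account rather than shared across the dump."""
    for guess in wordlist:
        if verify_slow_salted(guess, record):
            return guess
    return None


def simulate_breach(
    users: Dict[str, str],
    store: Callable[[str], str],
    crack: Callable[[str, Iterable[str]], Optional[str]],
    wordlist: Iterable[str] = WORDLIST,
) -> Dict[str, Optional[str]]:
    """Build a dump with the given storage function, then run the dictionary
    attack over it and return {email: recovered password or None}."""
    dump = {email: store(pw) for email, pw in users.items()}
    return {email: crack(record, list(wordlist)) for email, record in dump.items()}


if __name__ == "__main__":
    print("fast/unsalted:", simulate_breach(SAMPLE_USERS, store_fast_unsalted, crack_fast_unsalted))
    demo_store = lambda pw: store_slow_salted(pw, iterations=50_000)  # lowered only for demo speed
    print("slow/salted:  ", simulate_breach(SAMPLE_USERS, demo_store, crack_slow_salted))
```

Running it shows the real difference is in cost and blast radius rather than in whether a weak password can ever be guessed: with the fast form, alice and bob have identical records and one hash per guess cracks both; with the salted KDF, every guess is a full 600,000-iteration run against each account separately, and carol's long passphrase is out of reach of any wordlist. That is exactly what "limiting the damage on our end" means for the stored credentials.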