Due to the nature of my business I speak to many people in various industries, and something is becoming more and more clear as time goes by – website and web application developers are reluctant to have the security of their work scrutinised.
I understand their dilemma – if they have their solutions security tested it adds to their costs and increases the price of their product. It may also undermine the client's belief that the products they deliver are already secure.
Then there is the hosting company, which provides the hardware and infrastructure that allows the website to be accessed – some of the security issues may lie there, so why would the site developer worry about security?
Indeed, I had a conversation recently with a website development company who didn't want their product security tested because doing so might imply that they aren't building things properly in the first place. They went on to point out that if the client discovers a security issue in the application later, they can charge them again for fixing it!
The other problem is one of accountability. In the recent attacks against Sony, Sega and others, it is the company or organization attacked that gets the bad press and the flak, not the company they brought in to develop the website or application.
This means the website developers get off virtually scot-free, with the probable loss of just that piece of work or that client. The client, on the other hand, may end up having to deal with potentially crippling clean-up costs, compensation claims and reputational damage.
So how do we change this? What should companies and organizations do to ensure the work done for them is of a high enough standard?
Well here are a number of suggestions:
1. Ask your website developer about the security measures they build into your solution (for example, how they validate input, store passwords and protect user sessions). If they're vague or evasive, find another supplier. Have whatever response you get evaluated by an expert.
2. Ask them up front whether they have the site independently security tested, or whether they are happy for you to do so once the solution is complete but before you pay for it.
3. Ask them to guarantee the site's security, or at least to provide fixes free of charge should security vulnerabilities be identified later. Make sure this is in the contract.
4. If they do security test the solution, find out whether it is truly independent and whether the site will receive any accreditation in the form of a security seal or other certificate. A seal on its own tells you little; ask to see the scope of the test and the findings report.
At the end of the day, if you employ a website developer to create your website it's still your data, reputation and profit that's at risk if your site's security isn't up to scratch. Is that a risk you're willing to take?