Security is one of those things that many people put aside when developing a new product since it’s one of those things that doesn’t get you any closer to launching and adds no face value for your end users. For many people it’s usually the last thing on their mind until they have an incident, and then afterwards it becomes the top priority (as we’ve seen with Sony recently). With the average data breach running a company something in the order of $7 million you can see why a lot of companies go belly up once they’ve been hit and that’s why I still find it frustrating when new start-ups and companies put security on the backburner. They’re really shooting themselves in the foot.
It’s not like basic security is that hard either. I’ve said in the past that SSL isn’t that hard and I stand by those comments, especially if you’re building something on any of the popular frameworks. SSL is just the beginning though as you can still fall prey to security problems like SQL injection and cross-site scripting attacks even if your site is using SSL for the more sensitive aspects. Again though since the vast majority of new web applications are built on some kind of framework most of this leg work is taken care of for you, as long as you make a token effort to implement them.
I think why I get so uppity about this is because some of the institutions that should be the most secure, like banks, fail to implement security on the same level that others, say game developers, manage to do quite well and surprisingly cheaply. The best example of this would have to be Blizzard, who implemented their authenticator program to combat the constant problem of accounts being hacked. Compare this to the 3 or 4 banks I’ve had dealings with over the past couple of years, none of which have offered me such a service, and you can begin to understand why I’m a little annoyed that my World of Warcraft character’s epics are more secure than the cash I use to pay for them.
It’s not all bad news however, as the era of the smart phone has made it possible to replicate two factor authentication quite cheaply. Both Google and Facebook have now made it possible to log in to their services using two factor authentication via an application on your smart phone. Whilst I’m sure the vast majority of people will not bother (until after something bad happens, of course) it still shows that they’re at least thinking in the right direction, unlike many other services which just don’t bother.
What really surprises me is how this isn’t a commodity service yet. The idea behind two factor authentication is simple: you have to know something (your password) and have something (your smartphone) in order to gain access to the system with the specified user account. Realistically the password problem is already solved and the second factor is really just a simple random number generator that’s seeded by a particular value that both you and the server know. Couple that with decent time synching (easily done on any phone with GPS) and you’re well on your way to better security. Sure there’s a bit more to it than that, but the fact that I’ve been considering doing this as a weekend project ever since I thought of it should give you a clue as to just how easy it is to put decent security into an online service.
I’m hardly an expert at this whole security stuff, hell I bet if you hacked away at any of my projects for 10 minutes you’d find some awesome exploit, but even in this day and age of malware/crimeware/scamware I find it surprising just how lax some people can be when it comes to rudimentary security measures. You’re never going to be able to stop the most determined of intruders, but it’s the casual hacker tourists that you want to keep out. Realistically you only need to be more secure than the next guy they have a go at, and judging by the terrible level of security present online these days that’s not going to be too hard. So you developers of online web services, you have no excuses for not at least attempting to put security into your product, and should I catch you sending my login details in clear text over the Internet you can be sure I’ll be the first in line to blast you for making such mistakes.
Yeah that’s right, I’m going to blog about you and there’s nothing you can do about it… TAKE IT!