Today we’re going to talk about security, so hold tight and be extremely focused…
Nah :) We’re not going to write another boring article bloated with stuff nobody understands. Instead, we’re going to explain how we manage security from development point of view. It is worth mentioning that we are by no means “security experts”, but we follow some best practices, learn from mistakes and we surely understand security measures and why are they important.
Security is one of the hot topics these days and it has its reasoning behind it — there are a lot of security breaches lately as we live in the era of information, and data has become an invaluable asset. So naturally the demand for it is growing, so is the seeking of ways to obtain it — through legal or illegal activities.
We (Evermore) are a relatively small web development company and we cover most of the best practices when dealing with code or with server setups. Protecting both your code and your server is mandatory in order for your product to be at least hard to breach. These days nobody can claim that his digital assets are 100% secure, but taking precautions and following the best practices is essential.
Enough empty talking. Straight to the point now.
How to protect your server? In most cases we prefer to use PaaS solutions to host applications as those platforms come with a dedicated team taking care of servers and security. This is the preferrable option, unless you are a special case or possess very sensitive data.
Let’s imagine you want your own server. Here are some tips of what you should watch for:
- Love the Penguin — choose your OS wisely (Linux!), one that is well maintained. Ubuntu Linux is a good choice as it is widely used and maintained. And you know
- Always update everything! Do regular updates or enable automatic security updates (Ubuntu supports this). This is an essential practice as software flaws are being found almost every day. Un-patched systems are open to known exploits and all of them come with a manual how to use. Same applies for code that uses third party dependencies.
- Backups, backups! Just do them. Backups are generally copies of all the important parts of your system. One day, after a storm, you will wake up with a smile on your face :)
- Forget the root — always use regular user accounts to operate. Even after a security breach, the attacker will end up with a user with fewer privileges, which can save your system.
- Use SSH — not with passwords but with public keys. Passwords can be brute forced especially if they are not that strong.
- Do your homework — do not trust default configurations, ever! Most of the services are generally installed with automated scripts, and they come with default configuration, which sometimes is not fully secure. One good example is the default configuration that was in the older versions of MongoDB (a NoSQL database). By default MongoDB did not use any kind of authentication, and once installed it started listening on all network interfaces for connections, which would automatically open it up for the general public. At Evermore we’ve handled a similiar case in the past, on a server that we inherited from someone else with no backups in place! Somebody deleted the whole database claiming of having a copy and trying to get a bribe for it, but actually no copies were made before the deletion, so this was a pure scam. Fortunately we managed to recover most of the data using older database copies done by hand not too long ago. So again, backups can save your day!
There are tons of other security enhancements like properly setting up your web servers, further security through firewalls, use of VPN to access the most sensitive data, adding encryptions (including such on a hard drive partition level), user jails and so on.
Unfortunately we can’t cover them all in a single post, but if you’re interested, drop us a line here and we would love to share our experience on this topic with you.