PerezBox

Tony Perez On Security, Business, And Life


Thoughts On Security

Security is in a constantly evolving state, and keeping up with the various changes can be hard. As my journey continues in the security industry, I will share thoughts and opinions based on personal experiences. Thoughts are mostly around website security, sprinkled with general security concepts as well, but all tailored to the everyday end user.


Two Critical Challenges Facing Website Security

Published in Security on September 25, 2015

I spent the better part of the past week in Albuquerque, New Mexico at the National Association of Government Web Professionals (NAGW) conference, a conference designed to bring together web professionals from federal, state and local municipalities in an effort to help organize, educate and otherwise collaborate. It was a great event for understanding how municipalities work, but it also helped to reaffirm some of my thoughts around the challenges facing website security across all industries.

Regardless of industry, the same points come up whenever website security is discussed:

  • Lack of ownership
  • Lack of understanding and knowledge
  • Lack of appreciation for impact

Website Security Challenges Defined

Interestingly enough, the greatest challenges the website security industry faces have little to do with the technology, the evolution of attacks, hosting environments, development habits, open source, or anything in between. No, the challenges lie at the core of the mindset of the web, not just amongst web users, but amongst those deploying and managing these environments.

For me it revolves around two very simple, yet deceptively complex, points:

  • Education and Awareness.
  • Webmasters, or the lack thereof.


VPS vs Shared Hosting – Which is more secure?

Published in Security on August 19, 2015

The world of hosting is complex, and it’s further complicated when you throw security into the mix. A few months back I wrote an article on the delicate line between where the host’s security responsibility begins and where yours, as the website owner, is required. That however did not address one key question: which hosting environment is more secure? This is one of the most common questions I get asked.

The response, as you might imagine, is not as simple as the question itself. The question is often clouded by misinformation and bias, and the responses are often grossly inaccurate. I will spend some time thinking through the various points, applying insight where possible, in the hope of helping you make a more informed decision on the types of hosting environments available, and which ones make the most sense for you.


HTTPS Does Not Secure Your Website

Published in Security on July 7, 2015

Ever since Google announced that they were exploring the idea of using HTTPS as a ranking signal for SEO, the web has gone nuts for HTTPS. For a number of security professionals it has generated groans and a heightened level of annoyance and consternation at what has become an overabundance of irrational thought, perspective and improper guidance.

To be clear, I’m not against HTTPS. I believe it’s a critical technology that should be employed when needed, but what I dislike greatly is when it’s used in the context of securing your website. HTTPS protects the connection between the visitor and your server; it does nothing about the security of the application running on that server.

What is HTTPS?


5 Tips to Improve the Security of your Business

Published in Security on June 23, 2015

I don’t know about you, but as a business owner that offers a service to clients who place their trust in us, there is nothing that worries me more than the idea of getting hacked. Enough so that it keeps me up most nights, though that’s likely amplified by the fact that it’s a security company.

I know what they say: it’s inevitable and you must be prepared to account for it. While I realize that’s the reality, I can’t help but think there are things that we should all be doing as business owners to help minimize the likelihood of such a hack.

While I often speak to website security, today I want to spend some time talking about things that we can each be doing to improve the security posture for our businesses.


Impacts of the LastPass Hack

Published in Security on June 16, 2015

This week was a particularly tough week for those that depend on and promote the use of password managers. Unfortunately, not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that it’s news only because it was a very popular service, LastPass, and had the words compromise and hack in the title.

Yes – LastPass was Compromised

The impacts however are not as severe, all things considered, as it might appear at face value.


YoastCon: The State Of WordPress Security

Published in Security on June 9, 2015

Almost five years ago, Joost started the company Yoast, offering website reviews and free plugins. Yoast’s core business was, and is, sharing knowledge and making it easier to create usable websites. Five years later Yoast has turned into one of the biggest WordPress plugin providers with 21 employees (and counting)!

To celebrate reaching five years, awesome growth, and much success, Yoast celebrated with a conference: YoastCon!

The conference was held in de Lindenberg in Nijmegen, with myself, Chris Lema, Marcus Tandler, Karl Gilis, and Joost de Valk speaking, and Marieke van de Rakt, Thijs de Valk, and Taco Verdonschot giving workshops.

The State of WordPress Security

My talk was on the current state of WordPress security. There is no denying that WordPress, powering over 23.5% of the top websites in the world, has become the platform of choice for bloggers and businesses alike.

With this fame, however, WordPress has become a target, making it the most targeted platform on the web.


The Dynamic and Complicated Online Threats

Published in Security on June 1, 2015

This May I was thrilled to travel to Prague, Czech Republic as a keynote speaker for J And Beyond 2015, An International Joomla Conference to deliver the talk The Dynamic and Complicated Online Threats (Challenges Website Owners Face). I was also thrilled to have my company, Sucuri, sponsor the event.

After investing the better part of five years analyzing and assessing the state of security within the realm of websites, I travel the world engaging website owners in an effort to address the security challenges webmasters face today through education and awareness. The website landscape continues to evolve, affecting website owners around the world. We have to take a minute to look at the website landscape, appreciate the nuances that the end-users are struggling with and look forward at what the future holds for us.

The talk is a high-level orientation to the existing threat landscape affecting all website owners, especially those leveraging CMS applications like Joomla!

Check out the video of my presentation below:


Website Access Control and Security

Published in Security on January 23, 2015

Website security has become a hotbed over the past few years. More and more companies are joining the game in hopes of capitalizing on what they perceive to be huge opportunities. The one vector that seems to be all the rage is access control.

When I talk about access control, I specifically mean the mechanisms in place to restrict access to a resource. Think about how you connect to your website. Are you using WordPress, Joomla, Magento or some vBulletin? Maybe it’s a custom PHP, HTML or ASP website?

Regardless of the platform, you have some form of access vector you employ daily.

If you’re a WordPress user, you’re likely leveraging /wp-admin. If you’re on Joomla, you’re using /administrator, and so on, each platform providing its own means of connection. Access vectors don’t stop there. They extend well beyond the application itself. Think about things like File Transfer Protocol (FTP), SSH File Transfer Protocol (SFTP) and Secure Shell (SSH). FTP and SFTP move files and SSH gives a remote shell, but all three are just as much a part of your website’s access vectors as the admin login is.

This can be extended further when you think about things like your hosting panels and database login panels, additional forms of access vectors. But now we start diving into a very deep rabbit hole.
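The access vectors above are also the doors an attacker tries first, and your web server log already records who is knocking on each one. The example below is added here and is not from the original post: it parses a few constructed combined-format access log lines, maps each request to one of the application-level vectors named above (/wp-admin and /wp-login.php for WordPress, /administrator for Joomla, with /xmlrpc.php added as an assumed extra), counts requests per vector and client, and flags clients that repeatedly POST to a login endpoint. The endpoint list, the threshold and the sample log lines are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Combined log format (the nginx/Apache default). Simplified pattern that
# captures only the fields this audit needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Application-level access vectors (assumed WordPress and Joomla layouts).
ACCESS_VECTORS = {
    "/wp-login.php": "WordPress login",
    "/wp-admin": "WordPress admin",
    "/xmlrpc.php": "WordPress XML-RPC",
    "/administrator": "Joomla admin",
}
LOGIN_VECTORS = {"WordPress login", "Joomla admin"}

# Constructed sample log: one client hammering wp-login.php, one normal
# WordPress admin session and one normal Joomla admin session.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jan/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2411',
] + [
    f'203.0.113.10 - - [23/Jan/2015:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2411'
    for s in range(2, 8)
] + [
    '198.51.100.7 - - [23/Jan/2015:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [23/Jan/2015:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [23/Jan/2015:10:05:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 8812',
    '192.0.2.33 - - [23/Jan/2015:10:09:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0',
    '192.0.2.33 - - [23/Jan/2015:10:09:30 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 7734',
]


def classify(path):
    """Map a request path to an access-vector label, or None for public pages."""
    clean = path.split("?", 1)[0].rstrip("/") or "/"
    for prefix, label in ACCESS_VECTORS.items():
        if clean == prefix or clean.startswith(prefix + "/"):
            return label
    return None


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def inventory(lines):
    """Request counts keyed by access vector, then by client IP."""
    hits = defaultdict(Counter)
    for r in parse(lines):
        label = classify(r["path"])
        if label:
            hits[label][r["ip"]] += 1
    return hits


def suspicious_ips(lines, threshold=5):
    """Clients that POST to a login endpoint at least `threshold` times.
    A person logs in once or twice; a password-guessing script keeps posting.
    The threshold is an assumption; tune it to your own traffic."""
    posts = Counter()
    for r in parse(lines):
        if r["method"] == "POST" and classify(r["path"]) in LOGIN_VECTORS:
            posts[r["ip"]] += 1
    return sorted(ip for ip, n in posts.items() if n >= threshold)


if __name__ == "__main__":
    for label, clients in inventory(SAMPLE_LOG).items():
        print(label, dict(clients))
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

Point it at your real access log and the inventory tells you which of your doors are actually being tried and from where; every vector that shows traffic you do not recognise is a candidate for an IP allowlist, a second factor, or removal. FTP, SFTP, SSH and the hosting panel have their own logs and need the same treatment.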


Updating Permalinks in Ghost

Published in Security on December 8, 2014

When I think about blogging, there is perhaps no more important feature or concern than the impact on SEO. It’s perhaps one of the biggest concerns many will experience when migrating to the Ghost blogging platform.

I recently migrated my personal blogs to this platform and share some insights into the installation process in case you want to give it a go.

As you might expect, it’s had its ups and downs, much like when I first got started with WordPress. Needless to say, I’ve been making my way through it over the past few days. I’ve learned a number of things, and one such thing pertains to permalinks.


Install Ghost .5 on CentOS 7 w/NGINX

Published in Security on December 6, 2014

I recently wrote of the migration from WordPress to Ghost. In this post I want to share with you the installation workflow I used. I plan to go cradle to grave through the process.

I’ve tested it a number of times, and it works every time, so even if you’re a novice you should be able to get it going. Just follow the steps:

Assumption: You have a clean install of CentOS 7.0. For my scenario I’m using a droplet from DigitalOcean. What’s really awesome is that DigitalOcean actually provides a preconfigured droplet for those that want to leverage Ghost. I believe it’s built on Ubuntu. I personally prefer CentOS.


Ghost: Blogging For The Future

Published in Security on December 5, 2014

It’s only been recently that I have come to the realization that I fit into the blogger category. In doing so, I have started to place more emphasis on the technologies I’m employing to get my work done.

Ghost: Just a Blogging Platform

For the better part of 5 years I have been an adamant WordPress user. Not sure if you would say I was a power user, but I definitely employed it in my day to day activities, whether at work or at home. In that time frame I have witnessed the evolution of the platform.


Website Security and Auto-Updates

Published in Security on November 27, 2014

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new; it’s been around for a while. It’s all the rage as of late when we talk about websites. It only makes sense: if you know that the weakest link in the chain is the end user (who for whatever reason is unable to update), then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

  1. Does little against unknowns
  2. Introduces an unmanageable access point
  3. Goes against best practices
  4. Requires the application to write to itself
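The fourth challenge is one you can measure on your own server. An application can only update itself if the account the web server runs as is able to rewrite the application’s own files, which is the opposite of what least privilege asks for. The example below is added here and is not from the original post: it walks a web root and lists every file and directory a given account could modify, skipping directories that legitimately need to be writable. The WordPress-like tree, its modes, the allowlist and uid/gid 33 for the web server account are all assumptions for the demo.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """POSIX discretionary write check for an account with `uid` and group
    set `gids` against an os.stat_result. Only the mode bits are consulted:
    ACLs, the immutable flag and SELinux/AppArmor are out of scope here."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_paths(root, uid, gids, allow=()):
    """Relative paths under `root` the account could modify. Writable
    directories count too: the account can drop new files into them.
    Subtrees listed in `allow` (e.g. an uploads directory) are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        dirnames[:] = [d for d in dirnames
                       if os.path.join(rel_dir, d) not in allow]
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link
            if can_write(st, uid, gids):
                found.append(os.path.join(rel_dir, name))
    return sorted(found)


# Constructed WordPress-like tree for the demo (assumed layout). Modes are
# set explicitly so the result does not depend on the umask of whoever runs this.
DEMO_TREE = {
    "index.php": 0o644,
    "wp-config.php": 0o640,
    "wp-includes": 0o755,
    "wp-includes/version.php": 0o644,
    "wp-content": 0o755,
    "wp-content/plugins": 0o777,           # the classic "chmod 777 so updates work"
    "wp-content/plugins/hello.php": 0o644,
    "wp-content/uploads": 0o777,           # writable on purpose, allowlisted below
    "wp-content/uploads/logo.png": 0o666,
}


def build_demo_tree(root):
    """Create the constructed tree under `root`; entries with an extension are files."""
    for rel, mode in DEMO_TREE.items():
        path = os.path.join(root, rel)
        if os.path.splitext(rel)[1]:
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)


def demo(uid=33, gids=frozenset({33})):
    """Audit the constructed tree as an assumed web server account
    (uid/gid 33 is www-data on Debian-derived systems)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return writable_paths(root, uid, gids, allow=("wp-content/uploads",))


if __name__ == "__main__":
    for p in demo():
        print("writable by the web server account:", p)
```

Run it against a real web root with the uid and gid your web server actually runs as and compare the output with your allowlist. Anything outside the allowlist is a place where an attacker who gains code execution in the application, or the auto-updater itself, can rewrite code; and a writable directory counts even when the files inside it are read-only, because the account can create new files there.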


How Hosts Manage Your Website Security

Published in Security on November 7, 2014

Hosts are concerned with the security of their infrastructure, not with your website.

This is a distinction that most website owners fail to make, and it’s made more evident to me every day. This same misunderstanding puts hosts in a precarious situation where clients expect security and, to some extent, get it, but on the other hand it’s not the type that matters nor will it address today’s challenges. This is all compounded by the economics that drive the hosting ecosystem.

I should clarify, however, that this is not a blanket statement for all hosts. But for the majority of today’s shared hosts that deal specifically with end-user websites, it’s very much the case.


Website Security is about Passwords?

Published in Security on October 30, 2014

Perhaps the thing that annoys me the most when I hear security being shared with end users is when they get the information wrong or overemphasize things they don’t understand or can’t support. This is the problem with the way we communicate, especially in the WordPress community. It’s applicable to all communities though, regardless of platform.

To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.

It All Lies Within the World of Passwords

Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game).


How We Think About Website Security

Published in Security on October 30, 2014

I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.

WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.

WordCamp Central

As I sat there and listened to the various accomplishments the platform had achieved, one common theme continued to pop into my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis: it’s the biggest vulnerability every website and CMS faces, its users.


WordCamp Europe 2014: WordPress Security Starts With Posture

Published in Security on October 16, 2014

Recently I spoke at WordCamp Europe 2014 on the topic WordPress Security: It Starts With Posture. The threats website owners face today range in scale and complexity, from large DDoS attacks leveraging WordPress core functionality to vulnerabilities found in some of the largest plugins in the ecosystem.

The Security dilemma is not shrinking, it’s getting bigger.

Today more than ever, it’s important we take the time to educate and bring awareness to the things everyday website owners can do to improve their overall security posture.

Web security is not a turn of a knob, or click of an option, it’s about state of mind — it’s about good posture.

Check out the video of my presentation:

Watch The Video


Accounting for Security in Website Projects

Published in Security on October 5, 2014

Many know very little about me or my past, what I used to do; most just know me for my time in security. There was a time, though, that I spent as a Project / Program Manager for a couple of different organizations. I even dabbled in a WordPress-centric design / development shop called CubicTwo in early 2010.

The scale of the projects and programs I was involved in ranged from $50,000 to over $6,000,000 (multiple at any given time) and varied in complexity (these weren’t simple websites, they were enterprise-level systems). While different in size and scale, they did hold similarities to what most website projects today look like, just at a very different level. I fortunately had the luxury that my stakeholders didn’t require any education on the importance of security; being municipalities or government entities, the security discussion was a lot easier.

This, however, is not the case for everyday website projects, and it’s worth taking some time to discuss.


What’s wrong with your pa$$w0rd?

Published in Security on September 5, 2014

The discussion on access control seems to be commonplace these days with the latest news revelations. I found this video on some research Lorrie Faith Cranor is doing on the subject very interesting and insightful.


Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMS’s

Published in Security on August 17, 2014

In my recent post talking about the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject: yes, updates are very important.

My previous statements were specific to the importance level of updates, and were designed to foster a very different type of conversation than the one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuances or philosophical arguments that occur at the higher echelons of a specific domain; their concern is what affects them right now.

For the everyday website owner, along with a variety of other best practices, you should be applying updates as they become available. This post is specific to you and your needs, and what you must understand about the world that is updates.


The Dilemma that is WordPress Security

Published in Security on August 9, 2014

The past few weeks, WordPress security has come to the forefront of the discussion again, as it does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions around WordPress security should change, and that sparked some interesting conversations.

He’s absolutely right, it should.

What many within the community fail to realize, however, is that the crux of the problem goes beyond access control and software vulnerabilities. The problem is the end user: the website owner, the grandma turned website owner, the full-time mommy turned SEO expert, and the message that is pushed from the top down through the various niches / cliques within the community.

The irony of it all is that it revolves around the concept that made WordPress so popular: its ease of use.


About Tony Perez

I've spent the better part of the past 15 years dabbling in various technical industries, and these days my focus is website security and business. This blog, regardless of topic, is a chronicle of my thoughts and life as I navigate those things that interest me the most.


Copyright © 2021 Tony Perez, PerezBox. All Rights Reserved