This article looks like it will be technical, but it won’t be. If you are a founder or investor in web-based software, and especially if you are using an outsourced development team, this two-minute security check is for you!
I want to show you two dead-simple online tests that will give you some insight into the security configuration of your website, and then explain how to use their results to communicate more effectively with your software development and operations teams. These are the same tools I use to get better outcomes from outsourced software development teams.
Online Web Server Security Tests
The two tests I want to show you check the configuration of your website or web application. One tool checks the HTTP response headers your web server sends to browsers; the other validates your TLS (SSL) certificate and checks that encrypted connections to your website follow current best practices. That sounds technical and heady, but stick with me; this is easy.
I want to avoid getting technical, so I’m not going to go into depth about what these tests look for or exactly what the results mean. Both tests return a letter grade and a color. A green “A+” means everything passed and looks good. A red “F” means the website failed the test. Grades of B, C, and D indicate progressively less attention to security configuration details. Both tests also provide useful technical detail that you can hand over to your development and operations teams.
So let’s say that you get a terrible score. What should you do? First, don’t panic. These tests hold web server configuration to a very high, best-practice standard. A low score usually means that some best-practice settings are missing, not that your website has been compromised. That said, you can do better, and it is often not hard to make a few configuration changes that bring the score up to an “A.” One of the reasons I find these tests so useful is that they are “spit and polish” level tests: if your team is skilled enough to ace them, they are likely doing other things right as well. The reverse also holds: failing them is a sign that you could benefit from a more rigorous security analysis. Contact me if you want help with this process.
Before my security expert friends call me out: passing these two tests does NOT mean that your website is fully secure! A good analogy is using the dipstick to check the oil in your car. You might have a service station responsible for maintaining your vehicle, but you can still take two minutes now and then to open the hood and check the oil level and color. Low oil tells you that you need service, but having the right amount of perfectly clean oil does not mean your entire vehicle is in perfect health; the oil check knows nothing about your low tire pressure. Likewise, these security tests are useful, but don’t let a high score give you a false sense of security, or a low score convince you that your website is wholly insecure.
Operations Team vs. Development Team
The tools we are using identify issues in your hosting infrastructure and, possibly, in how your development team has configured your application to run in production (security headers, for example, may be set by the web server or by the application code itself). If you get low scores, start by talking to the person, group, or company responsible for configuring your website’s hosting infrastructure. Setting up TLS (SSL) certificates and web server configuration often falls into the gray area between the work of developers and operations teams. Fixing these issues may force them to collaborate, which they need to learn to do anyway! (Many of the most sophisticated software companies are blending the development and operations functions into a single approach and mindset called “DevOps.”)
The vast majority of outsourced software development companies are great at creating software but are not specialists in configuring and running the software’s hosting environment. The hosting environment is the servers or containers that run your application, typically at cloud service providers such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, or Digital Ocean. I often advise my clients to hire a company specializing in managing cloud hosting infrastructure and operations. This operations team is in addition to your outsourced software development team. If you already have an operations team, talk to them about any low scores on these tests and ask them to explain why the score is low. (And then ask them to fix it!)
As I mentioned, there is a good chance that your software developers and your operations people will need to work together to solve these issues. Developers often don’t know much about setting up production hosting infrastructure, and operations people are usually not comfortable creating complex software. Collaboration is required to fix issues that fall into the gray area between these roles.
Regardless of your team’s size, share the tests with them, and have them identify and fix the problems. Don’t be surprised if they need to learn a few new things to bring their skills and awareness of these modern security standards up to date.
Communicating with Outsourced Development Teams
Providing clear, metric-based communications to your outsourced technical team is essential. I like to use tests to communicate security issues and to provide an easy way to validate remediation for the identified problems. In this case, expectations are pretty straightforward—you need to see a green “A.”