Businesses such as Worthwhile are in a constant battle known as security. This battle is fought on multiple fronts: physical, interactive, and technological. Physical security is fairly straightforward: we put locks on our doors, we password-protect our computers and email, and we keep regular backups of important data (usually multiple copies in more than one physical location).
Interactive security is a term I just made up on the spot, but it describes a process that we’ve had in place at Worthwhile for some time. I’m referring to our process of verifying that someone is who they say they are. For example, if a customer calls us and requests that we make some change to their account (reset an email or FTP password, add a new domain, change a DNS record), we go through a process to verify that the voice on the other end of the phone is authorized to request those changes. Like physical security, this is also fairly straightforward, because we can clearly define a set of guidelines to help us make the right decision.
But here comes the kicker: technological security (Dan Wooster would call this “securing our bits”). Unlike physical and interactive security, which only occasionally need adjusting, technological security is a constantly changing beast. Like any other company, Worthwhile takes a layered approach to technological security: firewalls, spam filters, VPNs, and so on. No one product can protect everything. In addition, like many companies, Worthwhile relies on countless lines of third-party code. We use popular content management systems such as Joomla and WordPress, as well as third-party and custom plug-ins to provide specific functionality. All of these products contain known and unknown bugs. So, what can one do about this? Here are a few things that I consider essential:
1. Search for known vulnerabilities. I recently found secwatch.org, which lets you search several vulnerability databases at once. This search helps you answer the question: “is this code known to be insecure?” If it is, it may be worth looking elsewhere for that functionality.
2. Personally perform a code review. Don’t simply download and install some WordPress plug-in that claims to add the best functionality since RSS feeds; review the code yourself to make sure the developer took reasonable steps to protect it from being exploited: request parameters are validated before use, database queries are built with prepared statements rather than string concatenation, output is escaped before it is echoed back to the browser, and state-changing handlers check that the caller is authorized.
3. Contract with a security professional to perform a penetration test. We recently went through this process to test the security of our network infrastructure. The analyst we contracted wasn’t able to get into our network, but he did make some recommendations for our ongoing security efforts.
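To make the code-review step in item 2 concrete, here is a small triage script, written for this post as an added example (it is not from the original post or from any real plug-in), that scans a WordPress plug-in's PHP source for the patterns a reviewer checks first: request input used without a sanitizer, SQL built by string interpolation instead of `$wpdb->prepare`, output echoed without an `esc_*` escaper, and handlers that read request input but never verify a nonce or capability. The embedded plug-in source is a constructed sample, with the same handler before and after review; the rule names and the `wt_` function names are our own, and the checks are line-based heuristics that trade precision for a fast first pass, not a substitute for reading the code.

```python
"""Static triage of a WordPress plug-in for common review findings.

Added example; constructed sample plug-in, not code from the original post.
The checks are deliberately simple regex heuristics: they point a reviewer
at the lines worth reading closely, they do not prove anything is safe.
"""
import re
from dataclasses import dataclass

# Patterns a reviewer looks for (all WordPress/PHP function names are real).
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
SANITIZERS = re.compile(r"\b(sanitize_\w+|absint|intval|wp_kses\w*|esc_\w+)\s*\(")
DB_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
PREPARE = re.compile(r"\$wpdb->prepare\s*\(")
# "$var" inside a double-quoted string, or ". $var" concatenation
INTERPOLATED = re.compile(r"(\"[^\"]*\$\w|\.\s*\$)")
OUTPUT = re.compile(r"\b(echo|print)\b[^;]*\$")
ESCAPERS = re.compile(r"\b(esc_html|esc_attr|esc_url|esc_js|esc_textarea|wp_kses\w*)\s*\(")
DANGEROUS = re.compile(r"\b(eval|system|exec|passthru|shell_exec|unserialize|create_function)\s*\(")
NONCE = re.compile(r"\b(wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")
CAPABILITY = re.compile(r"\bcurrent_user_can\s*\(")
FUNC_START = re.compile(r"\bfunction\s+(\w+)\s*\(")

# Constructed sample: the same AJAX handler before and after a review.
SAMPLE_PLUGIN = """\
<?php
/* Constructed sample plug-in, before review */
function wt_delete_note() {
    global $wpdb;
    $id = $_GET['id'];
    $wpdb->query("DELETE FROM {$wpdb->prefix}notes WHERE id = $id");
    echo "Deleted note " . $_GET['id'];
}
add_action('wp_ajax_wt_delete_note', 'wt_delete_note');

/* Same handler after review */
function wt_delete_note_fixed() {
    global $wpdb;
    check_ajax_referer('wt_delete_note');
    if (!current_user_can('edit_posts')) {
        wp_die('Not allowed');
    }
    $id = absint($_GET['id']);
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}notes WHERE id = %d", $id));
    echo esc_html("Deleted note " . $id);
}
"""


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # our own label for the pattern that matched
    text: str   # the offending line, stripped


def scan_lines(src: str) -> list[Finding]:
    """Per-line checks: each rule fires only when no mitigating call is on the same line."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        s = line.strip()
        if s.startswith(("//", "/*", "*")):   # skip comment lines
            continue
        if SUPERGLOBAL.search(line) and not SANITIZERS.search(line):
            findings.append(Finding(n, "unsanitized-input", s))
        if DB_CALL.search(line) and not PREPARE.search(line) and INTERPOLATED.search(line):
            findings.append(Finding(n, "sql-interpolation", s))
        if OUTPUT.search(line) and not ESCAPERS.search(line):
            findings.append(Finding(n, "unescaped-output", s))
        m = DANGEROUS.search(line)
        if m:
            findings.append(Finding(n, "dangerous-call:" + m.group(1), s))
    return findings


def _function_body(src: str, pos: int) -> str:
    """Return the brace-delimited body of the function whose header ends at pos."""
    start = src.index("{", pos)
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]   # unbalanced braces: scan to end of file


def scan_functions(src: str) -> list[str]:
    """Names of functions that read request input but never check a nonce or capability."""
    flagged = []
    for m in FUNC_START.finditer(src):
        body = _function_body(src, m.end())
        if SUPERGLOBAL.search(body) and not (NONCE.search(body) or CAPABILITY.search(body)):
            flagged.append(m.group(1))
    return flagged


def triage(src: str) -> dict:
    """Run both scans and return the findings for reporting or assertions."""
    return {"lines": scan_lines(src), "functions": scan_functions(src)}


if __name__ == "__main__":
    result = triage(SAMPLE_PLUGIN)
    for f in result["lines"]:
        print(f"line {f.line}: {f.rule}: {f.text}")
    for name in result["functions"]:
        print(f"function {name}: reads request input without a nonce or capability check")
```

On the sample, the script flags the unreviewed handler on three lines (raw `$_GET` on two of them, the interpolated `DELETE`, the unescaped `echo`) and names `wt_delete_note` as a handler with no authorization check, while the reviewed copy produces nothing. Run it against a real plug-in with `triage(open(path).read())`; expect false positives, and treat every hit as a line to read rather than a confirmed bug.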
I remember 5 or 6 years ago, there was a statistic that an unfirewalled Windows machine connected to the Internet could only last 30–60 seconds without being infected with some virus/worm/trojan. Luckily for us all, Microsoft has since been taking a more active role in helping to protect Windows users. However, as the maintainer of a complex network of different architectures and applications, I must take additional steps to ensure security in all forms.