Open-Source Security for Digital Marketers
BY Shikhar Negi
1 month ago

As a marketer, the primary task at hand is to undertake initiatives that increase the revenues of the organization. This involves a heavy dependency on digital technology, which if properly utilized can lead to huge gains. Unfortunately, even criminal elements are able to tap into the growing volume of data and transactions on the web, leading to an environment that is tricky to navigate through for continued business growth.

A report from the Centre for Strategic & International Studies (CSIS) estimates that cybercrime cost businesses $1 trillion worldwide in 2020 [1]. The need of the hour is thus to save this amount, as the damages inflicted are increasing day by day. The most publicized example of this was US retailer Target's $18.5 million customer data breach [2]. Curiously enough, attacks such as this one do not require a lot of strategy: data is simply taken from one place and moved elsewhere. This doesn't have to happen, especially now that a plethora of preemptive measures abound. A notification system that alerted when terabytes of data started leaving the servers could have prevented it.
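As an added illustration (not code from the original article), the following Python script shows what the alerting described above can look like in practice: it sums outbound bytes per source host over a sliding ten-minute window and raises an alert when a host crosses a volume threshold. The flow-log format, the host names, the 203.0.113.0/24 documentation addresses and the 20 GiB threshold are all constructed for this example.

```python
"""Added example, not part of the original article: a minimal egress-volume
monitor that alerts when an unusual amount of data starts leaving a host.
Log format, host names, addresses and threshold are all constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD_BYTES = 20 * 1024 ** 3  # 20 GiB leaving one host within WINDOW

# Constructed flow records, oldest first:
# "<ISO timestamp> <src_host> <dst_ip> <bytes_out>"
SAMPLE_FLOWS = """\
2024-01-01T02:00:00 web-01 203.0.113.10 1200
2024-01-01T02:00:30 web-01 203.0.113.10 800
2024-01-01T02:01:00 db-01 203.0.113.10 9000000000
2024-01-01T02:05:00 db-01 203.0.113.10 9000000000
2024-01-01T02:09:00 db-01 203.0.113.10 9000000000
2024-01-01T03:30:00 db-01 203.0.113.10 9000000000
"""


def parse_flow(line):
    """Split one record into (timestamp, src_host, dst_ip, bytes_out)."""
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)


def detect_bulk_egress(lines, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return one alert (timestamp, host, bytes_in_window) per threshold crossing.

    Records must be in time order. A host alerts once when its windowed total
    exceeds the threshold and can alert again only after the total has dropped
    back below it, so a sustained transfer does not flood the on-call queue.
    """
    history = defaultdict(deque)   # host -> deque of (timestamp, bytes)
    totals = defaultdict(int)      # host -> bytes inside the current window
    alerting = set()               # hosts currently above the threshold
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, _dst, nbytes = parse_flow(line)
        q = history[host]
        q.append((ts, nbytes))
        totals[host] += nbytes
        # Drop records that have aged out of the window.
        while q and ts - q[0][0] > window:
            _old_ts, old_bytes = q.popleft()
            totals[host] -= old_bytes
        if totals[host] > threshold:
            if host not in alerting:
                alerting.add(host)
                alerts.append((ts, host, totals[host]))
        else:
            alerting.discard(host)
    return alerts


if __name__ == "__main__":
    for ts, host, total in detect_bulk_egress(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {ts.isoformat()} {host} sent {total / 1024 ** 3:.1f} GiB within {WINDOW}")
```

With the constructed records, db-01 crosses 20 GiB at 02:09 and produces a single alert; its later transfer at 03:30 falls outside the window and stays below the threshold. In a real deployment the threshold would be tuned per host role (a backup server legitimately moves more data than a web node) and the records would come from NetFlow, VPC flow logs or a firewall export rather than an embedded string.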

  1. Security-First Culture

It is thus imperative to build a culture of security at your business to prevent events like these. Culture is not built in a day; it is the result of a continuous development approach. Building a truly security-first culture means going beyond compliance to assess risks. It is not about waiting for the end of a project to assess; rather, security is taken seriously from the very beginning. As an agile process, everyone involved must be part of improving, watching out, and then automating. Some things that need to be considered are:

  • Proactive & collaborative approach
    There are stakeholders apart from your team as well, both internal and external. They know their regulatory needs, so getting them actively involved is a good idea.
  • Layered defense
    Apart from your Drupal site, all-round protection is required as well. This means everything in the development process, including the hosting environment, CDN, firewalls, and others.
  • Architecture reviews
    The overall information architecture should be subject to constant review to ensure there is no data leakage from informational flows.
  • Code reviews
    Similarly, code reviews are needed to prevent substandard code from getting in, as it may pose a risk to the software development lifecycle.
  • Automated testing
    Manual regression may not be efficient every time, but if testing is automated, critical functionality can trigger the test process and prevent damage.
  • Continuous improvements
    This is necessary to make sure that changes made to code are auto-deployed to the test environment/final environment and enhance optimization.
  • Security audits
    These can be basic or thorough, and the right tools can take care of any issues during the deployment stage.
  • Documentation
    It need not be overly verbose, but rather written in a way that is impactful and meaningful enough for the team to want to read it.

The next step is to create a Security team that should be charged with updating policies, making recommendations, assessing security releases for mitigations, and helping automate security processes.

  2. Security Team

Anyone from actual security professionals to developers can be onboarded to make policies and recommendations, assess systems, applications and websites, and help to automate things in general.

While you build your own, the Drupal Security Team can be your point of reference. They are a very helpful bunch who are more engaging than some of the others in larger open source communities. Some of the items they cover and watch out for are:

  • Resolve reported security issues in Security Advisories
  • Provide assistance to contributed module maintainers in resolving security issues
  • Provide documentation on how to write secure code
  • Provide documentation on securing your site
  • Help the infrastructure team keep Drupal.org secure

Once you have these covered, you are on your journey to creating secure and efficient platforms for your business. Further on you will need a:

  3. Security Policy Checklist

Creating a policy helps elevate priority among your team. There is no single solution that does it all, as security is multilayered. Some of its essential components are:

  • Code linting 

This is part of the continuous integration process. Readable code matters from a development standpoint, and linting makes it harder for something rough, such as a security vulnerability, to slip into the process.

  • Virus & malware scanning 

Quite doable from a policy standpoint on computers, servers, and even Drupal sites. It sets up scanning for file uploads: if somebody uploads a file, it is good to have virus and malware scanning so that even unintentional risks are not passed on to your server.
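The following Python upload gate is an added example, not code from the article or from Drupal. It shows the three checks a practitioner would want in front of any file-upload scanner: an extension allowlist (which also rejects double extensions such as `report.php.png`), a magic-byte check that the content really is the type the name claims, and a scanner hook. The `DEMO_SIGNATURES` table and the `DEMO-MALWARE-TEST-PATTERN` string are constructed stand-ins so the block runs offline; the `clamdscan_scan` function is the production hook and assumes ClamAV's `clamdscan` is installed with `clamd` running.

```python
"""Added example, not part of the original article: vet an uploaded file
before it is written anywhere a web server could serve or execute it."""
import subprocess
from pathlib import PurePosixPath

# Allowed extension -> magic-byte prefixes the content must start with.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}

# Constructed demo signatures: a stand-in for a real AV signature database.
DEMO_SIGNATURES = {
    "Demo.TestPattern": b"DEMO-MALWARE-TEST-PATTERN",
}


def check_extension(filename):
    """Return (True, ext) for an allowlisted name, else (False, reason).

    Every suffix must be on the allowlist, so 'shell.php.png' is rejected:
    some server configurations act on the earlier suffix, not the last one.
    """
    suffixes = PurePosixPath(filename).suffixes
    if not suffixes:
        return False, "no extension"
    if any(s.lower() not in ALLOWED for s in suffixes):
        return False, f"extension not allowed: {''.join(suffixes)}"
    return True, suffixes[-1].lower()


def check_magic(ext, data):
    """True when the first bytes match one of the prefixes recorded for ext."""
    return any(data.startswith(magic) for magic in ALLOWED[ext])


def demo_scan(data):
    """Offline stand-in for an AV engine: name of the signature hit, or None."""
    for name, pattern in DEMO_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def clamdscan_scan(path):
    """Production hook (assumption: clamdscan installed, clamd running).

    clamdscan exits 0 for clean, 1 for a detection, 2 on error.
    """
    result = subprocess.run(
        ["clamdscan", "--no-summary", "--fdpass", path],
        capture_output=True, text=True,
    )
    if result.returncode == 0:
        return None
    if result.returncode == 1:
        return result.stdout.strip()
    raise RuntimeError(f"clamdscan failed: {result.stderr.strip()}")


def vet_upload(filename, data, scanner=demo_scan):
    """Return ('accepted', ext), ('rejected', reason) or ('quarantined', hit)."""
    ok, info = check_extension(filename)
    if not ok:
        return "rejected", info
    ext = info
    if not check_magic(ext, data):
        return "rejected", f"content does not look like {ext}"
    hit = scanner(data)
    if hit:
        return "quarantined", hit
    return "accepted", ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(vet_upload("photo.png", png))
    print(vet_upload("shell.php.png", png))
    print(vet_upload("doc.pdf", b"%PDF-1.4 DEMO-MALWARE-TEST-PATTERN"))
```

The order matters: cheap name and content checks run first so the scanner only sees files that are plausible to begin with, and a scanner hit quarantines rather than silently drops, so the incident response process (see the checklist below) has something to examine. On a Drupal site the same logic belongs in a file validation hook that runs before the file is moved out of the temporary directory.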

  • Code library & version checks

Code library version checks may cover modules in Drupal or plug-ins in WordPress, as well as PHP libraries, JavaScript libraries, etc. Hence, making sure to check for versions that need updates is very important.
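Composer's own `composer audit` and Drush's `drush pm:security` perform this check against live advisory feeds for PHP projects; the Python block below is an added example (not the article's or either tool's code) that shows the comparison logic itself so it can run offline. The `composer.lock` excerpt and the `ADVISORIES` table, including every version number in them, are constructed placeholders and do not describe any real advisory.

```python
"""Added example, not part of the original article: flag locked package
versions that are older than the version an advisory says carries the fix.
The lock file excerpt and the advisory table are constructed."""
import json

# Constructed composer.lock excerpt (placeholder versions, not a real project).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.1.5"},
        {"name": "drupal/webform", "version": "6.1.3"},
        {"name": "symfony/http-kernel", "version": "v6.3.4"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.10"},
    ],
})

# Constructed advisory table: package -> first version that contains the fix.
# A real check would read 'composer audit --format=json' or the Drupal
# security advisory feed instead of a hard-coded dict.
ADVISORIES = {
    "drupal/webform": "6.2.0",
    "symfony/http-kernel": "6.3.5",
}


def parse_version(version):
    """Turn '10.1.5', 'v6.3.4' or '6.2.0-beta1' into a comparable (major, minor, patch).

    Pre-release suffixes are ignored, so '6.2.0-beta1' compares equal to
    '6.2.0'; treat that as 'at least re-check manually', not as 'fixed'.
    """
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def outdated_packages(lock_json, advisories):
    """Return [(name, locked_version, fixed_in)] for every package below its fix."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        fixed_in = advisories.get(pkg["name"])
        if fixed_in and parse_version(pkg["version"]) < parse_version(fixed_in):
            findings.append((pkg["name"], pkg["version"], fixed_in))
    return findings


if __name__ == "__main__":
    for name, locked, fixed_in in outdated_packages(COMPOSER_LOCK, ADVISORIES):
        print(f"UPDATE {name}: locked {locked}, fix available in {fixed_in}")
```

Both the regular and the dev package sets are examined, because a vulnerable dev-only dependency still runs on developer machines and in CI. Wiring a check like this into the continuous integration job mentioned under code linting turns "remember to check for updates" into a build that fails until the update is made.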

  • Passive and active scanning 

One often hears about security scans and the number of commercial tools out there. An active scan might probe for vulnerabilities such as different forms of injection or cross-site scripting. Passive checks instead look for signals of actual issues rather than for the vulnerabilities themselves, which is more effective.

  • Application & infrastructure updates

Not just the Drupal application but the infrastructure should also be kept properly updated. Partnering with a hosting company that takes care of that is great. If you host your own, updating is a must with open source.

  • Incident response plan

This is one of the processes that has a form tied to it. When something does happen, you don't want to wait to respond, so it is essential to have a plan that says who to call, how to document, and who to notify. This touches internal policies but also relates to regulatory requirements.

This three-part security approach is key to ensuring that your business keeps up with the rising challenges of cybersecurity. Which one does your organization find the most relevant?

 

[1] https://www.csis.org/analysis/hidden-costs-cybercrime

[2] https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031

