Open-Source Security for Digital Marketers

Shikhar Negi | Updated 27 Jan 2022 | 4 min read

As a marketer, the primary task at hand is to undertake initiatives that increase the revenues of the organization. This involves a heavy dependency on digital technology, which if properly utilized can lead to huge gains. Unfortunately, even criminal elements are able to tap into the growing volume of data and transactions on the web, leading to an environment that is tricky to navigate through for continued business growth.

A report from the Centre for Strategic & International Studies(CSIS) estimates that.The need of the hour is thus, to save this amount, as the damages inflicted are increasing day by day. The most publicized example of this was US retailer Target's $18.5 million customer data breach [2]. Curiously enough, attacks such as this one and others as well, do not require a lot of strategies. Data is simply taken from a place and moved around. This doesn’t have to happen, especially when a plethora of preemptive measures abound now. Security could have prevented it by having a notification system that would have alerted when terabytes of data started leaving the servers.

Security-First Culture

It is thus imperative to build a culture of security at your business to prevent events like these. Culture is not built in one day but is rather a result of a continuous development approach. To build a truly Security-first culture means going beyond compliance to assess risks. It is not about waiting for the end of a project to assess, rather taking security seriously from the very beginning. As an agile process, everyone involved must be part of improving, watching out and then automating. Some things that need to be considered are:

Proactive collaborative approach
There are stakeholders apart from your team as well., both internal and external. They know their regulatory needs, so getting them actively involved is a good idea
Layered defense
Apart from your Drupal site, all round protection is required as well. This means everything including the hosting environment, CDN, firewalls, and others in the development process.
Architecture reviews
The overall information architecture should be subject to constant reviews for ensuring there is no data leakage from informational flows.
Code reviews
Similarly, code reviews are also needed to prevent substandard code from getting inside. This may pose a risk to the software development lifecycle.
Automated testing
Manual regression may not be efficient every time but if automated, critical functioning can trigger the testing process which can prevent damages.
Continuous improvements
This is necessary to make sure that changes made to code are auto deployed to test environment/final environment and enhance optimization.
Security audits
These can be basic or thorough, and the right tools can take care of any issues during the deployment stage
Documentation
Need not be overly verbose but rather in a way that is impactful and meaningful for the team to be able to want to read it

The next step is to create a Security team, that should be charged with updating policies, making recommendations, sessing security releases for mitigations, and helping automate security processes.

Security Team

Anything from actual security professionals, to developers, can be onboarded to make policies, recommendations, assessing systems, applications, websites, and helping to automate things in general.

Drupal Security Team can be your point of reference. They are a very helpful bunch who are more engaging than some of the others in larger open source communities. Some of the items they cover and watch out for are :

Resolve reported security issues in Security Advisories
Provide assistance or contributed module maintainers in resolving security issues
Provide documentation on how to write secure code
Provide documentation on securing your site
Help infrastructure to keep Drupal.org secure

Once you have these covered, you are on your journey to create secure and efficient platforms for your business. Further on you will need

Security Policy Checklist

Creating a policy helps elevate priority among your team. There is no single solution that does it all, as security is a multilayered thing. Some of its essential components are:

Code linting

This is a part of a continuous integration process. It is important to have readable code from a development standpoint. What it does is that it makes it hard to not let something slip into the process that could be rough, when it comes to having a security vulnerability.

Virus malware Scanning

Quite doable from a policy standpoint via computers, servers, and even drupal sites. It sets up scanning for file uploads, so if somebody uploads a file it's good to have virus malware scanning, to prevent even unintentional risks from being passed onto your server.

Code Library Version Checks

Checking for code library version checks could be modules in Drupal or plug-ins in WordPress. There are also PHP libraries, Javascript libraries, etc. Hence, making sure to check for versions that need updates is very important.

Passive and Active Scanning

One often hears about security scans and the number of commercial tools out there. An active one might check for some vulnerabilities like different forms of injection, or cross-site scripting. Those are checks that look for signals instead of vulnerabilities for actual issues, which is more effective.

Application Infrastructure Updates

Not just the Drupal application but infrastructure should also be properly updated. Partnering with a hosting company that takes care of that is great. If you host your own, updating is a must for open source.

Incident Response Plan

This is one of the processes, which has a form tied to this. For when something does happen, you don't want to wait to respond, and for that, it's essential to have a plan to see who to call, how to document, who to notify. This gets into internal policies but also relates to regulatory requirements.

This 3-factor security approach is key for ensuring that your business keeps up with the rising challenges of cybersecurity. Which one does your organization find the most relevant?