Security is Next to Godliness

May 1, 2010

I’ve been trying to write more about Web development security lately, in part because I’m going to be writing an “E-Commerce with PHP and MySQL” book this summer, so security is at the top of my mind. [intlink id=”1009″ type=”post”]In a previous post[/intlink], I made some suggestions as to how one develops and tests a site from a security perspective. Here I want to cover security as a general philosophy, so you understand that approach I take (and, therefore, the approach I would recommend you take). When I explain things, I think in terms of analogies. I’m pretty sure they don’t always work or help, but still, it’s what I do. And the analogy I have for Web site (or application) security is: Security is Next to Godliness. Which is to say, think of security the way you might think about cleanliness.Say you go to eat at a restaurant…the restaurant may or may not look clean and it may or may not be clean. But if the restaurant doesn’t look clean, then it probably isn’t actually clean and you don’t want to eat there. The same goes for a Web site’s security: if it doesn’t give the appearance of being secure, it probably isn’t secure, and users won’t want to use the site (or shouldn’t). A Web site can look secure by looking professional, giving proper error messages, and by not looking obviously unsecure. This last quality is really the most important, as the common person may not really know the difference between a secure looking and unsecure looking site. But if they go to a site and get alerts from their browser due to a lack of a good certificate, or whatever, that’s like seeing a rodent go across the restaurant floor.

The second part of this analogy is that while it’s important for a restaurant to look clean (so people will eat there), it’s more important that it’s actually clean (so that diner’s don’t get sick, so that the inspector doesn’t shut you down, etc.). And so your Web site must actually be secure, so that nothing bad can happen to the users, your clients, the Easter bunny, and so forth.

The final reason I think this analogy works is that like security, like cleanliness, isn’t an absolute and the amount of effort you put into it should depend upon the situation. Your front porch doesn’t need to be that clean, but your bathrooms and kitchens sure do. And maybe you’re the kind of person that would thoroughly clean monthly, weekly, or daily. Maybe you’re the kind that will take cleaning to the disinfecting level. There’s no right answer in these situations: there’s better and there’s worse and there’s what’s right for you and your situation. The same goes for security. A site that handles no money has one level of security requirements; a site that performs online banking has a totally different level. Most importantly, just because you cleaned today, doesn’t mean your place will stay clean forever. And the Web site or application you ship today without any issues could become vulnerable tomorrow (most likely because of a found concern with underlying software or third-party applications).

So there’s my simple, yet overly-described, analogy for Web site or application security. Hopefully it’ll help you in the way you think about your Web site (or the next meal out!).