
Security is hard. We all know that. But there is a lot of low-hanging fruit that you can pick with a little bit of effort. A lot of people ignore even the low-hanging ones. I am not an expert, but I have a list that I try to follow at the very least:

- Don't store any sensitive data on your servers unless you absolutely need to. For example, do you really need to store the client's address? Maybe not. Think about that. The less the data, the less the risk of exposure.

- Never trust user input. Always sanitize.

- Passwords. Please use a one-way hash like bcrypt and be done with it. Don't implement your own and never ever do plain text.

- Offsite backups. Don't store backups on the same server.

- Learn how to harden your server like adding firewalls, basic security checks using things like iptables/fail2ban etc. Basically, try to keep the bad guys out as much as possible.

- Check what ports are open on the server. Again, this is related to the previous point, but don't expose any port that you don't need to. Remember the recent MongoDB debacle. Check that things are only running on localhost and not exposed to the outside world.

- Encourage your users to use secure passwords. Don't make up stupid rules like "must have a number". Instead, check if the password is secure enough and then let them save it.

- For ssh access to the server, turn root access off. Create a specific user to handle things. Make ssh key-based authentication only and not password-based.

- Subscribe to tech forums where you can keep an eye on the latest security vulnerabilities and act on them as needed. HN saves me so much time keeping an eye on what is blowing up around the tech world.

- Of course, use SSL everywhere. Letsencrypt makes it easy. Don't be too lazy. Just install the damn SSL.

- Be careful of "social engineering". Your system may be very secure, but it just takes one badly trained customer service rep or email to hack into your system. If someone requests any client access, check their credentials to confirm who they really are. Don't just respond to an email because it seems to come from your client.

- Finally, take a chill pill and don't lose too much sleep. Every system is prone to security issues, so as long as you are doing the important things, you should generally be OK unless you are specifically the target, which usually is not the case.
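As an added example (not code from the commenter), here is a small audit script for two of the items above: it flags an sshd_config that still permits root or password logins, and lists sockets from `ss -lnt`-style output that are bound to something other than loopback. The sample config and socket table are constructed inline, so nothing touches a live host.

```python
"""Audit sshd_config directives and listening sockets against the checklist
above. SAMPLE_SSHD and SAMPLE_SS are constructed inputs, not real hosts."""
import re

# sshd_config values the post recommends: no root login, keys only.
SSHD_EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
# OpenSSH defaults that apply when the directive is absent or commented out.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}

def audit_sshd_config(text):
    """Return findings for directives that are missing or weaker than wanted.
    Only the first occurrence of a directive counts, as sshd itself does."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = seen.get(key, SSHD_DEFAULTS[key])
        if got != want:
            findings.append(f"{key}={got} (want {want})")
    return findings

LOOPBACK_PREFIXES = ("127.", "[::1]")

def exposed_listeners(ss_output):
    """Parse 'ss -lnt' lines; return (port, address) for LISTEN sockets not
    bound to loopback, i.e. reachable from outside the box."""
    exposed = []
    for line in ss_output.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")    # "[::]:80" -> "[::]", "80"
        if not addr.startswith(LOOPBACK_PREFIXES):
            exposed.append((int(port), addr))
    return exposed

SAMPLE_SSHD = "PermitRootLogin yes\n# PasswordAuthentication no\nPort 22\n"
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128          0.0.0.0:27017     0.0.0.0:*
LISTEN 0      128             [::]:80        [::]:*
"""
```

On the sample, the MongoDB port 27017 shows up alongside 22 and 80 as exposed, while the database on 5432 stays local; the commented-out PasswordAuthentication line is reported because sshd falls back to its default of yes.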



> We all know that

I disagree. I think a LOT of developers are quite arrogant when it comes to security: "how hard can it be?"

Have a look at some of the answers to this reddit question.

https://www.reddit.com/r/ruby/comments/5wp0rh/how_to_approac...



