A fellow Rodinhooder had an unpleasant experience dealing with web security a few days back. The confusion surrounding the event prompted me to write this post.
Link to the original post: Click Here
1. Hacking is Not What It Sounds Like
No, hacking does not always mean a 20-year-old bespectacled geek entering your server through a back door on a Matrix-like laptop screen. What gets reported as hacking is usually not a break-in at all; more often it is someone walking through a hole the site left open. Let me explain:
A prominent educational institute publishes its exam results online. To check your result you enter your roll number and press enter. A person was able to extract the results of everyone who appeared for the exam and posted them in a spreadsheet online. Is this hacking? No. He simply wrote a small program that tried every possible roll number in turn, requested each result and saved the responses. Writing such a program isn't difficult.
He didn't hack into the system. He simply exploited a lame-ass vulnerability left behind by the incompetent developers: the roll number was the only thing needed to read a record, and nothing limited how many records one client could pull. A simple captcha ('enter the letters you see in the image', remember?) would have raised the cost of this attack. Going further, requiring a second piece of information only the student knows (a date of birth, say) and throttling repeated requests from one client would have stopped the bulk download outright, captcha or not.
So, what is my point? More often than not, "hacking" means exploiting a simple vulnerability left behind by your web developer.
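The results-page enumeration above, simulated end to end, as an added example that is not part of the original post and not the institute's actual code. The "server" is an in-memory dictionary and the "requests" are function calls, so it runs offline; the student records, dates of birth and client IP addresses are all constructed. The vulnerable lookup hands out a result for any roll number; the hardened version checks the input format on the server (browser-side checks are skipped by anyone who calls the endpoint directly), demands a second secret, and throttles repeated attempts per client.

```python
import re
import time
from collections import defaultdict

# Constructed sample data (not real students): 20 roll numbers and their results.
RESULTS = {f"2013{n:03d}": {"name": f"Student {n}", "marks": 40 + (n * 7) % 60}
           for n in range(1, 21)}
# A second piece of information only the student should know (here: date of birth).
DOB = {roll: f"1995-01-{int(roll[-3:]):02d}" for roll in RESULTS}

ROLL_RE = re.compile(r"^\d{7}$")  # roll numbers are exactly seven digits


def vulnerable_lookup(roll_number):
    """The original design: the roll number alone unlocks a result."""
    return RESULTS.get(roll_number)


class HardenedResults:
    """Same service with three server-side defences:
    1. the input format is checked here, not only in browser-side JavaScript;
    2. the roll number must be paired with a second secret (DOB);
    3. each client IP gets a small number of attempts per time window.
    """

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable so the throttle is testable
        self._attempts = defaultdict(list)    # client_ip -> timestamps of recent attempts

    def _throttled(self, client_ip):
        now = self.clock()
        recent = [t for t in self._attempts[client_ip] if now - t < self.window]
        self._attempts[client_ip] = recent
        if len(recent) >= self.max_attempts:
            return True
        recent.append(now)
        return False

    def lookup(self, client_ip, roll_number, dob):
        if not ROLL_RE.match(roll_number):
            return {"error": "bad request"}
        if self._throttled(client_ip):
            return {"error": "too many attempts"}
        # One generic failure message: do not reveal whether the roll number exists.
        if dob is None or DOB.get(roll_number) != dob:
            return {"error": "not found"}
        return RESULTS[roll_number]


def enumerate_results(start=2013000, end=2013100):
    """The 'small program' from the post: walk the roll-number range, keep every hit."""
    found = {}
    for n in range(start, end + 1):
        result = vulnerable_lookup(str(n))
        if result is not None:
            found[str(n)] = result
    return found


def enumerate_hardened(service, client_ip="203.0.113.7", start=2013000, end=2013100):
    """Same scan against the hardened service; the attacker does not know any DOB."""
    found, throttled = {}, 0
    for n in range(start, end + 1):
        reply = service.lookup(client_ip, str(n), "1999-12-31")
        if reply.get("error") == "too many attempts":
            throttled += 1
        elif "error" not in reply:
            found[str(n)] = reply
    return found, throttled


if __name__ == "__main__":
    print("vulnerable endpoint leaked", len(enumerate_results()), "results")
    svc = HardenedResults()
    leaked, blocked = enumerate_hardened(svc)
    print("hardened endpoint leaked", len(leaked), "results;", blocked, "requests throttled")
    print("legitimate student:", svc.lookup("198.51.100.2", "2013003", DOB["2013003"]))
```

The per-IP throttle only raises the attacker's cost (a distributed scan spreads attempts over many addresses); the defence that actually stops the download is the second secret, which is why the hardened lookup refuses to say whether a roll number exists until the DOB matches.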
2. Do Not Use Custom-built Solutions
Do you really think that your custom-built content management or e-commerce solution, made by an Indian IT company whose website looks like it was made in 1995 in a Word document, is better than the likes of WordPress and Shopify?
WordPress and Shopify are made by some of the best tech companies in the world. They have engineering talent you can't find in the best and biggest tech companies of India. Some of their engineers get paid more than the turnover of the IT company you hired. These companies have deep pockets, and are using their best talent to make a product and polish and refine it year after year. Can your six-months-start-to-finish custom-made solution outdo them?
You: But these solutions don’t provide the flexibility and options I need
Me: In 9 out of 10 cases, they do. Your IT-service provider won't tell you that because he knows he can extort a lot more money out of you by building a stupid solution from scratch than by installing WordPress (which, by the way, takes 10 minutes). If you have the right people around you, they will tell you so. WordPress is used by companies like The New York Times, CNN, Forbes, eBay, and TechCrunch. They're bigger than you.
A well-maintained popular solution will handle 99% of the security issues for you, provided you apply its updates promptly and are picky about the plugins and themes you bolt on, since that is where most of the holes in such platforms turn up. Now if you keep your username as admin and your password as password, you really can't blame your solution for that. That's your 1% to work out.
Some of the best standard solutions:
- ECommerce: Shopify, Magento and WooCommerce
- CMS: WordPress and Joomla
- Support: Zendesk
- Social Network: Ning
- Forum: phpBB and vBulletin
3. Do It Yourself
If your code is of secondary importance to your business (e-com, online forum), and you are a non-technical person, you can hire developers (and work closely with them) to take care of this, while you focus on the core competence and your area of expertise.
If the code / technology is of primary importance (booking sites, blogs, web portals, social networks, web apps, mobile apps) you should do it yourself, and then build a team as things grow. If you don’t know how to code, learn it. If you think you don’t have the time to learn, you probably should have stuck with your job.
Three years back, I wanted to make an income tax e-filing portal. I was from the commerce stream, and had absolutely no knowledge of coding. Fortunately, I was 17 and didn't have any money, so I couldn't hire anyone. I taught myself coding, and in the first 3 months I made an MVP with my rudimentary knowledge. Disappointed, I tore it down and re-built it from scratch, taking another 9 months. As I learnt more about web development, I wanted to build it from scratch yet again, using superior technology. Fortunately, I didn't. I moved on to a different project.
I can say with certainty that had I hired someone else to build the portal for me, the end product wouldn’t have turned out half as good as the last iteration of the portal I had made with no prior knowledge of coding.
These IT companies don’t understand your vision, even if they do understand the architecture of your project (which I seriously doubt, though). You can pay them to build your project, but you can’t pay them to love it.
4. If You Are Building it From Scratch, Hire the Right People
You can't make your website hack-proof, or error-proof. What you can do is achieve a higher level of assurance by working with the right set of people, and writing secure, reliable and scalable code.
For a non-technical person, it can be very difficult to find developers who actually understand development. Good developers cost a fortune. There are freelancers out there who will work their arse off for $5 an hour, and then there are developers who know their shit and will charge over $300 an hour.
You: So, how to find the right company to handle your project?
Me: I have a few pointers on who to stay away from:
- Stay away from cheap and desperate freelancers
- Stay away from boutique IT companies
- Stay away from companies who use words like outsourcing, SEO, temporary staffing
- Stay away from companies with an ugly website (now that would probably rule out all Indian companies)
You: but who do I hire?
Me: I don’t know, really.
Sanjay Shenoy
Wonderful post Nishant,
You seem to have written it at the right moment, at least for me. I have a client who has a news website for which he paid a hell of a lot of money because the developers built it on a custom CMS, and I was like, wth, why didn't you build it on WordPress!? And there is nothing great about the website either; it sucks, actually. When I suggested migrating to WordPress, he thought I was trying to make money from him. Sometimes it's so difficult to convince some people about these things.
Vijay Khubchandani
Apt and precise. Very good post.
Nitish Mehta
Hi, nice view, but there is still much that needs to be included. A CMS or framework doesn't mean that your site can't be hacked; every day there are vulnerabilities being found in WP, Joomla, Magento etc., which we need to patch.
The foremost thing is validation: jQuery validation, SQL validation, HTML validation, server side, etc. This will show the strength of your website.
You should buy a good server; in simple terms, have upgraded servers.
And finally, web security is not a one-time thing. This, and its importance, should be understood by website owners. I have seen many people who don't care, and then after some days or months their website gets attacked, and then they blame the hacker.
And let me tell you that there are many good Indian IT companies; it's just that there are several bad ones too.
Nitish Mehta
WP has its limitations. If you are building a portal, it won't have high value if you build it on a CMS. About eBay: eBay owns Magento, so it is built on Magento.
Sanjay Shenoy
I am not saying WP is safe. I am saying, why go for a custom-built CMS when there is WordPress? I have seen sites built on WordPress being sold for millions, trust me.
Darshan Bhambiru
Nice 🙂 Concise and to the point; the rest is just a learning curve.
However, these points stick out like a sore thumb with reference to the inspirational post you pointed to, which seems to have been a case of a deal gone wrong on payment terms without any formal documentation, and maybe a few other factors known better to the participants. (This is how almost all startups, especially the ones without technical knowledge, start up and later learn and improve.) Now that's another story.
Great to know you as a technical person who understands finance too, who was learning to code at night and pursuing CA 🙂 This comes across as the first-hand experience of a freelancer now looking to set up a boutique company and make it big in the future.
Ethical hacking has its rightful place in the system as well, and there is a growing industry thriving on it. A lot of techno-consultants who now have a knowledge pool and are trying to nurture the upcoming generation of future engineers with this information would know the basics, where the latest entrants would never even know those parts to start with. There will always be some rotten apples, but that creates the demand for the white hats. The race is still on.
As you ended it, correctly 🙂
but who do I hire?
Me: I don’t know, really.
If you don't fit in, you are probably doing the right thing!!!
It is all a question of trust and trial; what suits becomes the norm.
Nishant Agrawal
Nobody said WordPress can’t be hacked. It’s just helluva lot more secure than your home built CMS
WordPress does handle server side validation for you, and so does a theme or plugin bought from a reliable vendor. That’s the best part.
Relying on client side validation (jQuery) is useless. It’s like leaving the key in the lock.
Nishant Agrawal
I am also not trying to undermine SEO as a profession.
I have already, sort of, started something of my own. I have done some consulting work in the past, but I don’t do it anymore. And I am not a freelancer looking to start a boutique IT company. I am more of a product-guy. I am not planning to move out of India anytime soon. Great companies can be built out of India too 🙂
Darshan Bhambiru
Nailing it down now!!!
Alok Kejriwal, a non-techie in technology from socks to mobile games, is the only example I can find to quote for this reason on this forum 🙂
Product or service: the debate continues.
Almost all top IT companies from outside India have more than 75% (a conservative figure) of their tech staff in the top posts from India or of Indian origin, so to say.
Also, they have now found it easier to set up shop in India to do the same work that was done outside it, so even if the company is not Indian by default, the work is coming from them the majority of the time, so you need to remove the bias now, I guess!!
Good Luck!!
Nishant Agrawal
Also, they have now found it easier to set up shop in India to do the same work that was done outside it, so even if the company is not Indian by default, the work is coming from them the majority of the time, so you need to remove the bias now, I guess!!
If Indian engineers were paid half as much as their Western counterparts, the Indian IT industry would fall apart.
This is why Indians dominate services, but not products.
Aparna
great post!! 😀 Thanks for taking time to put it down.
Aman Jha
Hi Nishant,
I regret that this is a public forum; I can't express my true feelings for you after reading this. The post could have been great had you ended it at point 2.
Now let's discuss points 3 & 4.
First of all, after reading the whole post, the smile I had on my face up to point 2 faded away. You sound like Bill Gates; the only difference is that Bill Gates is very humble.
What do you mean by point 3? Someone who is non-tech, using technology to facilitate his business, should first become an IT company, code and design the technology himself, and then go for his core business? If everyone started following this rule, there would be only IT companies with no clients, and you would be writing another post about how IT companies should hire each other. And if he can't learn coding and still wants to be in the tech business, your suggestion to him is "you probably should have stuck with your job." Great, I hope everyone gets a mentor like you.
And yes, IT companies don't understand the architecture of your project, your requirements... I wonder why these IT companies exist; only to loot naive entrepreneurs! But then you learnt coding for your project; I appreciate it, but what was the end result? You never launched it.
Point 4. You are talking like those people who blame the whole community for terrorism, not the terrorist. If one freelancer or IT company is incompetent, it doesn't mean the whole community is. For most of your "Stay Away" points, Darshan has answered appropriately. One last thing: I'd like you to check the percentage of Indian employees working in top positions in Silicon Valley. Many of them return to India and launch their own ventures here. So do you mean that if someone works at AT&T Labs for years and returns to India to start a company, even his company is ruled out according to your logic? Check out Mr. Hemant Nerurkar from http://www.mindcraft.in; I can give the names of 20-30 such people. You just can't insult the ability and achievements of Indian IT and non-tech entrepreneurs. I hope that if you are not Bill Gates, you are at least someone close to his level :p
Nishant Agrawal
Did you even read what I wrote?
And where the heck did Bill Gates come from? Can't you think of any other name? You remind me of my 12-year-old self, who somehow managed to bring Bill Gates into every conversation related to computers.
Aman Jha
I'd have used Vinod Dham's name, but then I thought you are too influential a personality to be compared with a small-time IT guy like Vinod Dham, so I named Bill Gates!
Nishant Agrawal
When you can’t come up with a logical, data-backed argument, attack the author, eh?
I am not completely sure what pissed you off so much, but I am guessing it's because your work is related to something I criticised in point #3.
Alok Rodinhood Kejriwal
BOSS, I’m GONNA TAKE CLASSES from you when you join later this month.
How about conducting this as sessions for therodinhoods.wpengine.com?!
Nishant Agrawal
Thanks for the flattering words 🙂
Will surely think about the session
Amar Saurabh
Hi Nishant,
Thanks for being pathetic! (pun intended)
What you said is like saying that since you are a Muslim, you ought to be a terrorist.
I don't think you even deserve a discussion with me or anyone else in this community. People are simply wasting their time trying to put some sense into your article.
Tanmoy Das
Great post Nishant !
I completely agree with you on the "do it yourself" part. I have seen that most of the CEOs and project managers of these so-called web development companies don't know a damn thing about coding. They just agree with anything the client wants just to get the project, without even knowing what the damn thing is that the client wants, and when they fail to deliver they start making up all sorts of lame excuses to hide their incompetence.