A fellow Rodinhooder had an unpleasant experience dealing with web security a few days back. The confusion surrounding the event prompted me to write this post.
Link to the original post: Click Here
1. Hacking is Not What It Sounds Like
No, hacking does not always mean a 20-year-old bespectacled geek breaking into your server through a back door while Matrix-style text scrolls down his laptop screen. Hacking is not the same as exploiting vulnerabilities. Let me explain:
A prominent educational institute publishes its exam results online. To check your result you need to enter your roll number and press enter. A person was able to extract the results of all the people who appeared for the exam, and posted them in a spreadsheet online. Is this hacking? No. He simply wrote a small computer program that tried every possible roll number in turn and saved each result. Writing such a program isn’t difficult.
He didn’t hack into the system. He simply exploited a lame-ass vulnerability left behind by the incompetent developers. Using a simple captcha (‘enter the letters you see in the image’, remember?) could have prevented this outcome.
So, what is my point? More often than not, hacking means exploiting a simple vulnerability left behind by your web developer.
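The results-page incident above is plain identifier enumeration, and it leaves an obvious trace in the server's access log: one client walking through consecutive roll numbers faster than any human would. The script below is an added example, not code from the original post or from the institute in question. It assumes a hypothetical results page that takes the roll number in a query parameter named roll, an access log in Common Log Format, and a constructed set of log lines; it flags any client that looks up more distinct roll numbers within a time window than a single student plausibly would, and notes whether the numbers were sequential. A captcha or a per-client rate limit is what stops the scraping; this kind of check is how you notice that it happened.

```python
"""Detect roll-number enumeration in web server access logs.

Added example, not part of the original post. Assumes a hypothetical
results page taking the roll number as the query parameter 'roll' and
an access log in Common Log Format. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log: 203.0.113.7 walks sequential roll numbers,
# the other two clients each look up a single result.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2014:10:00:01 +0530] "GET /results?roll=100001 HTTP/1.1" 200 812
203.0.113.7 - - [14/Jun/2014:10:00:01 +0530] "GET /results?roll=100002 HTTP/1.1" 200 809
203.0.113.7 - - [14/Jun/2014:10:00:02 +0530] "GET /results?roll=100003 HTTP/1.1" 200 815
203.0.113.7 - - [14/Jun/2014:10:00:02 +0530] "GET /results?roll=100004 HTTP/1.1" 200 811
203.0.113.7 - - [14/Jun/2014:10:00:03 +0530] "GET /results?roll=100005 HTTP/1.1" 200 810
203.0.113.7 - - [14/Jun/2014:10:00:03 +0530] "GET /results?roll=100006 HTTP/1.1" 200 813
198.51.100.23 - - [14/Jun/2014:10:00:05 +0530] "GET /results?roll=100042 HTTP/1.1" 200 814
198.51.100.23 - - [14/Jun/2014:10:00:09 +0530] "GET /results?roll=100042 HTTP/1.1" 200 814
192.0.2.88 - - [14/Jun/2014:10:00:11 +0530] "GET /results?roll=100517 HTTP/1.1" 200 808
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Return (client_ip, timestamp, roll_number) for each results lookup."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        roll = parse_qs(urlparse(m["path"]).query).get("roll", [None])[0]
        if roll is None:
            continue  # not a results lookup
        events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), roll))
    return events


def find_enumerators(text, window=timedelta(seconds=60), max_distinct=5):
    """Flag clients that query >= max_distinct different roll numbers
    inside any sliding window of the given length.

    Returns {ip: {"distinct_rolls": peak_count, "sequential": bool}}.
    Re-checking the same roll number repeatedly does not count against
    a client; only distinct identifiers do.
    """
    by_ip = defaultdict(list)
    for ip, ts, roll in parse_log(text):
        by_ip[ip].append((ts, roll))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # advance the window start until it is within `window` of `end`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in hits[start:end + 1]}))
        if peak >= max_distinct:
            rolls = [int(r) for _, r in hits if r.isdigit()]
            sequential = len(rolls) > 1 and all(
                b - a == 1 for a, b in zip(rolls, rolls[1:])
            )
            flagged[ip] = {"distinct_rolls": peak, "sequential": sequential}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_rolls']} distinct roll numbers, "
              f"sequential={info['sequential']}")
```

Run against the constructed log, only 203.0.113.7 is reported (six distinct, strictly sequential roll numbers within a few seconds); the student who refreshed the same result twice is not, because the count is over distinct identifiers rather than raw requests. The threshold and window are the knobs to tune against your own traffic.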
2. Do Not Use Custom-built Solutions
Do you really think that your custom-built content management or e-commerce solution, made by an Indian IT company whose website looks like it was made in 1995 in a Word document, is better than the likes of WordPress and Shopify?
WordPress and Shopify are made by some of the best tech companies in the world. They have engineering talent you can’t find in the best and biggest tech companies of India. Some of their engineers get paid more than the turnover of the IT company you hired. These companies have deep pockets, and are using their best talent to make a product, and polish, and refine it year after year. Can your 6-months-start-to-finish custom made solution outdo them?
You: But these solutions don’t provide the flexibility and options I need
Me: In 9 out of 10 cases, they do. Your IT service provider won’t tell you that because he knows that he can extort a lot more money out of you by making a stupid solution from scratch than by implementing WordPress (which, by the way, takes 10 minutes). If you have the right people around you, they will tell you so. WordPress is used by companies like The New York Times, CNN, Forbes, eBay, and TechCrunch. They’re bigger than you.
A popular solution will handle 99% of the security issues for you. Now if you keep your username as admin and password as password, you really can’t blame your solution for that. That’s your 1% to work out.
Some of the best standard solutions:
- ECommerce: Shopify, Magento and WooCommerce
- CMS: WordPress and Joomla
- Support: Zendesk
- Social Network: Ning
- Forum: phpBB and vBulletin
3. Do It Yourself
If your code is of secondary importance to your business (e-com, online forum), and you are a non-technical person, you can hire developers (and work closely with them) to take care of this, while you focus on the core competence and your area of expertise.
If the code / technology is of primary importance (booking sites, blogs, web portals, social networks, web apps, mobile apps) you should do it yourself, and then build a team as things grow. If you don’t know how to code, learn it. If you think you don’t have the time to learn, you probably should have stuck with your job.
Three years back, I wanted to make an income tax e-filing portal. I was from the commerce stream, and had absolutely no knowledge of coding. Fortunately, I was 17 and didn’t have any money, so I couldn’t hire anyone. I taught myself coding, and in the first 3 months, I made an MVP with my rudimentary knowledge. Disappointed, I tore it down, and re-built it from scratch, taking another 9 months. As I learnt more about web development, I wanted to again build it from scratch, using superior technology. Fortunately, I didn’t. I moved on to a different project.
I can say with certainty that had I hired someone else to build the portal for me, the end product wouldn’t have turned out half as good as the last iteration of the portal I had made with no prior knowledge of coding.
These IT companies don’t understand your vision, even if they do understand the architecture of your project (which I seriously doubt, though). You can pay them to build your project, but you can’t pay them to love it.
4. If You Are Building it From Scratch, Hire the Right People
You can’t make your website hack-proof, or error-proof. What you can do is achieve a higher level of assurance by working with the right set of people, and writing reliable and scalable code.
For a non-technical person, it can be very difficult to find developers who understand development. Good developers cost a fortune. There are freelancers out there who will work their arse off for $5 an hour, and then there are developers who know their shit and will charge over $300 an hour.
You: So, how do I find the right company to handle my project?
Me: I have a few pointers on who to stay away from:
- Stay away from cheap and desperate freelancers
- Stay away from boutique IT companies
- Stay away from companies who use words like outsourcing, SEO, temporary staffing
- Stay away from companies with an ugly website (now that would probably rule out all Indian companies)
You: But who do I hire?
Me: I don’t know, really.