1. Ask yourself, “Do we really need that data?”
When planning the features in your web application, think carefully about whether the data that you’re planning to collect is really necessary – especially if it’s sensitive. Sure, it’s nice to be able to send friendly, personalized emails to your customers – but will your database be more secure if you instead opt not to collect their name? Do you absolutely need their “friends list” when you connect your app to allow sign-in via Facebook? Think about what data you really will use, and collect only as much as you need. If you have to collect a great deal of personal data, be prepared to tell your customers about your security practices. They are voluntarily making their personal data vulnerable; reassure them that you are respecting that vulnerability.
2. Ask yourself, “Do we really need to save that data?”
If you must collect personal data, do you absolutely need to keep it? What data can be collected on a per-session basis and destroyed at the end of the session? What data can be captured in a more general form to make the individuals supplying it harder for hackers to identify (e.g. city and state data vs. street address)? Make sure that you are storing as little information as possible in the most secure ways.
3. Hire a development firm with solid security credentials
When selecting your web development firm, ask them about the standards they typically employ when securing a web site. They should be able to reference their preferred network / hardware-based security methods, software-based security practices, and the methods they use to encourage secure behavior on the part of the users.
4. Use a development environment that supports good security practices
Let’s face it: In today’s world, you have to work fast order to succeed – and it’s easy for speed to come at the expense of security. This is particularly true if your web development framework makes security cumbersome and slow. Choose a modern platform that includes security-related features out of the box. For example, Laravel 5 is a popular MVC framework for PHP that includes built-in security features out of the box, like the ability to prevent SQL injections and cross-site request forgeries – two common forms of attack.
5. Choose a web hosting service with good security practices
A secure web host is key. For example, what you do not want is a web host that sends your server’s login information to you via regular email, and requires you to upload files via unencrypted FTP! Your web development firm should be able to recommend a hosting company that provides the level of security you need. (Example: Amazon Web Services (AWS), a popular cloud host, has security features and tools that web developers can take advantage of when building web applications that store and manage sensitive data.)
6. Know the basics of databases and passwords
You should be hashing and salting authentication data. You should never store userid or password in a plain text form in your database. When your members create an account, do not send them a confirmation email that includes the password in plain text. For password resets, do not send plain text passwords to users. Block people after a certain number of unsuccessful login attempts. And something that’s often overlooked: Log and audit both successful and unsuccessful login attempts, to give you an early warning of attempted data breaches.
7. Build good security practices into your user interface
Ensure that your web application’s user-facing features are built with security from the ground up. For example, use standard password requirements. Validate email addresses upon account creation. Allow discrete control of which information is public and private, and set the default settings to maximize privacy. Where possible, allow your members to see the last signin date and device so they can tell when someone has accessed their account.
8. Invest in ongoing maintenance
Just like planes, trains and automobiles, web servers and applications need routine maintenance to operate smoothly and stay safe. Ask your web development company whether they have a qualified server administrator on board, and how they stay on top of security issues on an ongoing basis. Don’t shy away from hiring your web development company on retainer to update your servers’ operating systems and platforms with latest security patches: Web companies that provide ongoing maintenance contracts as a standard procedure are often proactive about addressing vulnerabilities.
9. Hire a white hat hacker
If you store sensitive data like social security numbers, credit cards, medical data or any information where a breach could cost your company big, ask someone to try and break it. A consulting agreement is a lot cheaper than making the evening news.