Website and software developers are constantly working against deadlines to meet launch dates and events. Under that pressure they are highly prone to making careless mistakes, and those mistakes can be costly. Negligence is only one part of the security problem: being negligent without knowing it, or failing to take corrective steps once the problem is known, can be just as damaging to the reputation and business of a website. This article deals with 6 careless mistakes that you should make sure your web developers do not make.
This is one of the most ridiculous ways to get hacked. Developers use simple, generic passwords across multiple websites and even reuse the same password for different functions of the same website. This means that someone attempting to brute-force or guess your passwords is almost certain to get lucky. Passwords like john123, adminpassword or password are such clichés that they are the first ones an attacker tries. A client we knew complained to us that their file management software was being compromised every single day and that malicious files were being uploaded. We realized that their developer was resetting the password to the same old one, “johndoe123”, which was being displayed on various hacker forums by some script kiddie who had got through to their backend. As more people tried out the same password, the account kept getting compromised.
Today there is so much pressure on developers to deliver elaborate and lavish projects that they compromise on an important aspect of programming, i.e. testing. Without testing, websites are made live and then patched on the go as flaws are discovered. This can be quite devastating and in fact can increase programming costs if any damage is done by attackers. It would be unethical, and arguably negligent, for developers to make a website live without testing it for security and stability. Often hundreds of bugs and vulnerabilities are discovered when a website or piece of software is put through testing and fault-finding systems.
Copy-pasting scripts such as menus, slideshow carousels, social media sharing tools and even video sharing widgets is a common cause of websites falling prey to attacks. When a flaw is discovered in any of these scripts, the news spreads like wildfire in the hacker community, and all the inquisitive ones will try to put their knowledge to the test. By simply doing a Google search for the script name, its comments or even the author details, they can quickly locate which websites use that script. If developers do use copied scripts and templates, they must do their own independent testing to ensure that there is no vulnerability which can be exploited.
Another careless thing a developer can do is to provide weak or no validation on their forms. Before the data of a form is passed to a program, a database or an email, some preliminary checks need to be done. Checks are needed to ensure that the form is not being used to retrieve data rather than send data to the database, and that it is not posting malicious information to corrupt or damage the database. All of us have come across simple form validation, such as verifying that an email address is in the proper format or that a phone number field contains only digits.
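The following is an added example, not code from the original article, of what that validation looks like when it is done on the server rather than only in the browser: the two checks the article names (email format, digits-only phone number) plus a parameterised insert so that form values reach the database as data, not as part of the query. The table name, field names and regular expressions are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed patterns for the two checks the article names: e-mail format
# and a digits-only phone field. They run on the server, because anything
# checked only in the browser is skipped when the form is posted directly.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^[0-9]{7,15}$")


def new_contacts_db():
    """In-memory SQLite database standing in for the site's real one (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, phone TEXT)")
    return conn


def validate_contact_form(fields):
    """Return a dict of field -> error message; an empty dict means the form is valid."""
    errors = {}
    name = (fields.get("name") or "").strip()
    email = (fields.get("email") or "").strip()
    phone = (fields.get("phone") or "").strip()
    if not 1 <= len(name) <= 80:
        errors["name"] = "name must be 1 to 80 characters"
    if not EMAIL_RE.match(email):
        errors["email"] = "e-mail address is not in a valid format"
    if not PHONE_RE.match(phone):
        errors["phone"] = "phone number must contain only digits"
    return errors


def save_contact(conn, fields):
    """Validate first, then insert with a parameterised query. Returns the error dict."""
    errors = validate_contact_form(fields)
    if errors:
        return errors
    # The '?' placeholders hand the values to the database driver as data, so a
    # quote or SQL keyword inside a field is stored verbatim instead of altering
    # the statement. Nothing is ever pasted into the query string.
    conn.execute(
        "INSERT INTO contacts (name, email, phone) VALUES (?, ?, ?)",
        (fields["name"].strip(), fields["email"].strip(), fields["phone"].strip()),
    )
    conn.commit()
    return {}


if __name__ == "__main__":
    db = new_contacts_db()
    print(save_contact(db, {"name": "O'Brien", "email": "ob@example.com", "phone": "5551234567"}))
    print(save_contact(db, {"name": "x", "email": "not-an-email", "phone": "555-1234"}))
```

The first call stores the name with its apostrophe intact; the second is rejected before any query runs.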
Focusing on functionality is one thing, but what about search-engine-friendly coding? Most developers today ignore SEO-friendly coding and simply do whatever is easiest to complete their project. While this can be helpful in the short term, by getting the website up and running, it should not be the way coders go about their work. Leaving search optimization for the end ensures that it never gets done.