Secure the environment

It amazes me that still in 2011, the standard way web designers upload code to a server is FTP ("File transfer protocol"), a protocol that is completely insecure, easy to snoop, slow, hard to use, and often problematic through firewalls. There are many better ways.

If your web site designer connects via FTP to your web server over a public wifi network (and how many designers do you know make a coffee shop their second home?) they're potentially revealing the password to your server to everybody else in that coffee shop! With your password, it's trivial to upload malicious code to your site to intercept your customer's credit card numbers, passwords, or whatever the attacker chooses to exploit. Or vandalize your web site, change text, embed viruses and spyware, do things that could lose you business. This has happened to sites as big as the Miami Dolphins NFL team, and huge numbers of smaller sites.

We don't even install FTP on our servers. You can't log into our servers with a password, either -- you need to have a special encryption key on your computer that is allowed to make a connection. That means even if you get my password, you still can't log onto our production servers.

That's just one way we keep our environment more secure than a typical web host. We're constantly keeping up with how attackers break into sites, what tools they use to find vulnerable sites (which are surprisingly easy to use) and how we can stay ahead of the attacks. Sooner or later, though, everybody online gets tested, and even the best laid defenses get breached. Read on for what's next.