This month, reading my usual tech news and newspapers, I realized that there were a lot of attacks and security issues to different companies, some of them very important. So, let’s talk about security!

Let see some examples

• Sony: The group whom did the attack said (and confirmed by Sony):
  “We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.”
• Gmail: “…Google has announced that Chinese hackers are at it again — this time, targeting Gmail account holders…”
• WordPress Repositories: “Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.”
• Citibank: “While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry’s data security measures.”

How is it possible that these really huge companies, have these kinds of serious problems? The answer is really pretty simple: the software and applications run by these companies are made by, well – people like you and me! No matter what the name of the company, or how big is it or anything… there is always a programmer.

So, what do I mean by this? Well, it means that as humans we can make mistakes – we can have a bad night and start coding while a bit sleepy, or rush to meet a deadline.   All the while, thinking/hoping: “It will never happen to me!”.  Or, as is often the case, the security layer is something that programmers and software developers leave until the end, because you have to run with the project timeline, and your boss is getting crazy, so what do we avoid to achieve the goals? Yes, don’t worry about all that ‘security’ stuff!

“Note a curious trait of human behavior  (formalized in prospect theory – developed by Daniel Kahneman and Amos Tversky in 1979), that people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.”

Interesting right?

Let’s try to explain a few things about security and how can we make our sites more secure. But keep in mind one important point: it doesn’t mean that your site, coded with security in mind, will be impossible to break in to.  You should always be suspicious when someone tells you “I can make your site 100% secure”.  Instead, it means your site will be protected against many common attacks (there are hundreds, and new kinds of attacks are developed every day), and it will give you some “best practices” for coding.

I like to think that website security is a day by day process, more of a vigilant routine and a way of interacting with a fast-evolving internet than a one-time effort.  Just because a site was humming along quietly a month ago with no security issues doesn’t mean it is still secure today.

First of all, what is Security?

Wikipedia said:
“Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition…”

And what about Information Security ?

“Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction…”

So, what can we do from our desks to make our code more secure, to protect our information from unauthorized access, to not loss information, and so on?  Be aware! That’s the key!  You need to think that every input can be a potential attack.

We will talk about tow of the most commons attack and how can we prevent attacks.

• Sql Injection
• Cross Site Scripting (XSS)

Sql Injection

This is one of the ways Sony was hacked. This is a very common security issue, and very easy to let an attacker control everything in your site.
Basically a Sql Injection is the ability to make your application runs SQL code that wasn’t intented to run.
It means that an attacker would be able to run things like “delete * from users”, or “select * from users”, over your user table. Or get any other information in your database, like credit card accounts, passwords, address,  grant administrative privileges without supplying a valid user name and password, compromised data integrity, remote command execution, etc.

Cross Site Scripting (XSS)

This kind of attack, has almost the same principle than Sql Injection. Basically it tries to inject Script Code into trusted web sites. Doing this, an attacker can (and more):

• Accessing sensitive or restricted information
• Gaining free access to otherwise paid for content
• Spying on user’s web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Denial of Service attacks

These are tow of the most important vulnerabilities, but quiet easy to avoid, don’t worry, you will get the rights tool in the next posts!

Keep reading!

Why Such a Large Reach?
This incredibly flexible and extendible application has been successful partly as a result of the equally impressive theme and plugin ecosystem that it has fostered.  Through a well-documented and very powerful API library, a clear development roadmap, as well as a commitment to an open GPL license structure, developers and designers alike are able to extend WordPress to suit their needs and the changing internet marketplace.

This really is unique.  If you look at other dominant ecosystems (Apple’s iPhone or Microsoft Windows, for example) there is plenty of evidence to show that more ‘developer friendly’ systems with open-source philosophies (e.g. Google’s Android or Linux) gain traction over time.  Now, I could devote an entire series of posts to comparing the virtues and strengths of these great products, but the point here is that WordPress has done something right in the last 5 years, and I think that is because of a pretty great combination that allows people like me (and thousands of others around the world) to build outstanding, highly functional, and secure websites that meet the needs of our ever-changing clients:

1. High quality, rigorous, and regular development of the WordPress core.  You guys rock.
2. A rich marketplace of free and professional themes and theme frameworks, running on free software that works (see above).
3. A powerful API which allows plugin developers to extend WordPress way beyond its stated functional walls.

Since the crew at Automattic is taking care of point #1, who is leading the charge when it comes to #2 and #3?  In short: some of the best and brightest minds on the web.  Here is my short list, highlighting what I think are some of the unique and defining aspects of each sector.  I will go into more detail about these WP leaders in upcoming posts.

Themes

• The hive approach:  themeforest.com is the clear leader here.
• The cowboys:  press75.com and elegantthemes.com
• The coders:  StudioPress and DIYThemes (Thesis)
• The business types: Woothemes

Plugins

• The narrow niche: gravityforms.com and shopplugin.net
• The free and fearless: yoast.com
• The ambitious: bravenewcode.com

So What is Our Niche?
I’m writing about plugins and themes because our team at Whiteboard Media is busy working on, well, plugins and themes.   The reasons are simple: we need them for our own projects, we like to do cool stuff, and we see opportunity in the marketplace.

Currently we just released a Member Management plugin called Maven Member, which is really like putting raw meat in a pool of sharks.  Our goal is to iterate and learn with the help of the WordPress community, and there is no better way to do that then in an area like member management: it’s hard to find a “one size fits all” and so the solution we’re coding really needs to perform at a high level.

In a few month we’ll be launching a new service, called SiteMavens, which will offer WordPress hosting along with a stable of professional themes and plugins that we think will make a positive contribution to the expanding needs of WordPress developers and customers.

Prior to her time at Whiteboard, Meg worked as an in-house designer and webmistress at a local non-profit, as a digital archivist in both corporate and university settings, and as a classical oboist.

When not online, Meg enjoys spending time with her husband and two young sons, running, knitting, and cooking local foods.

The Coalition is a citywide organization of social workers, nurses, physicians, administrators, hospitals, health services organizations, and clinics that serve the health needs of Camden, New Jersey residents.

Goals included creating a design that was not only clean and professional, but that reflected unique elements of the city of Camden. This was achieved through use of clean lines, stark contrasts, and strong imagery. Another goal was to develop a fast site that is easy to update, a custom map, a downloads area, and a contact form.

The site was developed into xhtml/css and then integrated with WordPress, and is hosted on our premium servers. The member area is controlled by a custom plugin, that will be released to the public in September 2011.

He has collaborated on a wide variety of projects with Whiteboard Media since 2007 and brings a high level of dedication and creativity to every assignment. With the addition of several new faces, Felix has also moved easily into a management role as we build our team.

The site services:

• Organizations posting staff openings
• Organizations recruiting board members and other volunteers
• Individuals looking to match their skills to a nonprofit

With a custom content management system built on CodeIgniter, the center is able to accept posts, allow for multi level listings, provide automatic email updates to subscribers when new jobs in their interest groups are posted, and accept advertising. The site is hosted on our premium CMS plan.

Previously an accountant, Kamal discovered web design and development back in 2002 and later completed his degree.

In his spare time, he enjoys soccer, travel, and relaxing.