2016 – The more things change, the more they remain the same. Web security is and will continue to make the news in 2016 (and that is not a good thing). Yes, we will continue to see social engineering (never under-estimate the social engineering power of a clipboard; never forget some people will reveal their password for a pen). We will continue to see phishing (and other forms of malicious email). Malware will continue to be an issue (along with ransomware and other trends). All this has been news for the past decade. And it will not go away in 2016.
My intent is to focus on what is new, why this topic is vitally important to Web professionals, what you need to know to protect yourself and others including your clients and how our community could improve the future of Web security and the sustainability of our profession.
What’s new in Web security issues
- Wearable technology is another area which is growing (and which often relies on the same web technologies – HTML, CSS, JS). We should have security concerns about these devices as well. Specifically, they often touch other devices (such as our smartphones with a wealth of data). Security breaches can go well beyond a watch or fitness device.
What does this mean for the Web professional?
We tend to rely more and more on the cloud for all sorts of activities. Personally, I have spent a fair amount of time investigating technologies like Docker Containers. What I struggle with is how secure many of these repositories are (we have to depend on others as we do not see the underlying infrastructure). We also have to make the assumption that the items we use from repositories are free of malware.
What you need to know:
- As web professionals, we need to remain vigilant and monitor our applications for breaches and any unusual events.
- We also need to stay on top of emerging technologies. When we work with vendors and implement solutions, we need to question how much attention has been given to security.
- We need to keep up to date on latest trends and always make our code as secure as possible. For example, I stress to my students they should always trust visitors to their websites, but never trust their input. We should already be in the habit of sanitizing any data provided by a web site visitor. Yes, we still read about SQL injection attacks and Cross Site Scripting. We have known how to defend against these sorts of attacks for many years. Yet, the attacks still happen.
- We need to audit our existing code to confirm that we do defend against these sorts of attack vectors.
- Always make an effort to confirm what you are installing is secure (and free of malicious code).
- New attack vectors emerge all the time. We need to understand these threats and the implications on our existing code.
- We need to be ready, remain vigilant, and keep up to date on emerging threats.
- When you install any new device, make certain you have an idea of how vulnerable it is to attack (and where the attacks are likely to come from).
- Continue to educate your clients on the dangers of these sorts of attacks.
We’re hopeful that you find our resources helpful. By aligning with a professional association we aim to support you in staying current with trends and to bring you the informational resources to succeed. As a professional organization, we also help educate. We can help you network with others. 2016 will be a combination of old attacks and new ones. We help each other through our network. Check out the other Web professional trends and if you’re not already a subscriber sign up. Future posts will include more on sustainability, what this means for the future of web professional, web-centric education and more in depth tutorials on web design, web development (including web security) and web business trends.
Mark DuBois, Community Evangelist and Director of Education