Security is and remains a sensitive and abstract subject. It requires effort and investment that make no direct, visible contribution to the appearance or functionality of the application or website.
It is therefore the right choice to give security sufficient attention and budget, and to work with a digital partner who has the knowledge and experience to deliver it.
Every company wants its data well protected and tries to prevent its website or application from being hacked or going down. In practice, damage to your company's image or a leak of personal data (or other sensitive information) always has a far greater impact than expected.
Is a Web Application Firewall (WAF) used?
Does your proposed solution include Cloudflare or a similar service against Distributed Denial-of-Service (DDoS) attacks? And something like Fail2Ban to ban sources of repeated failed logins and other intrusion attempts?
Do you plan to maintain a static version of the application with the possibility of DNS geo routing?
What measures do you plan to use to protect login pages? For example, a Virtual Private Network (VPN), IP restriction, Multi-Factor Authentication (MFA)?
With our experienced Sevendays team, we take our responsibility for security more than seriously.
We use a widely used framework: a collection of standardised, commonly used functions and libraries that serve as building blocks for developing web applications. It gives us as developers a structured environment in which to write, test, debug, manage and maintain web applications.
Out of the box, the framework provides the following security measures:
Database access through the ORM with parameterised queries; no raw SQL string concatenation in application code
Mass-assignment protection: only explicitly allowed attributes can be filled from request input
Session data and stored secrets are encrypted with a unique per-application key
Authentication is handled by the framework rather than hand-written
Robust validation tools on both the front end and the back end
Cross-Site Request Forgery (CSRF) protection
Sensitive configuration (credentials, API keys) is kept in environment configuration outside the application codebase and version control
Cloudflare protection is always possible, but out of the box we have already integrated the following WAF functionality into our PHP framework:
Prevent Cross-Site Scripting (XSS) Attacks
SQL injection prevention
Remote file inclusion (RFI) protection
Preventing Local File Inclusion (LFI) Attacks
Protection against User-Agent based attacks
IP whitelisting: only allows specific IP addresses
We log failed logins and temporarily block the source IP address after a number of failed attempts
We block sources that repeat attack patterns
We send a notification as soon as an attack is detected
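The failed-login logging, temporary IP block and notification described above, written out as a worked example. This is an added illustration, not the framework's or Sevendays' own code; the thresholds, the in-memory store and the trusted proxy range are assumptions. The point a practitioner should not miss is in client_ip: when the application sits behind Cloudflare or a load balancer, the blocked address must be taken from a forwarding header only when the request actually arrived from a trusted proxy, otherwise an attacker can spoof the header to dodge the block or to get a victim's address blocked.

```python
"""Failed-login tracking with temporary IP blocking and alerting.

Added example. Uses an in-memory store, so it only works for a single
worker process; a production deployment would keep the same state in
Redis or the database so that every web worker sees it.
"""
import ipaddress
import time
from collections import defaultdict, deque

# Tuning values are assumptions for this example, not the page's settings.
MAX_FAILURES = 5        # failures allowed inside WINDOW_SECONDS
WINDOW_SECONDS = 600    # sliding window for counting failures
BLOCK_SECONDS = 900     # how long a source stays blocked

# Constructed reverse-proxy range (documentation prefix, not a real CDN range).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to log and block.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy.
    The rightmost entry is the one the trusted proxy appended; entries to
    the left were supplied by the client and can be forged.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted_proxies):
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            candidate = forwarded.split(",")[-1].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # malformed header: fall back to the proxy address
    return str(peer)


class LoginGuard:
    def __init__(self, notify=None, now=time.time):
        self._failures = defaultdict(deque)  # ip -> timestamps of failures
        self._blocked_until = {}             # ip -> unix time the block expires
        self.events = []                     # audit log lines
        self._notify = notify or (lambda message: None)
        self._now = now

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._now() >= until:
            del self._blocked_until[ip]  # block has expired
            return False
        return True

    def record_failure(self, ip, username):
        """Log the failure; block the source once it exceeds the threshold.

        The attempted username is logged, the password never is.
        Returns True when this failure triggered a block.
        """
        now = self._now()
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()  # drop failures outside the sliding window
        self.events.append(f"{int(now)} LOGIN_FAILED ip={ip} user={username}")
        if len(window) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            self.events.append(f"{int(now)} IP_BLOCKED ip={ip} seconds={BLOCK_SECONDS}")
            self._notify(f"possible brute force from {ip}, last username tried: {username}")
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a successful login resets the counter


def simulate():
    """Constructed scenario: six attempts against 'admin' from one address behind the proxy."""
    clock = {"t": 1000.0}
    alerts = []
    guard = LoginGuard(notify=alerts.append, now=lambda: clock["t"])
    ip = client_ip("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"})
    blocked_at = None
    for attempt in range(1, 7):
        clock["t"] += 1
        if guard.is_blocked(ip):
            blocked_at = attempt
            break
        guard.record_failure(ip, "admin")
    clock["t"] += BLOCK_SECONDS  # let the block expire
    return {"ip": ip, "blocked_at_attempt": blocked_at, "alerts": alerts,
            "unblocked_later": not guard.is_blocked(ip), "events": guard.events}


if __name__ == "__main__":
    for line in simulate()["events"]:
        print(line)
```

Blocking by source address alone does not stop a distributed attack that spreads attempts over many addresses, so the same counter should also be kept per account; the structure above is the same, keyed on the username instead of the IP.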
Only users who are actually authorised should be able to access the application, and you want to require them to log in in the most secure way possible.
This can be done, for example, with:
Two-Factor Authentication (2FA) for backend access, using a Time-based One-Time Password (TOTP) app such as Google Authenticator
IP whitelisting for access to the management area
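How TOTP-based 2FA works on the server side, as an added example (not the framework's or Sevendays' code): the shared secret is enrolled once via an otpauth:// URI that Google Authenticator scans, and on every login the server recomputes the code for the current 30-second step. The verification below accepts one step of clock drift either side, compares in constant time, and refuses to accept a step that has already been used, which is the check that stops a captured code from being replayed within its validity window. The test secret is the one from RFC 4226/6238, so the values can be checked against the RFC tables.

```python
"""TOTP (RFC 6238) generation and verification. Added example."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1  # accept one step either side for clock skew

# Shared secret from the RFC 4226 / RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP = HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_step=None):
    """Return (accepted, step_used).

    last_used_step is the step of the last code this user successfully
    entered; persist the returned step so the same code cannot be replayed.
    """
    current = unix_time // STEP_SECONDS
    accepted, used = False, None
    for delta in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue  # already consumed (or older than a consumed code)
        # Compare every candidate rather than returning early, so timing
        # does not reveal which step matched.
        if hmac.compare_digest(hotp(secret, step), submitted) and not accepted:
            accepted, used = True, step
    return accepted, used


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI for enrolment; authenticator apps expect the secret base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}"


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "admin@example.com", "ExampleCMS"))
    print("current code:", totp(RFC_SECRET, int(time.time())))
```

In practice the per-user secret is generated with a CSPRNG (for example os.urandom(20)) at enrolment and stored encrypted, never the RFC test value; the rest of the flow is unchanged.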
A Distributed Denial-of-Service (DDoS) attack is best compared to a motorway during the morning rush hour. More traffic is sent to your website or application than it can handle, the road clogs up, traffic slows down and eventually comes to a standstill.
The result: your website or application goes offline.
To withstand such a DDoS attack you need a very wide road. That is why our hosting provider's network has a capacity of 100 gigabit/s; compare it to a motorway that suddenly has 100 lanes instead of 3. That headroom absorbs volumetric attacks; floods of legitimate-looking requests at the application layer are where the WAF and a service such as Cloudflare come in.
Bring on those hackers.
If you want to protect your management environment as much as possible and do not want to expose it to the internet at all, a statically generated website is another option (this scenario is less suitable for a dynamic web application).
Benefits of a statically generated website include:
A static website does not need server-side logic
The management environment is offline and not reachable from the internet, so it is not exposed to remote attacks
The generated files can be served from several regions of an Amazon or Azure environment, with geolocation routing sending visitors to the nearest one
On top of everything the framework provides, the extra WAF protection, proper authentication for logins and the hosting provider's own security, we as the Sevendays team add the following:
We conduct internal audits and follow a security checklist before live deployment of an application
We respect the best practices of the framework used
We handle sensitive information with care in accordance with your company policy
We apply security patches and updates regularly and with due diligence
If, despite all these measures, something still goes wrong, we have a disaster recovery plan:
The application's source code is kept in a version control system, from which we can redeploy to clean, uncompromised hosting infrastructure with minimal effort
Data lives in two places: the database and the file storage
A database backup is taken at fixed intervals, and the files (images, documents, ...) are stored separately on Amazon S3 with redundancy
Earlier data can therefore be restored from a backup at any time