Software Standards and Vulnerabilities
For many years there was a certain uneasy understanding between the hacker community and many adult content providers. Our worst concern generally was a user posting his log-on credentials and having a flood of nonpaying users spider our sites and vacuum up megabytes of our content. To prove the point of this strange alliance I offer the following example.
I was recently at a conference where I met the owner of a credit card payment program. He bragged to me about how they had challenged the hacking community to find the weaknesses in their software, which some hackers promptly did. The hackers infiltrated the very heart of this payment system and left their "calling card." The business owner then offered to pay them to tighten the security of his software.
Am I the only one who sees a problem with this? Do you REALLY want to give unnamed hackers from unknown foreign countries with questionable motives the keys to your kingdom?
The final irony is that I was a PCI auditor at the time and this business owner lectured me on what his rights were and which regulations he had to follow. I wonder if he has a better awareness now of what data breaches are and whether or not he is still in business.
The moral of this story is that we must all be extremely careful about what software we use on our websites. The sites are our livelihood and protecting them should be something that we give more than just passing thought to.
Fortunately the online industry has matured to the point where there are many different choices for payment processing, and the PCI DSS folks have provided a link for users to check whether their PCI software is compliant.
But payment processing is only one of many pieces of software that run on web servers. A typical server will have a database (housing pictures, videos and audio), another database with current users and their passwords (and perhaps even more information about them), a streaming video server (or service) and web traffic analytical software, to mention only a few.
I suggest that everyone running a website take a moment to check their software and see if it shows up on watch lists of products with problems. You can do this online by typing in the name of the software you are investigating. The site will give you a list of the vulnerabilities that exist (if any) and how dangerous they are.
If your software yields results that you don't understand, or if the software has vulnerabilities that make you uncomfortable, call your computer security expert.
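The check described above, done for a whole server inventory at once, as an added example that is not from the original article. The article does not name the watch-list site, so the product names, versions and advisory records below are constructed sample data (the CVE ids are placeholders), shaped loosely like a vulnerability feed entry: affected product, affected version range, CVSS score.

```python
"""Check a web-server software inventory against a list of advisories
and rank the matches by how dangerous they are (CVSS v3 bands)."""

# Constructed sample inventory: the component types the article lists.
INVENTORY = {
    "paygate": "2.3.1",     # payment processing (hypothetical product)
    "mediadb": "5.0.4",     # picture/video/audio database
    "userdb": "1.8.0",      # user accounts and passwords
    "streamsrv": "3.2.0",   # streaming video server
    "webstats": "0.9.7",    # web traffic analytics
}

# Constructed sample advisories; ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "paygate", "min": "2.0.0", "max": "2.3.5", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "mediadb", "min": "4.0.0", "max": "4.9.9", "cvss": 7.5},
    {"id": "CVE-0000-0003", "product": "userdb", "min": "1.0.0", "max": "1.8.0", "cvss": 8.1},
    {"id": "CVE-0000-0004", "product": "webstats", "min": "0.9.0", "max": "0.9.10", "cvss": 4.3},
]

def parse_version(v: str) -> tuple:
    """Compare versions numerically: '0.9.7' < '0.9.10', which plain
    string comparison gets wrong and would silently skip a hit."""
    return tuple(int(part) for part in v.split("."))

def affected(installed: str, lo: str, hi: str) -> bool:
    """True if the installed version lies in the inclusive range [lo, hi]."""
    return parse_version(lo) <= parse_version(installed) <= parse_version(hi)

def severity(cvss: float) -> str:
    """Qualitative CVSS v3 bands: none, low, medium, high, critical."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"

def find_issues(inventory: dict, advisories: list) -> list:
    """Return (product, version, id, cvss, band) for every advisory that
    covers an installed version, most dangerous first."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed and affected(installed, adv["min"], adv["max"]):
            hits.append((adv["product"], installed, adv["id"], adv["cvss"], severity(adv["cvss"])))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for product, ver, adv_id, score, band in find_issues(INVENTORY, ADVISORIES):
        print(f"{band.upper():8} {product} {ver}: {adv_id} (CVSS {score})")
```

Anything reported as high or critical is the kind of result the article says to take to your security expert; the medium hit on the analytics package is the one string comparison would have missed.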