Before we even start building a website, we start with a foundation of security; we treat our partners’ digital presence and data integrity the same way we treat our own.
The Lifeblue team follows a three-component strategy — prevent, monitor and respond — to keep client sites secure, said Lifeblue Vice President of Research & Development Derek Odell.
“The service mentality here is that we are a partner in the operation of their website — and as a partner, we want to build and maintain trust, so our clients are free to focus on their business and the people they serve,” Derek said. “So, for every project, we start there.”
Building a secure website starts by layering in industry-standard deterrents against malicious actors and making sure we understand software-specific needs.
1. Industry standards: From the outset, every Lifeblue project incorporates industry standards from The Open Web Application Security Project (OWASP), a nonprofit that’s “globally recognized by developers as the first step towards more secure coding.”
In addition to compiling a top 10 list of the most critical security risks to web applications, the organization shares additional recommendations for more rigorous safety measures.
“That includes recommendations to bolster password strength and enable two-factor authentication, as well as protect against advanced threats, like attacks that exploit form fields,” Derek said.
2. Customized preparation: To deliver the best solutions, we utilize an array of third-party services and software, like WordPress or Shopify. The products we use depend on each partner’s business needs, along with an array of other factors.
As an ongoing practice, our developers stay informed about how each of these vendors keeps its code up to date, as well as where the vendor's responsibility ends and ours begins.
That way, if an issue ever arises, our team is ready to act, even before the site launches.
Ahead of launching a site, we also implement several tools that alert us 24/7 to suspicious activity, like a sudden spike in visitor traffic attempting to check out.
While a rapid increase in purchase activity might be the desired result of a promotion, it could also be generated by a bot cycling through stolen credit card numbers.
Once that alarm is triggered — no matter the time of day — a Lifeblue developer jumps in to diagnose the situation.
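As an added illustration of the kind of alarm described above (this is example code, not Lifeblue's monitoring tooling), the script below runs a card-testing heuristic over a constructed checkout log. It goes slightly beyond a plain traffic-spike count: it looks at each client separately and flags one that makes many checkout attempts in a short window, mostly declined, across many different cards, which is how a bot cycling stolen numbers looks, while a promotion burst (many shoppers, one approved purchase each) does not trip it. The log format, IP addresses, thresholds and card tokens are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log line format: timestamp, client IP, card token, gateway result
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) card=(?P<card>\d+) result=(?P<result>\w+)$")

def build_sample_log():
    """Constructed sample log (not from any real site) with two kinds of traffic."""
    lines = []
    # Promotion traffic: 15 distinct shoppers, one approved checkout each, inside one minute.
    for i in range(15):
        lines.append(f"2024-05-01T10:00:{i:02d}Z 198.51.100.{i + 1} card={1000 + i} result=approved")
    # Card testing: one client cycling 12 different cards in 22 seconds, almost all declined.
    for i in range(12):
        result = "approved" if i == 7 else "declined"
        lines.append(f"2024-05-01T10:00:{2 * i:02d}Z 203.0.113.5 card={5000 + i} result={result}")
    return "\n".join(lines)

def parse_log(text):
    """Parse matching lines into dicts; lines that do not fit the format are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def card_testing_suspects(events, window_s=60, min_attempts=10,
                          min_decline_ratio=0.5, min_distinct_cards=5):
    """Return {ip: stats} for clients that, within any window_s-second window, made at
    least min_attempts checkouts, mostly declined, spread over many distinct cards.
    Thresholds are assumed values; tune them to the site's normal checkout volume."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this client's attempts
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            declines = sum(e["result"] != "approved" for e in window)
            cards = {e["card"] for e in window}
            if (len(window) >= min_attempts and declines / len(window) >= min_decline_ratio
                    and len(cards) >= min_distinct_cards):
                suspects[ip] = {"attempts": len(window), "declined": declines, "cards": len(cards)}
                break  # first qualifying window is enough to raise the alarm
    return suspects
```

Running `card_testing_suspects(parse_log(build_sample_log()))` flags only the client at 203.0.113.5; the 15 promotion shoppers are left alone because each made a single approved attempt.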
If a potential issue is detected, then our top priority is to respond using the following steps:
1. Understand the alarm: Our developers go into detective mode, investigating what could’ve set the alert off and any other compelling context that they can pass on to Lifeblue producers.
2. Identify its extent: As developers trace the situation back to its cause, they determine where it’s occurring and search for patterns.
3. Determine action plan and communicate with partners: As our developers build an action plan based on industry best practices, our producers share critical information with the impacted partner. We not only want to keep our partners apprised of the situation, but we want to make sure they understand how we’re handling it and identify any specific needs they may have.
4. Deploy immediate solution: We determine and implement the swiftest fix. “In most scenarios, there is something that will immediately stop the problem, but only temporarily, and then there’s usually a more permanent solution that’s going to take time to build,” Derek said. “There’s almost always two different versions of a solution that solve both of those needs.”
5. Implement long-term solution: With the initial remedy in place, our team can then build out a solution that will be a sustainable fix.
6. Closely monitor: Our team enhances monitoring to ensure that the solution continues to succeed.
Because we know that our work is at its best when it goes unnoticed — when the ease of use allows our partners to serve their customers seamlessly — we always aim to deliver thorough, fast and elegant solutions when trouble arises.
Our promise to our partners is that we will work to protect their business at all times, and in the digital space, that means staying prepared for third-party threats and acting swiftly to evolve our standards of security.