Well, our new company requires a suitable website, but isn't it contradictory for an information security company to go with a WordPress site?
Well yes, no and maybe.
The developer inside all of us wants to create something so secure that it is an exemplar, showing our clients that we know our stuff. It would take three months to write and one month to penetration test, and it would require active TechOps and DevOps to keep it up to date against emerging threats.
The AppSec consultant may suggest WordPress, but wants to ensure that, whatever is chosen, a secure Software Development Lifecycle (SDLC) is followed. Bespoke components will still be created to demonstrate the foundations of security, and they will be delivered in a secure and sustainable manner.
The InfoSec consultant agrees with the AppSec consultant. Security best practice recommends adopting well-known, widely scrutinised products and understanding the vulnerabilities in the solutions you depend on.
We calculated our risk appetite before making the design decisions that affected our online presence. A suitable host was chosen, and in selecting WordPress we created a new patching policy to reflect the frequency with which vulnerabilities are disclosed in WordPress core and its plugins. To further reduce the risk, we restrict the use of WordPress plugins to those we trust and whose impact on our organisation we understand.
We do have a higher risk appetite than those who wish to trade solely online, as we don't hold any commercial, personal or sensitive information within our site.
We also like to practise what we preach. We like to show that it is possible to identify the risks in vulnerable products and implement mitigating actions. By using proper two-factor authentication (2FA) with a YubiKey for WordPress logins, together with a proper account suspension process after repeated failed logins, we can stop brute-force logins from succeeding.
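As an added illustration of the account-suspension half of that sentence (this is not the site's own configuration or code, and the thresholds, hook priorities and key names are assumed values chosen for the example), a minimal WordPress must-use plugin that counts failed logins per username and client IP and refuses authentication for that pair once the threshold is reached, even if the correct password is later supplied. It uses only standard WordPress hooks and the transients API; 2FA itself is left to a dedicated plugin and the YubiKey.

```php
<?php
/*
Plugin Name: Failed-login lockout (illustrative mu-plugin, not production code)
Description: Suspends logins for a (username, IP) pair after repeated failures.
             Drop the file into wp-content/mu-plugins/ to load it without activation.
*/

// Tunables: assumed values, set them to match your own risk appetite.
define( 'FLL_MAX_FAILURES',   5 );                         // failures before lockout
define( 'FLL_FAILURE_WINDOW', 15 * MINUTE_IN_SECONDS );    // how long the failure counter lives
define( 'FLL_LOCKOUT_PERIOD', HOUR_IN_SECONDS );           // how long a locked pair stays locked

// Client address. Behind a reverse proxy or CDN this is the proxy's address;
// derive it from your proxy's trusted header instead if that applies to you.
function fll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per (username, IP). Hashing keeps attacker-controlled input out of
// the option name and keeps it within WordPress's transient name length limit.
function fll_key( $prefix, $username ) {
    return $prefix . md5( strtolower( $username ) . '|' . fll_client_ip() );
}

function fll_is_locked( $username ) {
    return get_transient( fll_key( 'fll_lock_', $username ) ) !== false;
}

// Count failures; lock the pair once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( $username === '' || fll_is_locked( $username ) ) {
        return; // already suspended, nothing more to count
    }
    $count_key = fll_key( 'fll_count_', $username );
    $failures  = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $failures, FLL_FAILURE_WINDOW );

    if ( $failures >= FLL_MAX_FAILURES ) {
        set_transient( fll_key( 'fll_lock_', $username ), time(), FLL_LOCKOUT_PERIOD );
        delete_transient( $count_key );
        // Leave an audit trail for the SOC / honeypot analysis.
        error_log( sprintf( 'fll: lockout user=%s ip=%s', $username, fll_client_ip() ) );
    }
} );

// Refuse authentication while locked. Priority 30 runs AFTER WordPress's own
// username/password handler (priority 20), so a locked pair is refused even
// when the supplied password is correct; hooking earlier would let the default
// handler overwrite our WP_Error with a WP_User.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( $username !== '' && fll_is_locked( $username ) ) {
        return new WP_Error(
            'fll_locked',
            __( 'Too many failed logins. This account is temporarily suspended.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that pair.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( fll_key( 'fll_count_', $user_login ) );
}, 10, 2 );
```

Two caveats a practitioner would add: keying on username plus IP means a distributed attack against one account is only slowed per source, so pair this with 2FA rather than relying on it alone; and transients stored in the options table are not shared across separate database-less caches, so on a multi-server host use a persistent object cache or a shared store.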
So why WordPress?
Because it isn't perfect, but it can be secured to a level that an organisation can accept. It's low maintenance, and the spare time we get between clients can be spent on producing content rather than writing code to keep it online.
It also works as a very nice honeypot: we experience attacks first hand and can capture them to analyse, sanitise and replay during our penetration tests.
A sprinkle of salt