Re: Web practices

From: Sun <s4ndeep1203_at_gmail.com>
Date: Thu, 16 Apr 2015 16:26:36 +0400

Hello everybody!

Missed this topic completely, thanks to Nadim for bringing up this topic.


> It may be due to the lack of information about web practices.
> Could you please introduce yourself and share some information about the
> web practices followed by the company you work for?



First of all, I think very few of the web developers in the Mauritian
market today know about security issues. The main problem here is
awareness. In my university classes I probably had modules related to
security but nothing too specific that deals with web development. The only
way I know about some security issues is either when I stumble upon them on
/r/web_design, or when somebody that I follow online talks about it (e.g.
Ish's Blog).

When I say security issues, I mean the things that pertain to web
development. I don't really care when Logan announces an exploit of xyz
router, because of the obvious scope of my job.

To come back to the awareness issues, we have people learning web
development in institutions in Mauritius and security is a very small part
of the courses; sometimes it's not even present. I have friends at the Open
University of Mauritius currently learning HTML, and they are taught to
code with <table>, so I don't imagine these lectures will keep up with
security issues.

Another thing when you work for a company is that you do only the things
that were mentioned in the contract. At a previous company that I worked at,
clients tended to remove things from the 'website package' to reduce the
cost. The manager agrees so that he can land the contract, and there's no
mention of security. As the developer, I will not implement things that were
not in the contract.

As for freelancers, who are often paid poorly, or who are just starting
out, some don't know about security issues. Others won't check back on the
site after two years, because they are simply not paid to do so.

Most web developers in Mauritius (who are self-taught) began by being all of
the following:

   - designer,
   - backend-guy,
   - ui/ux-guy,
   - javascript-ninja,
   - seo/marketing-guru

Then they tend to specialize in *one or two* of those. But very few started
out by giving security aspects equal attention. I did not. So when I need
expert advice, I call Nirvan.

Best practices:

   - Check rwx permissions.
   - Keep CMSs updated.
   - Use strong passwords.
   - Use efficient code (so that you don't DoS yourself, been there :P ).
   - Keep up with the latest news.
   - Have a backup plan to restore a website if need be.
   - Never stop learning.
   - Have a contact channel so that people can report bugs.

I work as a Front-end Developer / Mobile App Developer / Research & Development
guy at Prodigious Mauritius, at Ebene. I deal mainly with custom-made
sites and HTML5 mobile applications.

Thanks and Regards,

*RAMGOLAM Sandeep*

*Front-end Developer - Designer - Web Enthusiast - Gamer*
*Website:* barfii.net <http://www.barfii.net>

On 16 April 2015 at 15:46, Mohammad Nadim <nadim.attari_at_gmail.com> wrote:

>
> ---------- Forwarded message ----------
> From: Mohammad Nadim <nadim.attari_at_gmail.com>
> Date: 16 February 2015 at 01:14
> Subject: Re: Web practices
> To: S Moonesamy <sm+mu_at_elandsys.com>
> Cc: "Mauritius.Internet.Users-ML" <
> mauritius-internet-users_at_lists.elandnews.com>
>
>
> Hello SM,
>
>
> On 31 January 2015 at 02:27, S Moonesamy <sm+mu_at_elandsys.com> wrote:
>
>> Hi Nadim,
>>
>> The screenshot at http://www.elandsys.com/~sm/calaw-mu-compromised.png
>> was taken in July 2014. The web site has been compromised once again.
>> There are other web sites in Mauritius which have encountered similar
>> problems. It may be due to the lack of information about web practices.
>>
>> Could you please introduce yourself and share some information about the
>> web practices followed by the company you work for?
>>
>> Thanks,
>> S. Moonesamy
>>
>
>
>
> Sorry for this late reply.
>
> We are seeing many local websites being compromised mainly because the
> off-the-shelf CMS (Joomla, Drupal, Wordpress, etc.) that were used are not
> patched when patches are provided following a report of a security
> hole. Moreover, inexperienced web-masters tend to install plugins without
> being aware whether they are vulnerable or not.
>
> Web agencies or freelancers are not to be blamed entirely. Well, we have
> amateurs providing services for as low as Rs 6K - surely they do not
> provide a professional service. On the other hand, clients do not want to
> pay for good service provided by competent web agencies / freelancers. When
> they are reluctant to pay for a normal service, how do you expect them to
> pay for a maintenance contract? Hence, in the absence of a maintenance
> contract, patches are not applied, resulting in the clients' websites being
> compromised.
>
> Developers should secure a maintenance contract from their clients and
> monitor the websites they have developed, and apply patches when released.
>
> If web agencies / developers do not want to monitor the websites they
> have developed (or find it time consuming, or maybe don't find it
> profitable - they cannot afford additional resources: manpower, etc.), then
> they should not use off-the-shelf CMS. They should develop an in-house CMS
> / framework-mashup and use it in their projects. Since their code is not
> publicly available, there is less chance of hackers finding vulnerabilities
> in the applications (vs. publicly available code).
>
> Not releasing an in-house CMS / framework-mashup does not make the code
> secure and hacker-proof. When developing something like that, it is best to
> follow the guidelines provided by the Open Web Application Security Project
> (OWASP).
>
> There are other security aspects, namely the server - a SysAdmin / DevOP
> can shed some light on this.
>
> Best regards,
>
> Nadim Attari
>
> P.S.: I'm a front-end & back-end web developer working at Parixis Ltd
> (DevisProx.com / AssurProx.com ...) in Grand Bay. We develop mainly in
> PHP and we do a lot of HTML, CSS, and JS also.
>
Received on Thu Apr 16 2015 - 12:27:11 PST

This archive was generated by hypermail 2.3.0 : Thu Apr 16 2015 - 12:36:02 PST