Often, clients are not aware of some of the inherent security risks involved with managing a website. Dre will provide concepts that will empower website creators and agencies to manage client expectations and identify points during a project lifecycle where security principles and their importance can be introduced. He’ll also provide some actionable tips on how sustainment and security can be handled by you, the service provider, as part of the project and beyond with sustainment agreements.
HOUSEKEEPING ITEMS
• Q&A
• Place questions in the Q&A box
• Ask questions right away
• Use #AskSucuri on Twitter to engage
• Brief survey at the end of the presentation
• Presentation of the webinar will come next week
How to Account for Security With Customer Projects
#AskSucuri
EXPECTATION MANAGEMENT
• What does success mean to your client? How about you?
• Communication beginning to end means success.
• Don’t Assume! Formalize requirements and approvals.
ESTABLISHING THE PROJECT LIFECYCLE
• Contact & qualification
• Estimate/Proposals
• Service agreement
• Discovery
• Project plan
• Design
• Development
• QA
• Deployment
OPPORTUNITY BEYOND THE PROJECT
• They came to you for a reason, right?
• Low overhead, long-term contracts.
• Establishing value is simple
• Expectations still apply
MAINTENANCE AND SUSTAINMENT
• Who can you support?
• What services can you offer?
• When do you introduce your service?
LEARN YOUR AUDIENCE
• Who can you support?
• Existing clients
• Onboard new clients
• Partner with companies
PLAY TO YOUR STRENGTHS
• What services can you offer?
• SEO
• Education
• Software Updates
• Uptime Monitoring
• Security
EDUCATION AND AWARENESS
• When do you introduce your service?
• From the first engagement
• Evangelize the entire lifecycle
• Encourage M&S demos
• Close prior to going into production
Things are great. Relationship is going well. We are rocking the project.
Creative services, agency projects, building an amazing website for a client is something I have always enjoyed. So much so that I have worked in and out of the agency space professionally for more than 10 years. It’s my equivalent to launching a rocket ship around the world!
There’s nothing worse than souring a relationship with a client due to something out of your control, but maybe perceived to be something that could have been avoided.
Years ago while working at an agency, we were super pumped that we had landed our first 100k website project. It was a commerce project. We were on point to architect the build from scratch, handle the company branding, and design and develop the site on a fairly tight schedule, because some marketing efforts around a product release were time sensitive. Pretty sure they had a huge industry conference they were trying to launch at.
The timeline had us phased to launch into production roughly 2 weeks before the event and we were on track.
In fact, we beat the deadline, nailed all of our requirements. The new branding efforts were to be integrated into print and even some of the product logo markings.
QA went well and we were ready. Final approvals came and we worked with the company’s web team to get the site into production. I’m pretty sure at the time we weren’t using Git or anything, probably some type of FTP to get the site up on their servers, which were hosted outside of their network.
The launch went well and they ramped up marketing efforts prior to their event. Email and newsletter signups along with other campaigns. They were geared up to push out their new products.
We were stoked, and were marketing from our end. This new portfolio piece was gonna help us engage a whole new audience. We announced the work and socialized the site everywhere. The feedback was phenomenal!
All was well…
Things go south fast and now they blame us. Sour apples.
Until. Until that 1am phone call a couple days later.
I answer the phone and on the other end was the director of marketing from this company. He was heated.
He was a bit aggressive to say the least. His voice was a bit on the high volume side. You could feel his enthusiasm.
Dre - You guys screwed something up. We need eyes on this ASAP! Our website is down and there is a weird page with techno music telling us that we’re stupid and that they OWN our website.
I asked him how long this had been going on and he said a few hours. The web team had removed the files from the site and reinstalled everything, but a short while later the site was redirected to this crazy page again.
It was a defacement, and now it was clear there was a backdoor allowing the site to get reinfected.
We put all hands on deck. Stepping up to the plate.
I got with the team and we worked with the company to figure out what was going on. Although I knew our code was solid, we did a review to make sure we weren’t introducing a vulnerability, which we weren’t.
The company’s hosting environment was out of our area of responsibility, and we didn’t have full context as to what was going on in that environment. We had turned over code, and although we had access to help get the site into production, we were limited to our interaction beyond testing the site once we migrated.
We got the issue resolved and looked like superheroes/rockstars/champs.
What ended up being the issue was that it was a shared box with multiple websites and pieces of software on it. There happened to be an outdated CMS in another directory that was already infected. In fact, nearly every site on that server was infected.
We helped our client clean up the site and the issues on the server, because we felt it was the right thing to do. In the end however, the infection was not our responsibility, and we ate the cost of helping them remediate the problem.
You have to account for security
This happens all too often unfortunately.
Although this whole incident wasn’t really our fault, we learned from it. We learned that there are things that can be done to help avoid these issues. If we had just had the discussion and learned more about what their environment looked like, we could have helped keep them from being infected, and maybe even picked up a new sustainment contract.
You as the service provider have a responsibility to your clients. Accounting for security is part of that!
I would like to share some of my ideas with you.
I’m Dre Armeda, CISSP. Co-Founder of Sucuri.
Before Sucuri, I was CEO and Founder of a small WordPress agency, and most recently I served as CMO at WebDevStudios, an agency that created sustainable web applications and websites for companies like Microsoft, Discovery Channel, and Campbell’s Soup.
I want to talk to you about some of the things you can do to expand your opportunity to become a long term partner with your clients, and how you can help them become more secure while you expand some recurring revenue.
Expectation Management
What does success mean to you? What does it mean to your client?
Understanding and communicating these requirements or expectations from start to finish will help you actually reach them.
It’s OK to tell a client if something is not possible, or if something is out of scope.
Be Consistent. From the onset of the relationship be candid and upfront.
If it’s not included, be open up front that you will do what you can to preserve the integrity of the project.
Every action has a reaction, and adding in features and nice-to-haves during the project will affect timeline and budget.
Be comfortable with not allowing scope creep.
Don’t assume; work off of documented and approved requirements.
Just like your clients have expectations around what they get for what they pay, you should have expectations as well, and you should be transparent with them. Make sure they’re formalized.
Establishing a project lifecycle
We all have our magic approach to a project. This starts through the sales process, and bleeds into the various phases of the project build:
You make contact and learn. High level discovery
Estimate and proposals
Formalized Service Agreements
Project Plans
Formal Design and Development Discovery
Design
Development
QA
Deployment
For a successful project, all of these phases need to happen in some capacity. Every shop is different. Some use specific methodologies and so on. Lifecycles all vary, but at a high level you have all of these components, right?
But this is really just the beginning of your opportunity. Launching the site after successfully moving through each phase of the lifecycle is the act of birthing a site.
This is just the birth of a successful website for your client. Life has been given to the next amazing website on the web. What now?
Introducing services that can build a long term relationship with your client becomes a vehicle to successfully extend your offering and your revenue stream.
Maintenance and Sustainment
You’ve killed it for your client and helped them launch a bitchin website.
They came to you for a reason, right?
Experience building websites?
SME with XYZ platform
Your SEO game is on point?
You JavaScript all the things?
It’s an easy sell to ease the pain for your clients by you (the EXPERT) managing all these things for them long term.
Your benefit as a provider is low overhead, long-term contracts. This is a strong potential revenue stream with minimal effort and extended opportunities. (If you’re sustaining, they may need more custom work. You’re already in the door)
Establishing the value of having a sustainment solution is simple:
It’s in the interest of your clients’ customers
Critical for SEO
Maintaining a consistent corporate image
There are many areas that likely sit outside of your client’s expertise depending on the size of their team and site, like publishing and even performance monitoring. Having a partner to manage their sustainment centralizes all of these efforts.
Risk management and consistent security monitoring and protection are essential to lowering the risk floor.
Remember setting expectations
What are the work hours for your team? Is that in case of ER as well?
What are the service level agreements?
Will there be reports or other communications to let them know what you’re doing on a daily, weekly, monthly basis?
Maintenance and Sustainment
Who can you support?
Existing clients
Onboard new clients
Partner with other companies to support their clients
3 areas to think about
There are a lot of tacos out there.
I always like sharing different statistics with my audience to help provide better context on why we should be having this conversation and how it applies to us all. I do this because it’s important to understand the scale we’re working with and where we, and our web properties, fit.
As of last week, we were right at about 1.1 Billion active websites
Of the 1.1 Billion, about 33% are powered by some form of CMS - open or closed.
Dividing that further, 73% of that 33% are powered by four platforms: Drupal, WordPress, Magento and Joomla! Almost 80% of all CMSs are open source.
Maintenance and Sustainment
What things can they include in their projects / sustainment agreements?
SEO
Education
Software Updates
Uptime monitoring
SECURITY
Security monitoring
Protection with a WAF
Can lead to
SLAs
Hourly retainer opportunities
You need to believe in it, or they won’t.
It’s never too early to talk about security in the relationship.
From initial engagement through hand off after the build, you have the chance to socialize security and how you can help sustain your client’s site.
What I have found works well is talking through the entire lifecycle, beginning to end, during the initial discussions with a potential client.
For example, you have an initial discovery call to talk at a high level about what they want. This is a great opportunity to introduce how you work from estimate to deployment, from QA to long term maintenance.
You’re setting expectations from the beginning and recommending the long term as responsible partners.
This gets your client thinking about all these moving parts and makes your job of adding maintenance/sustainment to the contract a bit easier to talk about.
WHY security?
Security, to me, of course overlaps with maintenance and sustainment, for obvious reasons.
It’s typically included with maintenance and sustainment.
Updates and performance, and site availability for example, can be included as part of security services.
I encourage agencies to make security a requirement and a security plan part of the project architecture.
During the build, formalize your requirements and the client’s requirements.
Educate on the importance of where the site is developed and where it will be in production.
What are the security controls in place to protect the entire stack?
Who has access to what, and when, during the project?
Who is responsible for each area of security during and after the build?
Make hosting recommendations
What are some of the things you should be considering?
BUT I also think it’s a very important standalone thing that needs to be at every phase of a project, including M&S.
So when do you introduce the concept and how you can help your client manage their website security with them for the life of the site? From the very beginning!
Now that you’ve recommended from the jump, include language around security in your proposals.
I personally like adding a whole section talking about my recommendations beyond the build into my proposals and why it’s so important.
I also like noting that security is important not just during the build, but also something that’s part of a sustainment program.
In proposals I also include security solution pricing as a service for the site once it is launched. This can be its own line item, or several line items.
This can be split into a few areas:
Security monitoring and alerting
Protective measures such as a WAF
Application tools like plugins
Remediation/Incident Response services
Vulnerability management through things like upgrades and updates is generally ineffective. This frankly should not be news to most of us. Not because updates don’t work, but because they never get done.
So the question for me becomes: why is this the case? What are the challenges contributing to this problem?
This led me to an interesting study by Northbridge in which they analyzed enterprise organizations and how they work with open-source technologies.
They noticed that approximately 33% of companies had no process for identifying, tracking or remediating known vulnerabilities.
47% of those same companies didn’t even know what open-source technologies they were responsible for tracking.
50% of the companies had no one responsible for the open-source vulnerabilities.
Think about that for a moment and try to draw a line between that study and your own organizations. How many of you in this room, whether agency or consumer, really know or have a grasp on the technologies you’re deploying? How many of you have someone you can hold accountable when it comes to security?
Perhaps the biggest reason I can find as to why these problems exist is because of a fundamental lack of understanding of security. In most security conversations we try to hone in on the "real" problem as if it's new, and constantly look for the "quick fix" to the problem.
There is this overemphasis on finding the latest tool to satisfy a check box, and less time trying to understand what the tool is meant to solve or more importantly how that aligns with your specific security objective (more on this later).
Security is much more than a tool or configuration. It’s a mindset. It’s a process.
Security is built on three core pillars: People, Process, Technology. None of them is meant to exist on its own; they all work in unison. Deploying only the technology without having a process in place or the people to manage it is setting you up for failure.
Additionally, when we’re talking about attacks against websites, a very high percentage are automated and what we would consider to be attacks of opportunity. Relatively speaking, while targeted attacks do exist, they are rare.
When it comes to today’s attacks, we’re predominantly dealing with attacks of opportunity in which attackers target low hanging fruit: scan all sites for Drupal 7 installs, and once you find them, check if they’re exploitable via Drupalgeddon or some other known vulnerability.
When I look at the vectors an attacker might abuse, I divide them into three distinct groups:
External Attacks
Internal Attacks
Reflective Attacks
External attacks are those we’re probably most familiar with. An attacker exploits a vulnerability remotely; think a SQLi / RCE type vulnerability. An internal attack might refer to the concept of cross-site contamination, in which an attacker is able to move laterally within your environment. Reflective attack is not exactly the most appropriate name, but it is meant to describe attacks that are able to abuse your website’s resources without compromising it. Think malvertising or abusing a third party integration like jQuery.
Actions on objective refer to the things an attacker might want to do with your web property. The impact of each will vary greatly with your organization and audience. The most common in people’s minds is the distribution of malware, using your website as a distribution mechanism. But attackers are smart and have found a number of uses for your websites, uses that are sometimes difficult to detect and in many instances have greater impacts. They range from maliciously leveraging your infrastructure resources to attack other properties (think DDoS) to using it in spear phishing campaigns against organizations around the world.
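As an added example (not from the talk or from Sucuri), here is the kind of check a sustainment provider could run over a shared host’s access logs to spot the opportunistic, multi-site CMS scanning described above, which is also the pattern behind the cross-site contamination story earlier. The log lines are constructed, the vhost-prefixed log format and the fingerprint paths are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a vhost-prefixed combined log format (assumption: the shared
# host logs "vhost client - - [timestamp] \"METHOD path PROTO\" status" on each line).
SAMPLE_LOG = """\
shop.example.test 203.0.113.7 - - [10/Oct/2018:01:02:03 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200
blog.example.test 203.0.113.7 - - [10/Oct/2018:01:02:04 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404
news.example.test 203.0.113.7 - - [10/Oct/2018:01:02:05 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200
shop.example.test 203.0.113.7 - - [10/Oct/2018:01:02:06 +0000] "GET /user/register HTTP/1.1" 200
news.example.test 203.0.113.7 - - [10/Oct/2018:01:02:07 +0000] "GET /user/register HTTP/1.1" 200
shop.example.test 198.51.100.4 - - [10/Oct/2018:01:05:00 +0000] "GET /products/widget HTTP/1.1" 200
shop.example.test 198.51.100.4 - - [10/Oct/2018:01:05:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200
"""

# Paths an opportunistic scanner typically requests to fingerprint a CMS before trying a
# known exploit. Illustrative assumption, not an exhaustive or authoritative list.
FINGERPRINT_PATHS = {
    "/CHANGELOG.txt", "/core/CHANGELOG.txt", "/user/register",   # Drupal
    "/wp-login.php", "/readme.html",                            # WordPress
    "/administrator/",                                          # Joomla
}

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (vhost, client, path, status) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["vhost"], m["client"], m["path"], int(m["status"])


def find_opportunistic_scanners(text, min_vhosts=2, min_probes=3):
    """Return {client: {"vhosts": set, "probes": int, "hits": set}} for clients that
    request fingerprint paths across several sites on the same box. A probe answered
    with 200 is recorded as a 'hit': a site the scanner now knows runs that platform."""
    probes = defaultdict(lambda: {"vhosts": set(), "probes": 0, "hits": set()})
    for vhost, client, path, status in parse_log(text):
        if path.split("?", 1)[0] not in FINGERPRINT_PATHS:
            continue
        entry = probes[client]
        entry["vhosts"].add(vhost)
        entry["probes"] += 1
        if status == 200:
            entry["hits"].add(vhost)
    return {c: e for c, e in probes.items()
            if len(e["vhosts"]) >= min_vhosts and e["probes"] >= min_probes}


if __name__ == "__main__":
    for client, info in find_opportunistic_scanners(SAMPLE_LOG).items():
        print(client, "probed", sorted(info["vhosts"]), "fingerprinted", sorted(info["hits"]))
```

The single normal visitor (198.51.100.4) is not flagged even though it touched one fingerprint path; only the client sweeping several vhosts on the box is reported, with the sites it successfully fingerprinted listed for follow-up by whoever sustains them.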
The thing with risk, however, is that it can get out of control very fast. We have to be sure to:
Clearly define scope
Recognize that risk will never be zero
Understand that it is a continuous process
Understand that clearly identifying your risk tolerance will help you prioritize your security activities. You can’t do everything, and in many cases it’s unattainable and / or unsustainable.
If you think this doesn’t apply to you, or that you’re too small to think about this, I’d highly encourage you to reconsider. Compromises happen to organizations of all sizes and the impacts are real. I categorize these into two distinct groups:
Business
  Brand
  Economic
  Emotional
  Liability
Technical
  Blacklisting
  SEO impacts
  Visitor compromise
  Network tunneling
I would of course encourage everyone to start thinking beyond application level security controls and start spending some energy looking at cloud-based technologies to complement their security.
Recap with Action
Set expectations
Establish a project lifecycle
Think beyond the project
Build maintenance and sustainment into your lifecycle
Offer this as part of your long term solution to the client
Offer the assurance of monitoring and protection on their investment
Document what the offering is.
What services will you offer?
How will they be offered?
How long will they be offered?
What is the communication mechanism for your clients to request assistance
Are there service level agreements to consider?
Offering security is awesome
Defense in Depth
Plugins are fine, cloud-based technologies at the edge are better. A marriage of different security controls based on your architecture and usage is best.
Monitoring
With that, I’ll open it up for questions from the audience if there are any.