Questions to Ask Your Web Developer

Being proactive is the best approach to cyber security, and making sure your site is developed securely is a big part of that. Expecting business owners to be security experts, however, is unreasonable. How are you supposed to know what makes a site secure? You don't have to. When you are looking for a new developer (or want to check that your current developers know what they are doing), ask them the basic security questions below. I have written them so that a developer can answer without resorting to jargon, and each comes with context so you can judge the answer you get.


Q: For this project, what do you think the proper balance between security and convenience is?

Context: Security and convenience pull against each other. Almost every control that makes a site harder to abuse also makes it a little harder to use, so the question is never "how secure" in the abstract but "how much friction is this feature worth". A developer should understand this and have an opinion on how it applies to your site. For instance, making a user log in every time they visit, and again before doing anything sensitive, is more secure but inconvenient. That is a reasonable trade for a bank; it is probably not for a social media account. As the owner of the business, you decide whether you like their answer. What matters here is that they are aware of the trade-off and reasoning about it, rather than treating security as a switch that is either on or off.
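To make the bank-versus-social-media trade-off concrete, here is an added example in Python (it is not code from the original post). The same session logic serves both kinds of site; only the policy numbers differ. A session dies after too long idle or too long since login, and a "sensitive" action (changing an email address, moving money) demands a fresh password or two-factor check unless one happened recently. The timeout values, the user names and the request timeline are assumptions constructed for the illustration, not figures from any real product.

```python
"""Session lifetime policy with step-up re-authentication.

Added example: the bank profile chooses security, the social profile chooses
convenience, and the code deciding each request is identical for both.
"""
from dataclasses import dataclass

ALLOW, REAUTH, LOGIN = "allow", "reauth", "login"


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int      # seconds of inactivity before the session dies
    absolute_timeout: int  # seconds since login after which it dies regardless of activity
    step_up_window: int    # seconds a fresh password/2FA check covers sensitive actions


# Constructed profiles (assumed values, not taken from any real bank or social site).
BANK = SessionPolicy(idle_timeout=10 * 60, absolute_timeout=8 * 3600, step_up_window=5 * 60)
SOCIAL = SessionPolicy(idle_timeout=30 * 86400, absolute_timeout=90 * 86400, step_up_window=15 * 60)


@dataclass
class Session:
    user: str
    created_at: float   # login time, in seconds
    last_seen: float    # time of the last allowed request
    last_reauth: float  # last time the user proved their identity (login counts)


def login(user: str, now: float) -> Session:
    """Start a session; the password/2FA check itself is outside this example."""
    return Session(user=user, created_at=now, last_seen=now, last_reauth=now)


def reauthenticate(session: Session, now: float) -> None:
    """Record a successful fresh identity check for an existing session."""
    session.last_reauth = now


def authorize(policy: SessionPolicy, session: Session, now: float, sensitive: bool = False) -> str:
    """Decide what a request may do under the given policy.

    Returns LOGIN if the session has expired (absolute or idle limit), REAUTH if the
    action is sensitive and the last identity proof is older than the step-up window,
    and ALLOW otherwise. Only an allowed request refreshes the idle timer.
    """
    if now - session.created_at > policy.absolute_timeout:
        return LOGIN
    if now - session.last_seen > policy.idle_timeout:
        return LOGIN
    if sensitive and now - session.last_reauth > policy.step_up_window:
        return REAUTH
    session.last_seen = now
    return ALLOW


def walk_through(policy: SessionPolicy) -> list:
    """Replay one constructed timeline against a policy and return the decisions."""
    s = login("alice", now=0)
    steps = [
        (5 * 60, False),          # browse 5 minutes after login
        (20 * 60, False),         # browse again 15 minutes later
        (21 * 60, True),          # sensitive action one minute after that
        (30 * 24 * 3600, False),  # come back a month later
    ]
    return [authorize(policy, s, now=t, sensitive=sens) for t, sens in steps]


def step_up_flow(policy: SessionPolicy) -> tuple:
    """Sensitive action shortly after login, then the same action after re-authenticating."""
    s = login("bob", now=0)
    authorize(policy, s, now=60)                              # ordinary browsing
    before = authorize(policy, s, now=400, sensitive=True)    # may be challenged
    reauthenticate(s, now=401)                                # user re-enters password/2FA
    after = authorize(policy, s, now=402, sensitive=True)
    return before, after


if __name__ == "__main__":
    for name, policy in (("bank", BANK), ("social", SOCIAL)):
        print(name, walk_through(policy), step_up_flow(policy))
```

Run against the same timeline, the bank profile answers "allow, login, login, login" (fifteen idle minutes already cost the user their session) while the social profile answers "allow, allow, reauth, allow": the user stays signed in for a month, but the one sensitive action still triggers a fresh identity check. That is the balance the question is probing for, expressed as a few numbers a developer should be able to justify to you.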


Q: The biggest cause of vulnerabilities is human error. Making mistakes is natural, but what do you do to minimize them?

Context: Developers should know that most vulnerabilities come from ordinary mistakes; that is security 101. What they do about it is what matters. Good answers include having someone else review their code before it ships, knowing the frameworks and languages they use well enough to avoid their common pitfalls, and testing changes in a development or staging environment before putting them into production. Be wary of an answer that amounts to "I am careful": a process catches what an individual misses.


Q: What is the process after a vulnerability is reported, and how quickly can you get a patch out once you have found the cause?

Context: This question can be answered in many ways, because different projects have different development cycles. A time frame that is acceptable for patching a bug under one cycle can be far too slow under another. To some extent you will have to trust what your developers tell you, but listen for a concrete sequence: who receives the report, how it is confirmed and rated for severity, and whether a serious fix can go out ahead of the normal release schedule.
Assume the developer has been told about a vulnerability. They know it is a problem, but they do not yet know why it is happening. Finding the cause is usually the longest part of the process; once it is understood, writing and releasing the patch should be comparatively quick.

You want a streamlined process for getting patches out. Make that clear to your development team, and then listen to what they say; they know the application better than anyone.
