6

As a freelance developer, I sometimes have to access the administration panels of hosting providers of my customers. It is an astonishingly frightening experience. Below are some points I noticed when accessing recently a not-so-unpopular hosting provider based in UK which has the word "secure" mentioned in large on the home page:

  • The default administrative account is created with a terrible password: five lowercase and digits only characters, no uppercase, no symbols.

  • The password is displayed in several locations in the administration panel, which is a good sign that it's saved in plain text in the database.

  • This administrative account is used to access everything: FTP, MySQL and the administration panel itself (including personal information, invoices, etc.).

  • It is impossible to create additional accounts, which forces the customer to give the same administrative password to any freelancers who work on the project (giving them unlimited access to everything).

  • The MySQL database can be accessed from anywhere, not just locally. This behavior cannot be changed.

  • There is no audit.

  • Nothing helps or invites the customer to do regular backups.

  • The hosting uses PHP 5.2.4, a version released on August 30th, 2007 and cannot be upgraded to a more recent version. For those who are unfamiliar with PHP, the language has frequent updates due to lots of security issues discovered regularly, and running a website in 2012 even with the version released in 2011 is a very bad idea.

My experience with other well-known hosting companies in UK, USA and France is similar. Some are slightly better, security-wise, but too many are doing everything they can to enforce worst practices. Then, they claim being secure and easy to use, which gives the feeling that the customer can rely on the hosting provider for everything related to security.

What should be the professional response from a developer to the customer regarding such hosting companies?

As a developer who have a duty to inform the less technologically knowledgeable customers about the risks they encounter, what should I do?

  • Saying shortly that the hosting provider sucks because it's not secure is not a solution: if the hosting provider is not unpopular, the customer will trust the large hosting company, rather than some freelance developer.

  • Explaining in details every aspect of security and risk management wouldn't help neither, since it would be too long and boring for the customers to read. Spending hours reconfiguring stuff would be frightening for them too.

Arseni Mourzenko
  • 134,780
  • 31
  • 343
  • 513
  • 7
    Do you have an alternative for your customers? Just highlighting the risks without a viable alternative would be counter productive. – Oded Aug 18 '12 at 08:52
  • 1
    Many of the recent PHP security fixes solve problems that weren't there in 2007; one example is the hash-DoS attack fix that introduced an even more severe vulnerability. PHP 5.2 isn't so much of a risk if all security patches have been applied; the advantage is that it's 'proven technology', whereas PHP 5.4 contains quite a few new features that haven't seen that much real-world exposure yet. – tdammers Aug 18 '12 at 12:16

3 Answers3

7

If your customer is a business person, he/she is likely not understand what do you mean by most of the above. In a discussion about security with one customer, I received the question "and why would they go after my business anyway, I am no bank?".

I would suggest that you:

  1. Make a list of threats (like the ones you mentioned above) and what effect could each have on your customer's business.

  2. Make the alternative suggestion clear. Show cost comparison and other migration costs you see. Make simple final recommendation in plain English.

  3. Deliver this advice as an official report to your customer and get the customer to acknowledge the advice.

If they don't listen, well, its their choice, you'd have done your part.

yannis
  • 39,547
  • 40
  • 183
  • 216
NoChance
  • 12,412
  • 1
  • 22
  • 39
  • 3
    Good stuff. One thing I'd recommend is not to discuss *threats* (which is kind of computer security jargon) but instead *risk* and *exposure*. For example, how much money would they lose if a hacker erased the database? Or, would they be legally liable if customer confidential information were leaked? These kinds of issues should *really* get their attention. – Stuart Marks Aug 18 '12 at 16:43
  • @StuartMarks, +1, excellent point, thanks for bringing it up – NoChance Aug 19 '12 at 03:10
5

I'd prefer contacting the service provider first, just in case some of the issues are easily solvable from their side. Their response could range from "no to everything" to "yes to everything, without additional charge", but it will probably be somewhere in the middle ("we can fix this and that, but we'll have to charge you a small fee").

If their response is unsatisfactory, you've at least shown initiative to solve the problem(s) before complaining to your customer. Explaining to the customer that there are multiple issues with the service is good, showing them that the service provider is unwitting, unable or simply not interested in doing their part to fix those issues is better.

yannis
  • 39,547
  • 40
  • 183
  • 216
2

I think you're answering your own question, sort of... You need to explain to the customer just what is wrong with the current provider, pretty much exactly like you explain in your question. If you also could give examples of better hosting providers, preferably ones that are not much more expensive there may even be a chance they will listen.

In the end it all comes down to the customer actually seeing that moving to another provider has benefits for them. Security alone may be difficult to use as an argument unless breaches will cause direct loss in revenue or cause extra expenses due to lawsuits or loss of business.

harald
  • 1,953
  • 13
  • 16