We now have a third party that does do unannounced security audits for the hospital as a whole. That opens up a lot of new issues as well though (they are testing out production systems which can cause issues when they find holes).

For remote hosts though, I highly recommend getting 3rd party verification of what they claim. After all, they are marketing their services as well, and the truth of those claims can’t be verified easily. But we shouldn’t have to settle for a buyer-beware mentality.

In our process of selecting a vendor we brought in a representative from IS who posed many questions that I didn’t have a clue what they were about. Certifications, tests, redundancy, etc.; all I care about is if the Web site is up and if I can add a streaming video to the front page.

Might be a good idea for the future to have someone such as yourself recommend a checklist of questions and adequate/satisfactory answers (that’s incredibly difficult, I know).

Also: Regular Expressions rule!

Form validation, etc are all good things to look at (especially anything involving post calls). Hiring developers that have an understanding about things like form validation is helpful and have at least a familiarity of what constitutes the majority of issues (you summed it up nicely Cap’n) is also really good to have. Getting web security bumped high enough on security agendas so that backend processes are looked at it as well is really key. To be fair, we have had a changing of the guard here over the past year, and the new guard are much more demanding, which is great. Not just for me and my team of course but for our site’s users who correctly expect our websites to be up and running 24/7.

The most common thing I run into here are script-kiddies trying to take advantage of any form they can find. Usually it’s just a spambot trying to push levitra/cialis/viagra (or some mis-spelling thereof), but some of those are looking to exploit the mailserver as a relayer too. They’re just ankle-biters though; the worrisome bunch are the ones trying to DoS and injection attacks on the databases. I built some common functions through which every form must get validated, which look for all the usual stuff (yay, regular expressions) – any form submission that fails skips right past the “real” processing. I want to expand upon this to record all the details of the offenders – IP addy, what they attempted and how – etc. It just helps me build my library of what to keep an eye out for. And that’s only part of the front end …

Great post that hasn’t been brought up before!

I think regardless of where your site is hosted, or what your position is asking the question of “What would we do if…” is really necessary. Not just if it’s hacked, but also the disaster recovery plan? Do we have one? If not, what can we do to change that?

Great post Stephen, I’m glad that your site wasn’t too badly affected – looks like you got off with the right amount of a wake up call.

I know what I’m going to be doing today…