BlueModus Adopts "Secure First" Web Development Approach
Posted by BlueModus News on May 11, 2015
As websites and services have become integral to all our lives, so has the need for bulletproof online security. This is why BlueModus® is adopting a “Secure First” approach to how we develop and host websites.
The most basic form of security on the web is Transport Layer Security (TLS). To a visitor, TLS is nothing more than https:// instead of http:// in the web address and the little padlock icon in your status bar. TLS uses encryption to make sure that traffic between your computer and the website you’re visiting cannot be read or tampered with by a third party (the Bad Guys). TLS also uses signed certificates so that companies can prove who they are. These certificates are signed by global Certificate Authorities such as Comodo, GlobalSign and DigiCert.
The current industry standard for implementing TLS encryption is to only implement it in parts of the site that need to be protected. This would include payment forms, anywhere passwords are entered, and other private areas of the site. In many cases, even logins to the CMS aren’t encrypted, since the CMS itself doesn’t store any sensitive information. In other words, insecurity is the standard, and TLS encryption is the exception.
Our Secure First method takes the opposite approach. TLS encryption is implemented site-wide, and disabled selectively where necessary.
The obvious benefit of this approach is that configuration is simplified (everything is encrypted!), and there is far less opportunity for something important to be overlooked that might put your site or your customers at risk.
In the past, this wasn’t practical, since every TLS-encrypted connection requires slightly more computing power than an unencrypted one. But as computing power has vastly increased, this is no longer a concern: with a modern server, TLS adds a mere 1% overhead to the connection.
BlueModus is certainly not the first to consider the need for site-wide security. Google, Facebook and other premier Internet properties have already adopted this approach. Furthermore, Google will be increasing the search ranking of sites that always serve content under TLS encryption, since it is far less likely that scam sites would be so concerned with security.
Site-wide TLS encryption may be impractical in some instances. A site may be forced to use standard http:// if it relies on ad networks, CDNs or other third-party integrations that cannot serve their content over TLS. But as the industry is trending to a Secure First model, the number of exceptions is dropping dramatically.
If your site isn’t currently built Secure First, getting there is as simple as adding an inexpensive certificate to your web server and performing an audit of your website to ensure all content can be delivered over TLS. With a Secure First site in place, you and your site visitors will sleep just a little easier, knowing that you’re making their security interests a top priority.
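The audit step above can start with a static scan of each page for resources that would still load over plain http:// once the page itself is served over https://. The following is an added example, not BlueModus code: the tag/attribute table is an assumption covering common cases rather than a complete list, and the sample page and its host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) -> kind of request the browser makes for it.
# Active content can rewrite the page; passive content is only displayed.
LOADS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("link", "href"): "active", ("object", "data"): "active",
         ("embed", "src"): "active", ("img", "src"): "passive",
         ("audio", "src"): "passive", ("video", "src"): "passive",
         ("source", "src"): "passive", ("form", "action"): "form-post"}

class MixedContentAudit(HTMLParser):
    """Collect what an https:// page would load or submit over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches for some rel values; skip e.g. rel=canonical.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            kind = LOADS.get((tag, name))
            # Relative and protocol-relative (//host/x) URLs inherit https.
            if kind and value and urlparse(value.strip()).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], kind, tag, value.strip()))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://ads.example.net/tag.js"></script>
</head><body>
<img src="http://cdn.example.org/logo.png">
<img src="//cdn.example.org/banner.png">
<a href="http://partner.example.com/">Partner</a>
<form action="http://www.example.com/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in audit(SAMPLE):
        print(f"line {line}: {kind:9} <{tag}> {url}")
```

Ordinary links (`<a href>`) are not flagged because they navigate away rather than load content into the page. Resources injected by scripts at run time are not visible to a static scan and need a browser-based check.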
Founded in 2001, BlueModus is a digital technology agency that has developed and integrated hundreds of dynamic, interactive applications for our global clients and agency partners, including: Bacardi Global Brands, Cisco Systems, Gap, Aon Hewitt, McKesson, Bayer Healthcare, Shire, Astellas and many others. Typically partnering with digital marketing teams and creative design agencies, BlueModus creates and supports robust Web applications and digital marketing initiatives.