With the recent Heartbleed vulnerability scare, developers must be more cautious than ever about maintaining strong website security. We offer three tips for improving the security of your Sitecore implementation:
When deploying a Sitecore solution into an environment for the first time, security teams rightfully want to understand how they can minimize the risk of a security breach. Starting with the Security Hardening Guide will reduce the attack surface of the Sitecore application, but here are several other practices you may wish to consider:
Audit Sitecore users
If your content authors log in through your Active Directory, existing retention and auditing policies will likely already catch employees and contractors who have left the organization, but what about user accounts created directly in Sitecore? Setting up a monthly or quarterly review of those accounts – at least the ones that have been granted elevated admin rights – would be a good place to start.
Encrypt data in transit
Sitecore is a web application, and as such you should use SSL/HTTPS wherever possible to reduce the chance of sensitive data being intercepted, both in the content authoring environment and in any communication between Sitecore and its points of integration. If planned for from day one, SSL-encrypted web services are no burden to the development team, but they greatly improve the security characteristics of the application. You might also consider encrypting the connection to the SQL Server backend.
Tip: If your load balancer or firewall supports SSL offloading, take advantage of this feature to minimize the performance impact of SSL encryption/decryption on IIS. If you are not familiar with SSL offloading, check out this post.
Tip: If you need HTTPS on some (but not all) of your website’s pages, you might also want to consider the SSL Redirector module on the Sitecore marketplace. It allows content items to be served over HTTPS by adding the module’s template to the templates of the items you wish to be encrypted.
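To show what the two tips above look like in practice, here is an added configuration example (not from the original post or from Sitecore’s own documentation). It assumes the IIS URL Rewrite module is installed, that the load balancer sets the X-Forwarded-Proto header when it offloads SSL, and that the load balancer strips any copy of that header a client sends; server names are placeholders.

```xml
<!-- web.config: force HTTPS, but do not loop behind an SSL-offloading load balancer -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Redirect to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <!-- IIS itself did not receive the request over TLS ... -->
          <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          <!-- ... and the offloader did not tell us the client connection was TLS.
               Only trust this header if the load balancer overwrites client-supplied values. -->
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" ignoreCase="true" negate="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
  <httpProtocol>
    <customHeaders>
      <!-- Tell browsers to use HTTPS for a year; browsers ignore this header on plain HTTP responses -->
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

<!-- App_Config/ConnectionStrings.config: encrypt traffic to SQL Server.
     Weak (unencrypted) form, as typically shipped: -->
<connectionStrings>
  <add name="core" connectionString="user id=sc_user;password=PLACEHOLDER;Data Source=sql.example.internal;Database=Sitecore_Core" />
</connectionStrings>

<!-- Hardened form: Encrypt=True turns on TLS, TrustServerCertificate=False makes the client
     validate the SQL Server certificate against the IIS host's trusted roots -->
<connectionStrings>
  <add name="core" connectionString="user id=sc_user;password=PLACEHOLDER;Data Source=sql.example.internal;Database=Sitecore_Core;Encrypt=True;TrustServerCertificate=False" />
</connectionStrings>
```

Apply the same Encrypt/TrustServerCertificate settings to the master and web connection strings, and install a certificate on SQL Server that the IIS host trusts first, otherwise the hardened connection will fail to open rather than silently fall back to plaintext.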
Review your code
An application is only as secure as its code. When developing your solution, take advantage of the security rules built into Visual Studio Code Analysis and consider other tools such as ReSharper. While automated tools are great, there is still no substitute for peer code review and security and vulnerability testing.
Do you have any tips for ensuring that your Sitecore implementations are secure?