We recently blogged about secure domains and how to assess whether or not your web project requires one. This article will give you tips on how to choose a marketing agency that will be able to provide you with a business environment that is truly secure. It is really important to evaluate and choose your team wisely; realizing your team could be a liability when the project has already started can be costly and risky.

All web development is not created equally

When choosing the team that will develop your web presence, cost should not be the primary factor. Spending what is necessary at an early stage can help you save in the long run. Likewise, web development and web security should not be an afterthought.

Here are a few things to look for in your web design or marketing vendor:

  1. They should be highly experienced at producing quality and secure code. This is a professional’s job and amateurs shouldn’t be trusted with such a crucial part of the project.
  2. They should be familiar with the most common exploits – a bug or glitch in your system that hackers use to their advantage to invade your domain – used to gain unauthorized access to your data.
  3. They should be familiar with code auditing tools. In the case that the code fails the audit, they should be able to understand why and fix the issue quickly.
  4. They should be familiar with passing audits of their hosting infrastructure. For this, your team should have total control over the infrastructure, or at least, a good relationship with the hosting provider.
  5. They should be accountable for issues that are raised under future audits. Indeed, new exploits are discovered on a continuing basis and no code is 100% protected. For this reasons, you need a solid ongoing relationship with your vendor. You also need to be sure that if a new exploit is found during a future audit, your vendor will be aware of it and be able to address the issues immediately.

Tips for choosing the right marketing team for your secure web development project

  1. Third-party auditor. If you do not have one, hire one; you should not rely solely on your marketing agency for your security audit. The auditor should scan the site as often as possible during the pre-deployment phase.
  2. Investigate common exploits and ask your vendor how they plan to defend against them. They should know what SQL Injections are and be familiar with Cross Site Scripting. A good question to ask the team is how they would prevent common exploits from being introduced in your site’s code. If they do not have a well-reasoned answer, we advise you to look elsewhere.
  3. The team’s experience. They should have been developing web software for quite a while and be familiar with security audits. If you give your prospective web team an example report from an auditing company, they should understand how to solve the issues raised by the audit and apply it to your business or domain.
  4. The hosting environment. If it is not hosted in-house, a good relationship with the hosting provider is essential.  It should preferably be hosted on a machine dedicated to your domain that host no other client and that isn’t being used to develop code. It is also preferable that your team has complete control over the machine and that they personally administer it. Ask where the server environment is located, what operating system is in place and what applications will be running your code. Finally, it is also important to know how often the server is patched, what firewall is in place, and how it’s managed.
  5. Ask if the web team is dedicated to your project. According to who you’re dealing with, the web team and marketing vendor can be in the same agency, but it may happen that the web team is outsourced on a project by project basis. This is very common especially if you’re working with a traditional marketing agency. If this is the case, you do not want to wait to find out if they will work well together, it is better to pick teams that have already collaborated on web projects. Keep in mind that advertising agencies outsourcing web development may pose a problem when it comes to accountability. Having a web team that is an employee of the firm makes it easier to build a trusting relationship with the developer, and improves turnaround on addressing issues, especially those that may arise after the site is in production.
  6. Direct access to website developers. Developer access is essential to quickly diagnose problems that need immediate attention. Therefore, domain security experts and auditors for your business need to be able to access the developers to discuss the issues that have presented themselves.
  7. Talk about the future. It is recommended that you have agreements with your vendor for support after the website is live, and make sure both you and the vendor are comfortable with the ongoing arrangement before work begins.