
Strong security doesn’t happen by accident

The security of your website is just about the most important issue you will encounter on your project, yet it is also frequently the one given the least attention, and the least understood.

There is a well-known psychological theory by Abraham Maslow which organises a series of human needs into a pyramid, starting with the most basic yet necessary (such as air, food and water) and finishing with the more desirable, yet less necessary for survival (for example, self-actualisation). A similar pyramid might exist for any digital project, starting with reliable, solid hosting: nothing else matters if your site isn't online.

At the second level in that pyramid you’d probably find Security. After simply being “on”, a digital property needs to ensure the information it contains is secure and safe from attack. For this reason, Komodo Canvas has a significant number of security improvements over standard Drupal that make it much less likely to suffer an outage due to a security incident.

One of the most common compromises is a simple account hack. This usually happens when a user with a known or easily guessable username also has an easily recovered password. That may be because a leaked copy of the password hash was unsalted and could be reversed with a rainbow table, or simply because the password is dead easy to guess (e.g. "password" or "abc123").

One way of reducing the risk of this kind of attack is to use Flood Control to limit the number of times a password guess can fail before the account or IP address is blocked. We limit the number of failed login attempts per user to five every 24 hours, and we also block a host after 50 failed attempts. Some organisations may want to tighten these restrictions or add new ones, and these are easy to configure through the user interface. Bear in mind that lockouts cut both ways: an attacker who knows a username can deliberately trip the per-user limit to lock the real user out, and a per-IP block can catch many legitimate users sitting behind one shared office address, so tune the thresholds with that in mind.
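To make the interplay of the two limits concrete, here is an added example (not code from Komodo Canvas or from Drupal) of a sliding-window flood control in Python, using the thresholds from the paragraph above. The one-hour IP window, the `uid_only` switch (count per user only, or per user-and-IP pair) and the sample attack sequences are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Thresholds from the post: 5 failures per user per 24 hours, 50 per host.
# The post gives no window for the host limit; one hour is an assumption.
USER_LIMIT, USER_WINDOW = 5, 24 * 3600
IP_LIMIT, IP_WINDOW = 50, 3600


class FloodControl:
    """Sliding-window failed-login counters, keyed per IP and per user.

    With uid_only=False the per-user key is (user, ip): an attacker hammering
    a known username from their own address does not lock the real user out
    when that user signs in from elsewhere. With uid_only=True the key is the
    username alone, which is stricter but hands the attacker a way to deny
    service to any account whose name they know. (Assumed design, not a
    description of any particular product's implementation.)
    """

    def __init__(self, uid_only=False):
        self.uid_only = uid_only
        self.events = defaultdict(deque)  # key -> timestamps of failures

    def _count(self, key, window, now):
        q = self.events[key]
        while q and now - q[0] >= window:  # drop entries older than the window
            q.popleft()
        return len(q)

    def _user_key(self, user, ip):
        return ("user", user) if self.uid_only else ("user", user, ip)

    def is_allowed(self, user, ip, now):
        """True unless either the host or the account has hit its limit."""
        if self._count(("ip", ip), IP_WINDOW, now) >= IP_LIMIT:
            return False
        if self._count(self._user_key(user, ip), USER_WINDOW, now) >= USER_LIMIT:
            return False
        return True

    def register_failure(self, user, ip, now):
        self.events[("ip", ip)].append(now)
        self.events[self._user_key(user, ip)].append(now)

    def clear_user(self, user, ip):
        """Forget an account's failures once it logs in successfully."""
        self.events.pop(self._user_key(user, ip), None)


def simulate(attempts, uid_only=False):
    """Replay constructed login attempts (time, user, ip, password_correct)
    and return the outcome of each: 'ok', 'fail' or 'blocked'."""
    fc = FloodControl(uid_only)
    outcomes = []
    for now, user, ip, correct in attempts:
        if not fc.is_allowed(user, ip, now):
            outcomes.append("blocked")  # a blocked attempt is not counted again
            continue
        if correct:
            fc.clear_user(user, ip)
            outcomes.append("ok")
        else:
            fc.register_failure(user, ip, now)
            outcomes.append("fail")
    return outcomes


# Constructed scenario: an attacker at 203.0.113.5 guesses "admin" six times,
# then the real admin signs in from 198.51.100.7 with the right password.
ATTACK = [(t, "admin", "203.0.113.5", False) for t in range(6)]
LEGIT = [(10, "admin", "198.51.100.7", True)]

if __name__ == "__main__":
    print("per user+ip:", simulate(ATTACK + LEGIT))
    print("per user only:", simulate(ATTACK + LEGIT, uid_only=True))
```

With the per-user-and-IP key the sixth guess is blocked and the legitimate login still succeeds; with the user-only key the attacker's five failures also lock out the real admin, which is exactly the denial-of-service trade-off to weigh when tightening the limits.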

The other principal control is the use of password complexity rules to ensure that simple passwords don't exist in the first place. We add a rule that requires all passwords to have a base level of complexity and to expire after 90 days. This is sufficient for the majority of sites; should you have stricter rules in your organisation, or different rules for different user groups, then this is simple to set up as well. (Forced periodic expiry is increasingly questioned: NIST SP 800-63B now advises against routine rotation unless there is evidence of compromise, so weigh that against your own policy.)
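The following is an added example, not Komodo Canvas's own rule set, of the kind of check such a policy performs: a complexity validator with a deny list of the weak passwords mentioned above, plus the 90-day expiry test. The minimum length of 12, the three-of-four character-class rule, the username check and the deny-list entries are assumptions chosen for the example.

```python
import re
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)   # expiry period from the post
MIN_LENGTH = 12                # assumption: the post states no length
# Constructed deny list; a real deployment would use a large breached-password set.
COMMON = {"password", "abc123", "123456", "qwerty", "letmein"}
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_complexity(password, username=None):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(c, password)) for c in CLASSES) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if username and username.lower() in lower:
        problems.append("contains the username")
    # Strip trailing digits/symbols so "Password123!" is still caught as "password".
    base = re.sub(r"[\d\W_]+$", "", lower)
    if lower in COMMON or base in COMMON:
        problems.append("is on the common-password deny list")
    return problems


def is_expired(changed_on, today):
    """True once a password set on `changed_on` is MAX_AGE or more days old."""
    return today - changed_on >= MAX_AGE


if __name__ == "__main__":
    for pw in ("abc123", "Password123!", "Correct-Horse-Battery-9"):
        print(pw, "->", check_complexity(pw) or "ok")
    print(is_expired(date(2024, 1, 1), date(2024, 3, 31)))
```

Note that "Password123!" satisfies every character-class rule yet is rejected by the deny list: class counting alone is a weak proxy for strength, so the deny list is the part of the policy that does the real work.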

These are just some of the many ways in which Komodo Canvas provides defence-in-depth against common security issues.

If you'd like to know more about how Canvas protects your data, please get in touch.