How does Umbraco’s security stack up?

30 September 2021

Having a secure website is critical for both your customers and your organisation. Cyber security attacks are more and more common. This year 1350 cyber security incidents were recorded by CERT NZ between April and June alone, equating to $3.9 million in financial loss.

While the thought of cyber-attacks is scary, the good news is that prevention is the key. There are many easy steps you can take to reduce the risk to your website, and using Umbraco CMS is one of them.

Umbraco’s security standards

Umbraco is built on Microsoft .NET technology which means it benefits from a range of .NET security features not always inherent in PHP-based CMS systems like WordPress.

Umbraco’s security features:

  • Automated security updates (Umbraco Cloud)

  • Automated HTTPS certificate (Umbraco Cloud & Azure)

  • Hashed passwords

  • Support for HTTPS

  • Support for OAuth login system

  • Possible to set up password rules

  • Possible to implement two-factor authentication

  • Default log-out of back office due to inactivity

  • Built-in security health-check

As well as doing regular internal testing, Umbraco HQ has an external security company doing thorough penetration testing of Umbraco CMS to detect possible risks. Once identified, Umbraco HQ remedies these and pushes out security patches and updates to the wider Umbraco community. These protection measures include those outlined in the OWASP Top Ten.

What about OWASP?

The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the security of software. It is an international collaboration between individuals and corporations that aims to standardise approaches to security and share knowledge.

The OWASP Top Ten are globally recognised as the first step in securing your website or application – all of which can be met by using Umbraco. The top 10 web application security risks* are:

  1. Injection

  2. Broken authentication

  3. Sensitive data exposure

  4. XML External Entities (XXE)

  5. Broken access control

  6. Security misconfiguration

  7. Cross-site scripting (XSS)

  8. Insecure deserialisation

  9. Using components with known vulnerabilities

  10. Insufficient logging and monitoring

If your website or application is built on Umbraco you can rest assured that the technologies of Umbraco CMS, the oversight of Umbraco HQ and wider Umbraco community, and the experienced team of developers here at Effect have got your back when it comes to web security.