Interview With PineDev Co-Founders Sergii Savchenko & Ivan Samokhin

Shauli Zacks

SafetyDetectives spoke with Sergii Savchenko & Ivan Samokhin, the co-founders of PineDev, to discuss how they started the company, the cybersecurity methods they use to secure a client’s website, their preferred CMS, tips on what to do if your website is hacked, and more.

Hi Ivan and Sergii, can you talk about your background and your journey to becoming the co-founders of PineDev Studio?

Sergii: Thanks, with great pleasure! This journey started back in the autumn of 2014. I had just graduated from university with a Master’s degree in Computer Science. At that point, I had already been actively freelancing for about 3 years. So I had some experience, a bit of a portfolio, and a number of active clients who started overwhelming me with an amount of work that I couldn’t handle myself. Not that I was a lazy person – during university I handled both studying and working 30-40 hrs per week. Which left me with little time to sleep, though.

Ivan: We had been friends since high school, and I had just graduated from college in a similar field. I had one local client of my own, but I also knew Sergii sometimes had more work than free time. So I thought – why not help us both?

Sergii: Yeah, so on one of the rare occasions when I had a chance to meet with him, he seeded an idea in my mind that would solve my overtime problem (but, of course, would also solve his need to find clients, you know). Over the course of a few more beers we sketched a rough plan of action, and the next week we were looking for an office.

Ivan: We started really small, as a group of freelancers. All of us were coding, aside from any management and sales work. Having a degree gave us a lot of false overconfidence, so we worked with almost any kind of technology that we could get our hands on. It was a rough start, but it gave us the priceless experience of solving problems from the ground up.

Sergii: Did it solve my sleepless nights problem? Of course not. Was it a lot of fun? Hell yes! We learned almost every piece of business management routine the hard way, including the minimal safety and security measures that everybody should take. Still, I value this experience much more than what I’ve gained from reading books. This is the kind of understanding that carves itself into your memory because you know the downsides of a possible outcome.

I see you both have a CEO title – is there a reason for it?

Sergii: Well, yes. As Ivan mentioned, we were covering several positions at once when we started. There was a much bigger “executive” part to our job than one could handle without specific education (remember, we are former developers, not managers). And somehow it turned out that the activities were separated organically between us – based on our background and mood.

Ivan: Yup, having the right mood for the task is very important. We’ve switched roles from time to time; it also helps to have a fresh look at things. The wonderful thing is that we’ve never had an issue finding a consensus. I think we both value that a lot.

Sergii: Definitely! So this is how we both became CEO, and so it stays.

What are some of the main services that PineDev offers?

For over four years now, we have been focusing on a particular list of services. Narrowing it down was another valuable lesson to learn, by the way.

We provide web design services (strictly in Figma, our primary tool) and web development services in WordPress, Laravel, Vue.js, and Node.js. WordPress is a great tool for small to medium-sized projects, and the latter three are used for more complex projects.

How do you secure the web apps and websites you develop to prevent hackers from stealing customer data?

First and foremost, you should look at where you put your websites. Selecting a trustworthy partner/provider for handling the part of the job that you don’t do is very important. It’s important to be sure that the hosting or server provider has their security level up to current standards. Otherwise, no other security measures would matter.

Also, it’s important to use secure payment providers and never store clients’ payment data. It should be understood that securing payment data is a task that could hardly be handled not only by small to medium businesses but also by most of the bigger companies. The precaution of removing the temptation to steal data is something that people usually underestimate.

On our side, we secure the data by using SSL/TLS encryption, enforcing password rules for any kind of account (server-side and user-side), ensuring regular changes of passwords, using proper random salts for hashing algorithms, closing any unused routes, changing default authentication routes to custom ones, properly using security tokens for data submission, applying all critical software patches as soon as they are available, etc. The goal is to get the maximum use of the security reinforcements provided by the creators of the technology and to minimize the number of access points that are provided out-of-the-box and thus known to potential attackers.

Having regular backups of the website is also very important. Ideally, these backups should be done on a server level and stored elsewhere to eliminate the possibility of somebody interfering with them through the website itself. Remember, the costs of not having a backup when you need it are much higher than paying a small extra for enabling a backup service.

When it comes to developing websites, which is more secure a custom-built site, or one using a CMS like WordPress or Drupal? And do you have a preference that you recommend to your clients?

We develop both custom-built sites (based on the Laravel framework) and CMS-based websites, so we are aware of both cases. In a vacuum, both kinds of websites could be made almost identically secure. In a real-world situation, CMS-based websites have a tempting option of installing plugins for any small feature you might want. This makes them vulnerable to situations where site owners install an unverified plugin right on their website. In a lot of cases, the human factor is the most dangerous and insecure part of the system.

This is why it’s always better to have fewer options that allow code customization right within the UI. For example, in Laravel-based websites, users would have only those UI options that are specifically developed for the project. This ensures full control over the security level for these inputs. For WordPress, this can be improved by using the Bedrock boilerplate, which limits the administrative actions available in the UI and also changes the project structure for better security.

What can a business owner do if their site or app is hacked? How can they regain control and secure their data?

The first thing to do is very well described in the Hitchhiker’s Guide to the Galaxy – DON’T PANIC. One should never satisfy the demands of the hackers if any are provided. In most cases, paying money to hackers will not help you regain control of the website or data. Better invest this money in someone with technical skills to help.

The next step to take is to ask the hosting provider whether they can help with restoring access to the website. If they can’t, then you need to proceed on your own (or with the help of a tech specialist). The particular set of actions might differ depending on what kind of hacking was done, but there is a generalized list of actions to take:

  • If you’ve used your computer to regularly update the code of the website – run an antivirus scan of the computer first.
  • Update all the passwords related to the website: hosting account passwords, FTP passwords, database passwords, etc. Update every password that seems related – there is never “too much” paranoia about passwords. Don’t store these new passwords in your password manager (at least for now). It might be corrupted as well.
  • Make a backup of the website in its current state (for investigation purposes) and store it somewhere safe. It shouldn’t be executable or accessible from the public web.
  • Find the oldest backup of the website that still makes sense in terms of content. If you have an e-commerce website – don’t worry about lost order data at the moment; you need to restore the website to an operational state.
  • Restore the backup and update all the admin account passwords.

Hopefully, at the end of the list, you should have an operational website. The next step would be to apply all the security patches that you’ve missed and to have someone look at the hacked version of the website. The goal is to find the malicious code and verify that this code doesn’t exist in your freshly restored backup. Any actions with hacked code must be done in a controlled environment that is not connected to the web.

You can try manually extracting parts of the data from a hacked version to restore it over the older backup that you are running. But this should be done with great caution by someone who understands which pieces of data might be hiding harmful code.

You must find the thing that allowed hackers to gain control of your website. Otherwise, you can’t be sure it will not happen again.

After control is regained and the security breach is fixed, you need to send a shout-out to the users of your website about the incident. It’s always better to be the person who tells your customers that the security breach happened and was fixed, rather than leaving it to somebody on the web to figure it out on their own and make a scandal.
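As an added illustration of the “find the malicious code and verify it is absent from the restored backup” step (this is example code, not the interviewees’ own tooling), the script below compares a quarantined copy of the hacked site with the clean backup being restored: every file added or modified in the hacked snapshot is a lead for the investigation, and code files sitting under a content-only directory are flagged separately. The WordPress-style paths and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample trees: a clean backup and the same site after a compromise.
# The injected file content is a neutral stand-in, not real malicious code.
CLEAN_FILES = {
    "index.php": "<?php require 'wp-blog-header.php';",
    "wp-config.php": "<?php define('DB_NAME', 'shop');",
    "wp-content/uploads/2023/banner.jpg": "JPEGDATA",
}
HACKED_FILES = {
    "index.php": "<?php require 'wp-blog-header.php';",
    "wp-config.php": "<?php define('DB_NAME', 'shop'); include 'wp-content/uploads/2023/.cache.php';",
    "wp-content/uploads/2023/banner.jpg": "JPEGDATA",
    "wp-content/uploads/2023/.cache.php": "<?php /* constructed stand-in for injected code */",
}

CODE_SUFFIXES = {".php", ".phtml", ".phar"}          # executable on a typical PHP host
CONTENT_ONLY_DIRS = ("wp-content/uploads/",)        # should never hold server-side code


def write_tree(root: Path, files: dict) -> None:
    """Materialize a {relative_path: content} mapping under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_snapshots(clean_root: Path, hacked_root: Path) -> dict:
    """Diff the hacked snapshot against the clean backup and flag code in content dirs."""
    clean, hacked = hash_tree(clean_root), hash_tree(hacked_root)
    return {
        "added": sorted(set(hacked) - set(clean)),
        "removed": sorted(set(clean) - set(hacked)),
        "modified": sorted(p for p in clean.keys() & hacked.keys() if clean[p] != hacked[p]),
        "code_in_content_dirs": sorted(
            p for p in hacked
            if Path(p).suffix in CODE_SUFFIXES and p.startswith(CONTENT_ONLY_DIRS)
        ),
    }


def demo() -> dict:
    """Build the constructed trees in a temporary directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, hacked_root = Path(tmp, "clean_backup"), Path(tmp, "hacked_snapshot")
        write_tree(clean_root, CLEAN_FILES)
        write_tree(hacked_root, HACKED_FILES)
        return compare_snapshots(clean_root, hacked_root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run it against the real directories by pointing compare_snapshots at the restored backup and the quarantined copy; the comparison only reads bytes, so the hacked files are never executed.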

What are the three most important things you need to know about a client when you start designing and developing their websites and apps?

The three most important things we need to know about the client at the very beginning are:

  1. They have a clear understanding of the goal they want to achieve.
  2. They are ready to trust us to do our part of the job.
  3. They are ready to do what is good for achieving their goal, no matter if it satisfies their vision of getting to this goal or not.

About the Author


Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.