
Where content meets technology

Jul 07, 2025

Joel Test for Cybersecurity

Not long ago I was musing with a colleague that there should be a simple "Joel Test" style benchmark for corporate cybersecurity teams. For those who are not familiar with the Joel Test, it is a list of 12 yes/no questions that all software development teams should be able to answer "yes" to. My colleague said that cybersecurity is too specialized and domain-specific for a general list of requirements. Yes, I know that there are frameworks like NIST CSF and ISO/IEC 27001, but those are elaborate and complicated. Today I got the idea to ask Claude AI for a Joel-style test for cybersecurity, and I think that it came up with a great list of baseline practices that all teams should comply with. Here it is.

Looking at the Joel Test's principles, I can create a cyber security analog that captures the same spirit - simple yes/no questions that indicate fundamental health of a security program. Here's my "Cyber Security Team Test":

The Cyber Security Team Test

  1. Do you have comprehensive asset inventory? Can you answer "what systems do we have and where are they?" in under 5 minutes? Without knowing what you're protecting, you can't protect it effectively.

  2. Do you monitor and log security events in real-time? Are security logs being collected, analyzed, and alerting on suspicious activity 24/7? If an incident happens, you need to know about it immediately, not weeks later.

  3. Do you have an incident response plan that's actually practiced? Not just a document in a drawer - does your team regularly drill incident response scenarios? When something bad happens, muscle memory saves critical time.

  4. Do you patch critical vulnerabilities within 72 hours? Are you staying ahead of known exploits with a disciplined patching process? The window between disclosure and exploitation keeps shrinking.

  5. Do you require multi-factor authentication for all privileged access? Are admin accounts and sensitive systems protected beyond just passwords? This is your last line of defense when credentials are compromised.

  6. Do you have automated security scanning integrated into development? Are you catching vulnerabilities before they hit production? Security testing should be built into the pipeline, not bolted on afterward.

  7. Do you maintain an up-to-date threat model? Do you know what attacks you're most likely to face and have you designed defenses accordingly? Generic security is weak security.

  8. Do you have network segmentation and access controls? Can an attacker move laterally through your entire environment once they're in? Assume breach and limit blast radius.

  9. Do you perform regular security awareness training? Are your users your strongest or weakest link? Human error remains the top attack vector - train accordingly.

  10. Do you have offline, tested backups? Can you recover from ransomware or catastrophic failure? Your backup strategy is your ultimate safety net.

  11. Do you conduct regular penetration testing? Are you validating your defenses against real-world attack techniques? Testing assumptions is crucial.

  12. Do you have security requirements integrated into procurement? Are new tools and services evaluated for security impact before deployment? Security can't be an afterthought in vendor selection.

Like the Joel Test, this gives you a quick health check. A score of 12 is excellent, 10-11 is good, 8-9 needs improvement, and below 8 indicates serious gaps that need immediate attention.

The key insight from Joel's original test applies here too: these aren't the only factors that matter, but getting these fundamentals right creates a foundation for effective security operations. A team that scores well on these basics will be much better positioned to handle sophisticated threats than one that doesn't.

Apr 01, 2015

Does the average user prefer multi-factor authentication to expiring passwords?

I was doing some anecdotal research about password security preferences and I was surprised to find that most of the people I talked to favored two-factor authentication (using Google Authenticator) over expiring passwords. My survey pool consisted of project managers who I think are pretty typical enterprise software users. Around half of them had not seen two-factor authentication until I showed it to them. The general attitude was that anything is better than expiring passwords — an opinion that I agree with.

Are my colleagues unusually geeky or is this a trend that other people are seeing as well? If you have experience, research, or intuition around this, I would love to hear from you. @reply me on Twitter: @sggottlieb if you have something to say.

Sep 05, 2014

Is Wordpress the Microsoft Windows of Web Content Management?

We run our corporate marketing sites on Wordpress. It's not the perfect web content management system for us but, as long as we keep things simple, it does the job reasonably well. When we want to do something that Wordpress doesn't comfortably handle, we tend to use an alternative platform such as Marketo or UnBounce, or we develop static web pages.

Wordpress is great, but one thing to consider when using it is that you make yourself a target for all sorts of hacker attacks. When planning server capacity, we need to accept that a lot of our traffic comes from bots trying to break into WP Admin. There are three things about Wordpress that contribute to this.

  1. Wordpress is by far the most commonly used web content management system. According to BuiltWith, 47.90% of CMS powered websites run on WordPress. The second most commonly used CMS is Drupal with 13.10%. Now I know that those statistics are not perfect, but it is clear that Wordpress is head and shoulders above the competition when it comes to CMS adoption.

  2. Wordpress is incredibly easy to identify. If you look at the source of any Wordpress generated page, Wordpress's signature is impossible to miss. Moreover, Wordpress makes it really hard to hide these tells even if you wanted to.

  3. Wordpress is the "go-to" platform for people who know nothing about web development or security. While there are plenty of savvy WordPress developers out there, the majority of WordPress sites were built by people with no clue about security and operated by companies with limited technical know-how. Many of these sites were insecure from day one and only got worse as patching and other maintenance practices were neglected.

Put these three facts together and it is obvious why WordPress is the most attractive platform for hackers and botnets to attack. If you are a malicious hacker and want to get the most out of your efforts, you go after the biggest and most vulnerable target. And in that way, WordPress is a lot like Windows. Windows is everywhere because it is the go-to OS for people who just want a computer at a reasonable price. If you walk into a Best Buy, Staples, or Costco to buy a computer, you will walk out with a Windows PC unless you have something else in mind. The majority of these computer shoppers know very little about managing their computers. These users will not keep their software up to date and will accept any dialog. Most of us have spent countless holiday hours removing adware, browser toolbars, and viruses from these computers.

Just to be clear: Wordpress and Windows are not inherently insecure. With conscientious maintenance, both of these platforms can be as safe to use as the alternatives. It is a sign of success for both Windows and Wordpress that they have earned the distinction of being prime targets for hackers. It is also a great opportunity for external software companies to market services to secure these platforms. The Windows security software market is already large and mature. The number of Wordpress security options is growing fast.

So my advice to everyone is to keep on using Wordpress if it meets your requirements. But accept that your site will be a target for hackers and plan for security. Work with Wordpress specialists (not designers who happen to know a little about Wordpress theming). Follow all the advice in the "Hardening Wordpress" page. Look into third-party services that help protect your site. Be safe.

Mar 25, 2007

Good Article on Web Application Security Vulnerabilities

The PHP programming language has historically gotten a bad rap in the area of security. While the language itself has had some vulnerabilities, three other aspects have (in my opinion) played a larger role:

  • PHP is an easy language to learn, so there are a lot of unsophisticated beginners with no awareness of security holes writing web applications in it.

  • The rise of PHP coincided with a rise in community content applications (bulletin boards, blogs, Nukes) where external, untrusted users could insert their own content with potentially malicious payloads.

  • The PHP programming community was a little late in adopting web application frameworks. Good frameworks provide the plumbing for a web application and take care of security holes so that the custom code that developers write doesn't have to worry as much about known hacker exploits.

Two of these three factors are rapidly changing. The PHP development community is getting more sophisticated from a technology perspective, and frameworks are getting better and becoming more commonly used.

I am seeing more and more articles concerning security on PHP developer websites and magazines. For example, there is a really good article on the None site about Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). It goes over how a hacker can inject malicious code into your site and how to protect yourself against these attacks. Here is a hint... never trust anything that a user enters. For more reading, check out Rob Miller's None.

If you have been holding back on using a framework, I would reconsider. Most of the PHP frameworks have filter components (The Zend Framework has their None. None has a User Input component) that disarm potentially hazardous user input. Tapping into the collective intelligence about security can free your own mind to build better, more effective web applications.
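As an added illustration of the "never trust anything that a user enters" advice (example code written for this page, not taken from the linked article or from any framework), here is a minimal PHP CSRF token check alongside HTML output escaping. The $session array and the two sample POST payloads are constructed stand-ins for $_SESSION and real requests so the script runs from the command line.

```php
<?php
// Added example: CSRF token issue/verify plus XSS-safe output escaping.
// Assumes PHP 7+; $session stands in for $_SESSION so this runs from the CLI.
declare(strict_types=1);

// Issue a per-session CSRF token: stored server side, embedded in the form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the token a POST carried against the session copy.
// hash_equals() compares in constant time, so the token does not leak via timing.
function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Escape untrusted text before it lands inside HTML, so a comment such as
// <script>alert(1)</script> is displayed literally instead of executed.
function h(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo: render the form, then handle a forged and a legitimate POST.
$session = [];
$form = '<form method="post">'
      . '<input type="hidden" name="csrf_token" value="' . h(csrf_token($session)) . '">'
      . '<textarea name="comment"></textarea></form>';
echo $form, "\n";

$forged = ['comment' => 'hi', 'csrf_token' => 'guess'];       // cross-site POST: no valid token
$legit  = ['comment' => '<script>alert(1)</script>',
           'csrf_token' => $session['csrf_token']];            // same-site POST with the token

foreach ([$forged, $legit] as $post) {
    if (!csrf_valid($session, $post)) {
        echo "rejected: bad CSRF token\n";
        continue;
    }
    // Accepted: keep the raw value server side, escape at the point of output.
    echo '<p>' . h($post['comment']) . "</p>\n";
}
```

The forged request is refused before the comment is processed, and the accepted request's script tag is rendered as text rather than executed.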