Security: Learn to help yourself

In this industry there is a growing and needed focus on security. There is always the threat of viruses, spyware, worms and hacker attacks. Many people feel that the larger companies are more vulnerable to attacks than small businesses. In truth, however, it’s often the other way around.

As a hosting company we do what we can to mitigate network intrusions. We feel it is our responsibility to offer these services as part of our base products. I used to get a kick out of companies announcing that they were now offering SPAM protection on their mail servers. Wouldn’t you do that by default? That is why MaximumASP invests in its network security using intrusion prevention systems, enterprise firewalls and virus protection. We literally block hundreds of thousands of possible attacks every hour coming into our network.

Many people think that if these tools are in place they are safe from the possible threat of being hacked. These systems protect the network, but there is another side that many people do not think about or address: application security. It is important that people understand that the way an application is written must also be secure. We see many vulnerabilities at the application level.

It is impossible for MaximumASP as a hosting company to put up a hardware network device and protect against these types of attacks. The only way to prevent someone from taking advantage of these vulnerabilities is to correct the issues within the code itself.

Some developers are not aware of these risks. SQL or code injection, according to Wikipedia, is “a technique to introduce (or "inject") code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program.” The functionality most often bypassed is system security. Cross-site scripting attacks have most recently been used in phishing schemes.

Here are some tips to help you avoid the potentially disastrous effects of some of these attacks:

  1. Never trust any type of client side input. This includes form data (HTTP POST), parameters set within a URI (HTTP GET) and cookie information.
  2. Always filter all unneeded characters from all client side input. This is especially true for any type of special characters. The following are characters that should never be allowed to pass in any client side input:
    • | (pipe sign)
    • & (ampersand sign)
    • ; (semicolon sign)
    • $ (dollar sign)
    • % (percent sign)
    • @ (at sign)
    • ' (single apostrophe)
    • " (quotation mark)
    • \' (backslash-escaped apostrophe)
    • \" (backslash-escaped quotation mark)
    • < > (angle brackets)
    • () (parentheses)
    • + (plus sign)
    • CR (Carriage return, ASCII 0x0d)
    • LF (Line feed, ASCII 0x0a)
    • , (comma)
    • \ (backslash)
  3. Include the URL encoded value of all characters you are filtering. For example, the ' (single apostrophe) is equal to %27 when URL encoded, and the & (ampersand sign) is equal to %26 when URL encoded. The URL http://example.com/example.asp?test=test'or%201=1%20-- is the same request as its URL-encoded form http%3A%2F%2Fexample.com%2Fexample.asp%3Ftest%3Dtest%27or%25201%3D1%2520--
  4. If you are going to pass any authentication information from your client to server SSL must be used to protect your data.
  5. Session cookie values should be very long and random. If your session values are easily guessed it is possible for an attacker to guess the value and steal or alter a session.
  6. Authentication information should not be passed within a cookie. Cookies can be stolen from a client’s system and used to authenticate just like a username and password.
  7. Application Session cookies should expire on logout or after a short period of inactivity.
  8. Remove all developer notes from production code. Often developers leave comments and notes within code that could be of use to an attacker. This is fine during development of an application but before this code is viewable to the public these notes and comments should be removed.
  9. Enable custom error messages at your web server. Custom error pages allow you to remove the default error pages that could help an attacker learn how your system works.
  10. Always protect administrative or management URLs with authentication and SSL. Never rely on hard-to-guess or hidden files or directories to protect these pages.
  11. If authentication is required for a web application always require strong passwords and ensure these passwords are being stored on your system in a secure method.
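The following is an added example, not MaximumASP's code, showing how tips 1 through 3 and tips 4 through 7 fit together in an application that receives query-string, form or cookie values as strings. It assumes the page's own blocklist (tip 2) and shows why a filter must look at the fully decoded value (tip 3): a check on the raw text alone would pass %27 or the double-encoded %2527 while the server later decodes them to an apostrophe. The session helpers (`new_session_id`, `session_cookie_header`) are assumed names, not a framework API.

```python
"""Input filtering (tips 1-3) and session cookie hygiene (tips 4-7).
Added example; sample inputs below are constructed for illustration."""
import secrets
from urllib.parse import unquote

# Characters the post says should never be accepted from the client (tip 2).
FORBIDDEN_CHARS = set("|&;$%@'\"<>()+,\\\r\n")

# Bound repeated decoding so a long chain of %2525... cannot stall the filter.
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """URL-decode repeatedly until the value stops changing (tip 3).

    Because '%' is itself forbidden, anything still encoded after the
    last round is rejected anyway, so the bound does not open a bypass.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def find_forbidden(value: str) -> set:
    """Return the set of forbidden characters present after full decoding."""
    return {c for c in fully_decode(value) if c in FORBIDDEN_CHARS}


def is_safe_input(value: str) -> bool:
    """True only if no forbidden character survives decoding (tips 1 and 2)."""
    return not find_forbidden(value)


def new_session_id(nbytes: int = 32) -> str:
    """Tip 5: a long value from the OS CSPRNG; 32 bytes -> 43 URL-safe chars."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id: str, max_age_seconds: int = 900) -> str:
    """Tips 4, 6 and 7: SSL-only (Secure), not readable by script (HttpOnly),
    and a short lifetime so an idle session expires on its own."""
    return (f"Set-Cookie: session={session_id}; Max-Age={max_age_seconds}; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    # Constructed inputs: the page's raw and URL-encoded forms of one request.
    samples = [
        "test'or%201=1%20--",                # raw form from the post
        "test%27or%25201%3D1%2520--",        # URL-encoded form from the post
        "a%2527b",                           # double-encoded apostrophe
        "100%",                              # stray percent sign
        "hello world",                       # benign value
    ]
    for s in samples:
        verdict = "reject" if find_forbidden(s) else "accept"
        print(f"{verdict:7} {s!r:32} decoded={fully_decode(s)!r}")
    sid = new_session_id()
    print(session_cookie_header(sid))
```

Both forms of the page's example are rejected for the same reason (the apostrophe) once decoded. Note that a character blocklist like this also rejects legitimate values such as O'Brien, so it complements, rather than replaces, correcting the code that builds queries and pages from client input.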

Web application vulnerabilities like SQL injection, cross-site scripting and brute force attacks are the number one way we see customer accounts compromised on the MaximumASP network. If you follow the simple rules above when developing your web application, your chances of being compromised are greatly reduced.


New Public Site Launched

We spent the last few months redesigning our site to make our products and services easier to find and understand. Our new site provides two entry points for visitors, guiding them through the process of learning more, or taking them directly to a specific product of interest.

Please visit our new website at www.maximumasp.com today to learn how our services and new offerings can help you grow your business. Our website will continue to develop over time, incorporating your feedback and suggestions. It is our intention to provide our customers with the most valuable information and resource tools available. Please send feedback regarding the website to marketing@maximumasp.com


Bad Things Can Happen…Twice

So why would I be taking time to write a post about us having redundancy and it actually working right? Well, it's pretty simple really. In the hosting business, there have been several incidents over the years where all of the promised redundancies did not work as they should and customers were left offline for extended periods. Times where transformers blew up and there was no backup power source, generators sat with their diesel engines locked up due to no one test firing them on a regular schedule, or UPS systems that were overloaded and failed as other backup systems attempted to come online. Last week, it was very satisfying to watch all of the systems we tout here at MaximumASP work exactly as designed, and you the customer experienced absolutely no downtime.

On Thursday, June 14th, at approximately 12:15PM EST the utility supplier to Louisville, Kentucky experienced a significant transformer failure in a substation that is in the same grid as the MaximumASP data center. This failure forced other parts of the grid to attempt to carry the load of the failed section. This was too much for the remaining sections to handle and they began to cascade into a blackout condition. As this reached the MaximumASP data center, the UPS systems carried the full data center load as the power bucked 3 times in a 10-second span. As the UPS carried the load, the Automatic Transfer Switch (ATS) sensed the supply change and fired up the 2-megawatt generator. As the generator synchronized cycles with the existing electrical load, the ATS shifted power to the generator. We remained in this state for almost 1 full hour, until power was restored from the utility.

Less than 1 hour after power was restored by the utility, the transformer failed again. Like clockwork, the UPSs, ATS and generator engaged, and we switched the generator to manual mode, allowing us to run it continuously until we were confident that the problem had been completely rectified. We actually ran the unit until 6PM EST that evening making our own power, and allowing the diesel refueling trucks to come in and replenish the fuel tanks as the generator was running.

All is normalized now, but I thought that some of you might be interested in all that went on behind the scenes on Thursday as your servers, switches, SANs, and disk arrays hummed along without skipping a beat. It is certainly nice to see these complex support systems work as they were designed to, and hopefully this provides further reassurance that you made the right choice in selecting MaximumASP as your hosting provider.

Post in Business, and Network

New Look

Pardon our dust as we roll out a new look for the weblog and our public site

Post in Business

What is the Price Point for Quality?

From the desk of Wade Lewis:

Over the years hosting has gone through many changes, both in the types of services offered and the relative price points for each level of service. Remember when dedicated boxes started at $400 per month, and bandwidth pushed $500+ per Mbps? In those days, the gap between shared and dedicated could be a wide one, and without stepping stones like Virtuozzo, VMWare, and Virtual Server to form an intermediate step both in price and management toolset, many users were hesitant to make the jump.

Fast forward to the present and look at where things stand. Dedicated servers have dropped in price to less than where high-end shared platforms used to be, VPS plans using virtualization technologies from any number of vendors are now often priced where mid-level shared accounts used to be, and some companies are still trying to make a buck on sub-$10 per month shared accounts despite pressures from GoDaddy, Google, and Windows Live initiatives.

I spend a part of each day scouring blogs and forums looking for other operators’ thoughts on running a hosting company. One thing that many veteran and rookie hosting providers echo is, “margins are slim, everyone seems to be commoditizing the industry, how am I supposed to compete?” These observations are not far off base if you are looking at the current hosting marketplace strictly by the numbers. Even I shake my head sometimes when performing cursory margin analysis, on a purely speculative basis that is, on competitor plans. I assume that many of these folks are pushing overselling to the limit, are firm believers in the “loss-leader” concept, or are hoping that none of these individuals are going to ever actually need support.

So, as has been mentioned time and time again, the way to differentiate yourself is through customer service and customer experience. I think that two proofs of this theory come from ourselves and from a competitor, and interestingly enough, they prove the theory from completely different angles. MaximumASP has been in existence since 2000, and in that almost 7-year span we have maintained almost 99% retention of our clients. How did we do it? Support, support, support, and reminding ourselves daily that these folks are the ones paying our salaries. This number is one of the most important indices on which we base our success and value as a company, and it seems to be working. On the flip side, let’s take a look at some of the problems faced with customer service changes (particularly a decrease in quality) when companies merge or are acquired. The current debacle in Houston and Dallas is a prime example of where two solid companies, not perfect companies, but solid business models with solid support in general, are consolidated and customer support suffers. It would appear from research in the last couple of months that customers are being churned out at a rapid pace, and new customer acquisition is likely suffering as word spreads (all of this is speculative and garnered through reading customer comments on the Web).

So support is the key to retaining clients, but how does it attract clients and how do you articulate it to those folks that do not have any first-hand experience with your company? Herein lies the biggest challenge for marketers on the payroll of hosting providers that truly offer quality support and service for their clients. How do you articulate the value proposition, the level of support, and the quality of infrastructure that a potential client will be receiving in a space that is 120 pixels by 30 pixels, or 400-odd pixels by 80 pixels? You can’t, and that is why you see so many hosts default to the flashing “Dedicated Servers Starting at $39.95!!!” Do we have to use price as a primary decision factor when we have all of these other great things going for us? No fair! In this constant limbo game of how cheap a plan can go, do customers understand that quality does come at a price? I would argue that many do. I would also argue that many do not. It is easy to say you have great infrastructure, that you have great support, and that you use quality equipment, but all of these things cost money, and those expenses must be built into the price point. So going back to support, want to know what one of our largest expenses is, and in turn one of the largest cost contributors to your hosting plan’s price here at MaximumASP? Data center? Close. Connectivity? Close. Personnel and training? You got it, and that is what provides the support that makes us different from the guy that is half the cost, and what we are counting on to make you a long-time customer. We have watched many of our customers grow from $2,400 / year customers to $24,000 / year customers, and that certainly proves the business case for treating every customer right, particularly when the lifetime value of that single customer could easily hit six figures!

Post in Business