
An EASM blog from Detectify

Pär Stålberg, Ottoboni: “As an agency, you don’t want a site you have built to get hacked”

September 29, 2016

Ottoboni is a Swedish web agency with an impressive list of customers including some of the country’s largest companies and government authorities. Today, the agency runs Detectify security tests on the websites of some of their most security-aware customers. Pär Stålberg, senior digital production manager at Ottoboni, believes that security will grow to become a natural part of all customer dialogues. He emphasises that agencies have an extremely important role in introducing customers to web security and educating them in security matters.


When did security become an important part of your job?
Security has been a large part of my work for the past 3-5 years. I have worked with customers that already had an innate sense of security from the start, but even they have made great strides over the years. Their security awareness has increased considerably, most likely as a consequence of current events and threat assessments.

Overall, people are beginning to be more careful. In the past, websites weren’t as important as they are now; a site could be down for a while and nobody would really care. That has changed.

What do your dialogues with customers look like when it comes to security?
New customers ask a lot of questions about security. Certain types of companies, like banks, naturally have plenty of security questions, but the majority of our customers rely on us when it comes to security education.

Compared to the dialogues we have had with customers about SEO or mobile, security develops much faster. There’s also a lot of money at play in web security. Nobody wants to be hacked. As an agency, we don’t want a site we have built to get hacked. It could have a devastating effect on our brand.

Why is it so important for agencies to lead the security dialogue?
The arguments for security usually come too late, once you’ve already been hacked, and at that point your brand might already be destroyed. Security breaches and password libraries are in the news every day and as a company, you certainly don’t want to end up in that situation.

Sometimes people don’t understand how valuable security is. They build campaign sites with “cowboy code” and don’t consider security at all, then forget about the vulnerable website. It is really important for agencies to offer help and guidance.

How do you use Detectify?
We run Detectify on the websites of a few of our customers who are particularly aware of security. The service runs in the background on most of their subdomains and domains. The reports have been really helpful, but we are now planning to step up the way we use Detectify.

I think the best way to work with Detectify as an agency is to offer it to customers as a retainer. You can use the reports to help you decide how much time needs to be set aside to work with the results.

What are the main benefits of using Detectify?
The peace of mind. We want a stable foundation of security to prevent breaches, and for us, Detectify serves as a good basis, making us feel more confident in our sites’ security.

We often find vulnerabilities with Detectify’s help. Many of them are security issues that weren’t created by us, but are, for example, a CMS that needs to be upgraded to a newer version. This type of overview is something we couldn’t achieve manually.

What is your favourite Detectify function?
We use the Slack integration to get all the test information pushed to Slack and it’s great. I have been using Detectify for a long time and many of the features we have discussed over the years are now part of the service, for example Teams and Scopes and Targets. Your responsiveness is what makes Detectify even more interesting; it’s fun to be involved in product development as a customer.

What do you say to developers who use Detectify?
Sometimes developers are reluctant to test their own code, but I often say that if you test the site and fix the security issues, you have really achieved something. It’s like a validation of your skills.

It’s impossible to keep up with all the security news if you’re working with production – staying on top of new vulnerabilities is a full-time job in itself! Instead, Detectify takes care of that for us with the help of their researchers.

Read our blog post about why agencies should work with security and how adding security to your offer will make you stay relevant while increasing revenue and customer loyalty.

Would you like to use Detectify to stay on top of security like Ottoboni? Register for a free trial to evaluate our tool!