
Today our largest competitor was compromised. Their website was deleted, service interrupted, and their database was downloaded by the attackers. Many of their customers are left wondering whether their credit card numbers have been acquired, with some already contacting their banks.

We’re sad to hear about the compromise and wouldn’t wish this on anyone, even a competitor. We hope that they will quickly recover from this incident, that their customers’ personal information won’t be released publicly or used maliciously, and that the necessary precautions will be taken to lessen the likelihood of a similar reoccurrence.

And while nothing is ever 100% secure, I wanted to reassure our customers that we take security seriously. We’ve never had a breach in either our software or hardware. Here are a few things we do that stand out to me in light of the issues we learned about today.

  1. We own all the servers that run our websites. They are literally just down the hall from my office in secured cabinets, inside a secured cage, inside a secured room. This means there is no hosting company that could be tricked into voluntarily giving an attacker access to our machines, and only a select, trusted number of people have any kind of physical access to the hardware. I can count them on one hand.
  2. We go by a single-role-per-server rule on the servers hosting customer data. Corporate email, web, and database servers are completely separate. Each runs only the ports necessary to perform its job. Each is backed up independently.
  3. In terms of software, the server running our instance of Blesta runs only Blesta. Our forums and front-facing website run on different hardware.

The server hosting blesta.com is not currently single role, but it has been planned for the past several weeks. In light of the issues with our competitor today, I’m fast-tracking the cutover for this. Even so, blesta.com’s only interaction with customer data is via a limited-access API, not direct database access, and it’s on a different physical machine.

We have always taken security seriously, in v2.x, and even more so in v3. It’s a two-part issue though: software and hardware. You’ve got to have a grip on both.

There’s more I could say about the things we do to protect customer data, but I’ll leave that for another post.

Just my thoughts.

Paul


I got hit with something last week, not quite back to 100%, but almost. I hope you are faring better than me; it’s never fun being sick.

This week I wanted to show you the coupon system. Early on I assumed we would implement the coupon system as part of the order plugin. Instead we implemented the coupon system as a core feature. The reason for this was simple: The introduction of recurring coupons.

The coupon system now supports the following:

  1. Recurring & one time coupons.
  2. Inclusive & exclusive package rules.
  3. Value & percent discounts, in multiple currencies.
  4. Start date, end date, and quantity limitations.

Recurring coupons were highly requested. Oftentimes multiple packages would have to be created to bill clients custom prices. This has been resolved in two ways with v3: recurring invoices and recurring coupons. Massive numbers of packages are a thing of the past.

It’s now possible to have a term- or quantity-based promotion for the life of the service. If the coupon is recurring, Blesta will automatically apply the coupon to the invoice when the service renews. In addition to that, coupons may apply to any packages assigned to the coupon at order, or may require that all packages assigned to the coupon are ordered at the same time (get 10% off when ordering Bronze Hosting and a Domain Name, for example).

The video is below. As usual, you can make the video full screen, and be sure to turn on your sound. I think I sound normal again. :D

 
