Kai Esbensen, director of quality assurance at The Nerdery, discusses software security and website accessibility with Nerdery CEO, Tom O’Neill.
O’Neill: Most business leaders understand that the security of their company’s software can seriously impact their bottom line, but let’s start with accessibility – what does Web accessibility mean for business?
Esbensen: Revenue, for starters. When you’re designing a website and don’t specifically consider accessibility for people with limited visual, auditory, speech, neurological or cognitive abilities, you’re shutting out large portions of the population – and limiting your potential market. An estimated 49 million Americans – almost 20 percent of the population – have some form of disability impacting their access to the Web. The accessibility industry has a term for people without disabilities: “TAB” – which stands for Temporarily Able-Bodied. Let that sink in a moment. Everybody ages; all bodies degrade; abilities diminish. One of the best investments companies can make is to ensure that all users can access their website no matter what life brings. Plus, accessibility is just the right thing to do.
O’Neill: Socially responsible, check. Sound business practice, check. What are the legal angles of accessibility?
Esbensen: While government websites are held to legal standards on accessibility, no law exists requiring business websites to be accessible. Yet. However, there’s a growing movement advocating for the adaptation of existing regulations – like those found in the Americans With Disabilities Act – to cover online businesses. One strategy used by this movement is to establish a legal “Web accessibility ruling precedent” through civil lawsuits against businesses with inaccessible websites. Meanwhile, the World Wide Web Consortium has created accessibility guidelines called the WCAG 2.0, which carry no legal weight, but are more stringent than guidelines in Section 508 of the Rehabilitation Act.
O’Neill: What can companies do to make sure their website, mobile app or business system is accessible?
Esbensen: Starting from scratch, build your website with accessibility as a driving factor. Consider the accessibility features of CMS, plug-ins and third-party add-ons. Make sure Web content is well-organized and can be efficiently interpreted by screen readers. Include alt-text for all images. For users unable to use a mouse or trackpad, be sure that all content can be accessed with the keyboard alone. These examples are the tip of the iceberg and are in no way comprehensive. For existing websites, our QA team can offer a quick high-level audit or an in-depth analysis, both of which cover a broad spectrum of users. If a site doesn’t conform to WCAG 2.0, we can educate companies on how to get there.
O’Neill: In the world of security, what kind of vulnerabilities should business stakeholders be concerned about?
Esbensen: Social engineering. Even with the tightest security protocols in place, if employees aren’t properly trained in how to identify attacks, how to behave, how not to behave, then it’s all for nought. Consider the Trojan Horse – the actual wooden horse used by the Greek army to fatally trick defenders of the city of Troy into letting their guard down. Troy’s gated security held firm for years until it was undone overnight by the hubris of the people charged with maintaining it. There’s a reason an entire class of malware was named after the Trojan Horse. Gates are only as strong as the people holding the keys.
O’Neill: How does social engineering relate to quality assurance?
Esbensen: There are two attack vectors which affect nearly every application: user access vulnerabilities and malicious code execution. Both rely on the psychological dance of social engineering. When user-access vulnerabilities are exploited, the attack generally accesses a user directly through a trusted application. Malicious code execution is similar in that the user is often targeted and therefore, trust is exploited. Malicious code is commonly seen on popular blogs, lurking behind clickable pop-up ads, page redirects and cookie stealing.
O’Neill: What can companies do to make sure their website, mobile app or business system is secure?
Esbensen: Our QA security Nerds can help by running a vulnerability assessment and/or a penetration test. A vulnerability assessment identifies, quantifies, classifies, prioritizes and reports all known vulnerabilities on a computer system, website or network. While vulnerability assessments simply report on whether a known vulnerability exists, a penetration test determines whether that vulnerability can be exploited, allowing for unauthorized access to critical systems and files. However, no system is 100 percent guaranteed secure. Security is a moving target and threats and risks change as technology changes. Businesses must remain vigilant about maintaining and improving their security posture.