I was talking with someone today about whether races feel an obligation to keep their customer data safe. The conversation was triggered when I spoke with the owner of a small registration company and found that they had many security problems: their site was susceptible to SQL Injection and Cross Site Scripting, and they had no security scanning and no regular patch and update procedures. Many assume their hosting or platform provider does this for them, but it is worth asking questions.
A simple question you can ask is what they do to scan for security vulnerabilities, and how often they apply patches and updates to their infrastructure.
One of the constant battles in having a website is making sure your security is up to date and patches are applied. Most races simply do not have the resources to keep track of this, and many providers skip the cost and extra work of updates.
As an example, take a look at the CVE Twitter feed, with over 50 vulnerabilities identified just today. CVE stands for Common Vulnerabilities and Exposures, and is an Internet project to identify and catalog security issues. Any one of these could be a problem for your race website, or it may not apply to you at all.
RunSignup uses a product called Nessus that gathers this and other vulnerability data and then scans our servers to find potential issues and the patches available to resolve them. We have a monthly process for updating our servers, and we are audited yearly to prove we have done those updates.
As you can see from the numbers, the volume of potential vulnerabilities is enormous. Many do not apply to any particular website, which is why products like Nessus exist: to tell you which ones actually affect your servers.
As a race director, if you care about your customer data, you should be asking your provider what they do for scanning and updates.