Today CNN Money ran a headline screaming “Your Internet security relies on a few volunteers,” reporting on the Heartbleed vulnerability. This inadequately engineered and tested update to the OpenSSL code was used in HTTPS implementations from companies including Instagram, Yahoo, Intuit (TurboTax), Pinterest, and Dropbox. A lot of sensitive information is saved on these sites, and it’s possible that hackers could have obtained passwords or security keys that were or could be used to gain access to that information. So it’s a serious topic.
But CNN went too far in their headline, insinuating that everyone’s Internet security relies on volunteers. At least as far as Spendbot is concerned, our code, and the code of the servers and connections on which we run, was developed and tested by paid professionals at some of the largest companies in the world. When architecting our solution, we made the conscious decision to shy away from open source solutions in favor of proven, standard, commercial software. We arrived at this solution after talking with technologists who had responsibility for systems at banks, state pension funds, ultra-large enterprise operations, and the like.
We also made the decision to implement redundancies such as DNSSEC, which prevents man-in-the-middle attacks by checking every server along the connection path to make sure it is authentic, and not something inserted to collect information. So while many companies scrambled to notify customers to change passwords and look for evidence of hacking, we did not have to. That’s not to say we don’t believe there could ever be a vulnerability, but the nature of our implementation is that some very well paid professionals are testing and monitoring the platform continuously.
So rest assured your Spendbot data is safe: safer than it would be tucked in a desk drawer, folded up in your coat pocket, or stored in an advisor’s file cabinet.