The website strength and vulnerability checklist

The average website includes components from eight or more different hosts, which help drive traffic, increase conversions and improve customer satisfaction but also increase complexity and page weights that decrease site performance and compromise the customer experience. Use this checklist to assess the strength and vulnerabilities of your website.

If anything goes wrong with your website, only one party will get the blame: you, as the owner or operator of your organisation’s website. Your site, however, isn’t entirely your own. To deliver the functions and features visitors expect, your site is actually a composite of your own resources plus numerous third-party web components, such as:

• Content delivery networks (CDNs)

• Site search functions

• Shopping cart and payment processing functions

• Advertising networks that may provide revenue for your site

• Multiple social networking connections and communities

• Ratings and reviews for gathering feedback

• Web analytics.

In fact, the average web site includes components from eight or more different hosts. While these components help drive traffic, increase conversions and improve customer satisfaction, they also increase complexity and page weights that can decrease site performance and compromise the customer experience.

The business impact? As page load times increase, so do abandonment rates: Increasing load time by just two seconds raises the abandonment rate by eight percent. And, user expectations become more demanding every year. According to Forrester Research, in 2009, users expected pages to load in two seconds, half of the four-second load time they accepted in 2006. Worse, Compuware anticipates that by 2012, users will insist on another 50 percent reduction to just one second.

It’s not enough to control the factors within your firewall; you must be able to mitigate the risks imposed by all of your third-party partners, any one of which could weaken your site’s performance or even take it down.

Here are several key success factors for using third parties effectively and a checklist you can use to assess the relative strengths or vulnerabilities of your own site:

1. Set business and performance goals

First and foremost, adding third-party web components are as much a business as an IT decision. Before you adopt new components, consider your goals: What kind of user experience do you want to create and how will that experience contribute to your bottom line? Your overall sense of purpose will guide the selection of components that could add value to your site.

Once you have features and functions in mind (videos, social networking connections, shopping carts), you have some homework to do that will put your site on a more secure foundation.

• Baseline your site’s performance first: To understand the impact of third-party web components, you need to measure the performance of your site as it exists on its own. A one-time snapshot won’t be enough; measure performance at all hours of the day and night for at least two weeks to a month and from different geographies. To understand your site within the context of your users’ expectations, benchmark your site’s performance against your competitors’ sites as well.

• Weigh benefits against risks: Every new component will increase the size and complexity of the web page, compromising download speeds. That’s why you need to weigh the upside advantages of new features against potential downside compromises in performance. Will a new component make a meaningful contribution to revenues or customer satisfaction? How often do you anticipate customers actually using it? Does the speed-to-market benefit outweigh the risks of performance delays?

• Look under the hood: Sure, an SLA is a start, but a performance guarantee is only as good as the party that makes it. Ask yourself (and the vendor) the tough questions: Is there usage, outage and performance data you can review? Do your competitors and/or comparable websites use the component? Is this a function that tempts you with competitive advantage, but could bring risks? Or, is this an established component, such as Yahoo! Shopping Cart or Google Analytics, with a stable track record?

2. Create a mitigation strategy

Your “Plan A” is only as good as your “Plan B,” the processes you put into place to ensure successful implementation and continued functioning of third-party web components. You can significantly reduce risk by:

• Benchmarking response time and availability of each third-party web component before signing contracts

• Testing components before launch in multiple phases and under various conditions.

• Devising fast-fail programs that secure the functioning of your overall site, even if any one particular component should crash

• Considering redundant services for the most critical features of your site, such as your shopping cart.

3. Don’t forget to mobile optimise it

What do mobile device users expect from your web site? According to data from Equation Research, 71 percent of mobile phone users expect web sites to load as quickly on their mobile devices as they do on their desktops. When you enter the mobile world, you must strike a balance between the functionality your site needs and the performance your users demand.

• Minimise third-party content: Every additional component increases the page size which, in turn, increases load times.  When you develop mobile sites, retain only those components that add the most value.

• Lose weight: Limit the number of hosts, connections and requests.

• Think CDNs: CDNs help accelerate performance by providing content from locations closer to your end users.

4. Adopt a customer point of view

When it comes to performance, what you see is not necessarily what they — your end users — get. Because most sites today are a composite of resources from within the site server’s firewall and third-party web components outside of it, the end-user experience is shaped by factors that cannot be measured from the backbone alone.

In fact, backbone monitoring only provides part of the picture because it tests from high-speed servers located on the internet backbone. Unless you’re measuring the performance experience of end users on consumer-grade PCs at the edge of the internet, you will fail to account for the performance of all the third-party web components that contribute to your website.

To get an accurate assessment of performance, you need a testing strategy that adopts the customer’s point of view and reveals what they experience at the very end of the last mile. A meaningful monitoring program includes:

• Targeting of key transactions: What your users do, such as product search and payment processing, that merits precise testing to measure performance of key transactions that are critical to your business

• Evaluation of multiple locations: To deliver consistent performance worldwide, you need insight into end-user experiences across the globe

• Accounting for front-end performance: Many functions that used to be fulfilled on the server side are now executed on the front-end – the devices and browsers customers use to access your site.

Be sure you test performance across multiple device types (i.e., desktop vs. mobile) and browser options.

5. Manage third parties carefully

Once you’ve selected third-party web components for your site (based on business objectives) and have pre-tested them to assess their potential impact on performance, the real work begins. Even though vendors may be contracted to maintain certain standards, it is ultimately your vigilance that will ensure those standards are met.

Your homework…

If you are not able to answer “Yes” to at least 12 of these crucial performance questions, it may be time to give your site’s performance a closer look.

1. Do you know how many third-party web components are on your web and mobile pages?
2. Do you understand how your third-party web components contribute to the business goals of your site?
3. Can you assess the potential performance compromises new components may impose?
4. Have you created a baseline of your site’s performance against which you can measure future changes?
5. Have your vendors shared usage, outage and performance data with you?
6. Are your competitors using the same, or similar, third-party web components?
7. Have you benchmarked the response time and availability of each component?
8. Have you tested each component before deploying it?
9. Are fast-fail programs in place to protect your site should any component crash?
10. Do you have redundant services for the most critical features of your site?
11. Have you optimised your mobile site to decrease page loads?
12. Do you have CDN partners who can distribute content from servers closer to end users?
13. Can you track and measure the performance of the key transactions on your site?
14. Can you evaluate performance at multiple locations worldwide?
15. Do you know how your site performs across different devices and browsers?
16. Are your SLAs based on measurable and objective levels?
17. Are you measuring performance over all loads and across all markets over time?
18. Do you share rich performance data with your third-party partners and within your organisation?