Web Development, Security Tips

I was recently sent a great, core security video, and while these are aged tips, they remain extremely important.

1) Input Validation: Check ALL user input!! Be certain of: type, format (and its associated vulnerabilities), length, and range of valid input characters. Logically, whitelisting (allowing only known-good input) provides more control than blacklisting (rejecting known-bad input).
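The following is an added example, not code from the original post, showing what a whitelist check of type, format, length and range looks like for two hypothetical form fields (`username` and `quantity`, both assumptions made for the example). Every field is matched against an explicit allow-list pattern; anything not listed, including unexpected extra fields, is rejected.

```python
import re
from typing import Any, Dict

# Constructed allow-list rules for two hypothetical form fields (not from the post).
# One anchored pattern pins the character set, the format and the length at once.
# [a-z0-9] is used instead of \w or \d because those also match non-ASCII letters/digits.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")        # bounded length before we ever call int()
QUANTITY_MIN, QUANTITY_MAX = 1, 100            # range of a valid order quantity
ALLOWED_FIELDS = {"username", "quantity"}      # unknown fields are rejected, not passed through


class ValidationError(ValueError):
    """Carries a short, user-safe message; no internals are leaked in it."""


def validate_username(value: Any) -> str:
    # Type check first: a list or dict from a JSON body must never reach the regex.
    if not isinstance(value, str):
        raise ValidationError("username must be a string")
    # fullmatch() requires the entire string to match, so trailing newlines also fail.
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-16 lowercase letters, digits or _")
    return value


def validate_quantity(value: Any) -> int:
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValidationError("quantity must be a whole number")
    if isinstance(value, str):
        if not QUANTITY_RE.fullmatch(value):
            raise ValidationError("quantity must be a whole number")
        value = int(value)
    # Range check happens on the typed value, after format and length are known good.
    if not QUANTITY_MIN <= value <= QUANTITY_MAX:
        raise ValidationError(f"quantity must be between {QUANTITY_MIN} and {QUANTITY_MAX}")
    return value


def validate_order(form: Dict[str, Any]) -> Dict[str, Any]:
    """Validate every field of a submitted order; returns typed, known-good values."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValidationError("unexpected field(s): " + ", ".join(sorted(extra)))
    return {
        "username": validate_username(form.get("username")),
        "quantity": validate_quantity(form.get("quantity")),
    }


def is_valid_order(form: Dict[str, Any]) -> bool:
    try:
        validate_order(form)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(validate_order({"username": "alice_01", "quantity": "7"}))
    for bad in ({"username": "alice;--", "quantity": "7"},
                {"username": "alice", "quantity": "1000"},
                {"username": "alice", "quantity": "7", "debug": "1"}):
        print(bad, "->", is_valid_order(bad))
```

The order of checks matters: type, then format and length, then range. Doing the range check before the length check would let an attacker hand a 10,000-digit string to `int()` before anything rejected it.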

2) Header Information: Please remain aware that header information is visible to anyone on the network path, so be conscious of what you send in plaintext! Do not base logical decisions on header information either, as it is just as easy to modify. Verify your parameters server side!

3) Server Validation: While client-side validation is convenient, all inputs must be checked both coming into and going out of the server. Either filter it or block it, but always check it server side.
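As an added example (not from the post) for tips 2 and 3 together: a request handler that decides who the caller is from the server's own session store, so that a client-supplied header such as `X-User-Role` (a hypothetical header name chosen for the example) has no effect, and that re-validates its parameter server side regardless of what the browser already checked. The in-memory `SESSION_STORE` and the `handle_delete_user` endpoint are assumptions made for the example.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store (hypothetical); only server code can write to it.
SESSION_STORE: Dict[str, Dict[str, str]] = {}
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def create_session(username: str, role: str) -> str:
    """Server issues an unguessable token and remembers the role itself."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = {"user": username, "role": role}
    return token


def end_session(token: str) -> None:
    SESSION_STORE.pop(token, None)


def parse_cookie_header(header: str) -> Dict[str, str]:
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def resolve_principal(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Who is calling, derived from the session cookie and the server-side store only.
    Any user or role claim carried in another header is ignored: the client wrote it."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    token = parse_cookie_header(lower.get("cookie", "")).get("session")
    return SESSION_STORE.get(token) if token else None


def handle_delete_user(headers: Dict[str, str], target_user: str) -> Tuple[int, str]:
    # Server-side parameter check, even if a form on the client already validated it.
    if not isinstance(target_user, str) or not USERNAME_RE.fullmatch(target_user):
        return 400, "invalid username"
    principal = resolve_principal(headers)
    if principal is None:
        return 401, "authentication required"
    # The decision uses the stored role; X-User-Role or similar headers are never consulted.
    if principal["role"] != "admin":
        return 403, "forbidden"
    return 200, f"deleted {target_user}"


if __name__ == "__main__":
    viewer = create_session("bob", "viewer")
    # The forged role header changes nothing: the stored role says viewer.
    print(handle_delete_user({"Cookie": f"session={viewer}", "X-User-Role": "admin"}, "alice"))
```

The only client-controlled value that influences the decision is the session token, and it is useful only as a lookup key into state the server wrote.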

4) Secret Data: Never display or store secret data (such as passwords, credit card numbers, or cookies). Use a hash or encrypted value to verify secret contents, and always have methods to dispose of confidential material (i.e. be able to end sessions and/or delete accounts). And never, never, never hardcode sensitive data into your code.
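An added example (not the post's code) of the "verify with a hash, never store the secret" rule, using only the Python standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 digests, compared in constant time, and the `AccountStore` class (an assumption for the example) provides the disposal methods the tip asks for, ending sessions and deleting accounts. The iteration count is an assumption to tune to your own hardware.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # assumption: work factor; tune to your hardware and raise over time


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest. No plaintext."""
    salt = secrets.token_bytes(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


# Constructed once so a login for an unknown user costs the same as for a known one.
DUMMY_HASH = hash_password("dummy-password")


class AccountStore:
    """Hypothetical account/session store holding only password hashes."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}   # username -> hash record
        self.sessions: Dict[str, str] = {}   # session token -> username

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = hash_password(password)   # the plaintext is not kept

    def login(self, username: str, password: str) -> Optional[str]:
        stored = self.accounts.get(username, DUMMY_HASH)
        if not (verify_password(password, stored) and username in self.accounts):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def current_user(self, token: str) -> Optional[str]:
        return self.sessions.get(token)

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)   # dispose of the session

    def delete_account(self, username: str) -> None:
        self.accounts.pop(username, None)
        # Revoke every live session of the deleted account as well.
        for token in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[token]


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple")
    print("logged in as", store.current_user(token))
    store.delete_account("alice")
    print("after deletion:", store.current_user(token))
```

Two details worth noticing: the stored record carries its own algorithm and work factor, so the iteration count can be raised later without invalidating old records, and the comparison uses `hmac.compare_digest` rather than `==` so that the time taken does not depend on how many leading bytes match.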

5) No Security through Obscurity!! Hiding password files or URL-encoding a string does not make the contents confidential. You need real encryption protocols, properly applied. Likewise, the lock on the gate is no good if someone can easily steal the keys.

6) SQL Interaction: Always use parametrized queries, or functions that only accept specific input parameters and are tested for specific output. Also, curb your error messages, so that users can't draw out data about your system, such as the programming language, variable names or table names. For custom error messages, use try / catch blocks in your stored procedures, and return simple errors that only you can identify.

7) Always Use HTTPS when dealing with Sensitive Data!!! Whenever you visit a login screen or perform any form of account transaction, use an HTTPS connection! You can be sure you have an HTTPS connection by clicking the small icon to the left of the URL bar. Then, if you click "View Certificate", you can verify you have an SSL connection with a reputable company. This can also assure the user that they are not visiting a phishing website that is masquerading as the real website.

8) Always use vetted technologies that have had open code review and are trusted in the industry. If you are handing your security off to a third party, be aware that you are putting full trust in their organization not to have its own vulnerabilities. Often it is best to use proven open source methods and wait for a stable version. Whatever your choice, stay patched to avoid the newest viruses!

9) Customize your security roles, and know exactly how each user will interact with your system. Never share accounts. Implement methods of keeping users accountable for their actions. It is important that users are not allowed to interact with material outside their scope. When designing access controls, always consider confidentiality, integrity, and availability.
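An added example (not the post's code) of the three parts of this tip in one authorization check: a role-to-permission map, a scope rule that keeps users inside their own team's material, and an audit log that records every decision against an individual account. The roles, the `document:*` action names and the team-based scope rule are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role-to-permission map (hypothetical application). Each role gets
# only the actions it needs; anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write", "document:delete"},
    "admin":  {"document:read", "document:write", "document:delete", "user:manage"},
}


@dataclass(frozen=True)
class User:
    username: str   # one person per account, so audit entries name a real individual
    role: str
    team: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    team: str


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, user: User, action: str, resource: str, allowed: bool) -> None:
        self.entries.append({"user": user.username, "action": action,
                             "resource": resource, "allowed": allowed})

    def denials_for(self, username: str) -> List[dict]:
        return [e for e in self.entries if e["user"] == username and not e["allowed"]]


def authorize(user: User, action: str, doc: Document, audit: AuditLog) -> bool:
    """Allow only if the role grants the action AND the document is within the user's scope."""
    permitted = action in ROLE_PERMISSIONS.get(user.role, set())
    if user.role == "admin":
        in_scope = True                              # admins span all teams
    elif action == "document:delete":
        in_scope = doc.team == user.team and doc.owner == user.username   # only your own
    else:
        in_scope = doc.team == user.team             # never outside the team's material
    allowed = permitted and in_scope
    audit.record(user, action, doc.doc_id, allowed)  # every decision, allowed or not, is logged
    return allowed


if __name__ == "__main__":
    audit = AuditLog()
    bob = User("bob", "editor", "payments")
    report = Document("doc-17", owner="carol", team="payments")
    print("bob writes payments doc:", authorize(bob, "document:write", report, audit))
    print("bob deletes carol's doc:", authorize(bob, "document:delete", report, audit))
    print("denials for bob:", audit.denials_for("bob"))
```

Because the audit entry is written inside `authorize` rather than by each caller, a new endpoint cannot forget to log, and denied attempts are visible alongside permitted ones.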

10) Use Defense in Depth. Don't rely on just one place to act as a 'wall' and secure your application. Check input as it traverses the system, and ensure all layers have proper controls and methods to audit interactions.