views:

82

answers:

1

Hi,

I am on my dissertation in my final year at university at the moment. One of the areas I need to research is security - for both websites and for databases. I currently have sections on the following:

  • Website
    • Form security - such as data validation. This section is more about preventing errors made by legitimate users as much as possible rather than stopping hackers, for example comparing a field to a regular expression and giving them meaningful feedback on any errors which did occur so as to stop it happening again.
    • Constraints. For example if a value must be true or false then use a checkbox. If it is likely to be one of several values then use a dropdown or a set of radio boxes, and so on. If the value is unpredictable then use regular expressions to limit what characters they are allowed to enter, and to restrict the length of the string, and sometimes to limit the format (such as for dates / times, post codes and so on).
  • Sometimes you can limit permissions to the form. This is on the occasion that you know exactly who (whether it be people's names or a group of people, such as administrators or employees) is going to need access to the form. Restricting permissions will stop members of the public from being able to access the form.
    • Symbols or strings which could be used maliciously or cause the website to act incorrectly (such as the script tag) should be filtered out or HTML encoded.
    • Captcha images can be used to prevent automated systems from filling in and submitting the form.
    • There are some hacks for file uploads - such as using double extensions - which can allow hackers to upload malicious files.
  • Databases (this is nowhere near done yet but the sections I have planned are listed below)
    • SQL statements vs stored procedures
    • Throwing an error when one of the variables contains particular characters or groups of characters (I can't remember what characters they are, but I have seen a message thrown back at me before where I have tried to enter HTML or something into a text area).
    • SQL Injection - and ways around it, with some examples.

Does anyone have any hints and tips on where I could go for some decent, reliable information either about these areas or about other areas of security that I could cover?

Thanks in advance.

Regards,

Richard

PS I am a complete newbie when it comes to security, so please be patient with me. If any of the information I have put down is wrong or could be sub-sectioned then please feel free to say so.

+5  A: 

To get you started on website security, I recommend you go through the following sources:

  1. OWASP Top 10 - http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  2. Common Weakness Enumeration - http://cwe.mitre.org/

Both list the top programming errors, and will give you a head-start in this field.

sri
Hey, yeah, I should have known to look there.. OWASP came up as a 100-mark question in my advanced development exam even though it was only one link in ALL of the material we were given.. Thanks for the links.. I've only looked at the first one so far but it's really good so far. Regards, Richard
ClarkeyBoy
Hey, meant to get back to you about this.. I got all my dissertation finished and ended up only using one of these links before I went well over the word limit. Just waiting for the result now.. can't wait. Thanks again.
ClarkeyBoy