This is a broad question in search of a decent broad answer, but I am really curious about which key issues professional developers must account for in terms of security.

How do you make your website more hacker-proof? How do you ensure the security of your company's databases?

I'm a real noob with security issues but I am keen to hear from people about typical design patterns for security (if there is such a thing), the ease of using encryption methods etc.

Thanks!

+2  A: 

I can point you to some typical attacks that can be tried on a website. You can find a lot of resources about every one of them on the web.

  • XSS (cross site scripting)
  • CSRF / XSRF (cross site request forgery)
  • SQL Injection

Those are the most common, I recommend you start by studying these.

Matteo Mosca
Some new info there, appreciate it, I will read up :)
AlexW
+2  A: 

This is by no means an exhaustive list of everything you have to do, but it should get you thinking about some answers to your questions:

How do you make your website hacker proof?

  • Wherever security is a concern, be sure to use strong SSL encryption.
  • Never use dynamic SQL. Always use Parameterized Queries or Stored Procedures. This will protect against SQL Injection attacks.
  • Never store user passwords in plain-text. Always use a salted hash.
  • Require users (especially admin users) to use strong passwords.
  • Be sure to inspect query parameters for dangerous content. This will help defend against Cross-Site Scripting attacks.

How do you ensure the security of your company's databases?

  • Don't expose the databases directly to the Internet.
  • Require strong passwords.
  • Ensure best practices are followed for applications connecting to the database so they don't expose data via SQL Injection attacks.
Justin Niessner
+1  A: 

Bruce Schneier's Secrets And Lies is a really good book to read as a general philosophical survey of the topic.

Pointy
+1  A: 

Web Application

Never trust user input! Assume people are trying to pass malicious content to your application.

This kind of thing leads to the issues that @Matteo Mosca is talking about.

Database

On the database side, make sure you encrypt any information you don't want people to easily see if they do hack your DB (passwords etc.).

Here is a good article on storing passwords in your db.

Links for more info:

Abe Miessler
+2  A: 

While there have been a lot of good suggestions posted, I would suggest that one should take a more systematic and methodological approach. Rather than haphazardly protecting from XYZ attacks, it makes more sense to first perform threat modelling on the web site you want to "hacker proof". For example, consider an intranet website which doesn't allow any user input. Only read-only but confidential information is available. Should you be concerned about SQL injection, XSS etc.? I don't think so (since there is no user input). DNS rebinding is a more concerning attack to worry about here. Does the website check the HOST header? If not, the site could be vulnerable and the confidential data may be leaked to unauthorized users.

By performing threat modelling, one gets a clear picture of top threats to the application and based on risk assessment, one should build mitigation strategy.

Gaurav Kumar
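The Host header check the last answer asks about, as an added example that is not code from the thread: a small allowlist validator wrapped into WSGI middleware, so a request whose Host names anything other than the site's own hostnames is refused before the application sees it. The names in ALLOWED_HOSTS are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames this intranet site is actually served under.
# An entry starting with "." matches that domain and any of its subdomains.
ALLOWED_HOSTS = {"intranet.example.test", "intranet"}


def parse_host(header_value):
    """Split a Host header into (hostname, port); return None if it is malformed."""
    if not header_value or any(c.isspace() for c in header_value):
        return None
    try:
        parts = urlsplit("//" + header_value)  # urlsplit handles [ipv6]:port and lowercases
        hostname, port = parts.hostname, parts.port  # .port raises ValueError if non-numeric
    except ValueError:
        return None
    # Anything beyond host[:port] (a path, userinfo, query) is not a valid Host value.
    if hostname is None or parts.path or parts.query or parts.fragment or parts.username:
        return None
    return hostname.rstrip("."), port  # tolerate a trailing dot (absolute FQDN)


def host_allowed(header_value, allowed_hosts=ALLOWED_HOSTS):
    """True only if the Host header names one of our own hostnames.

    In a DNS rebinding attack the victim's browser resolved the attacker's domain,
    so the request arrives with the attacker's domain in Host; because that name is
    not on the allowlist, the request is rejected. IP literals are only accepted if
    explicitly listed.
    """
    parsed = parse_host(header_value)
    if parsed is None:
        return False
    hostname, _port = parsed
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False


def require_known_host(app, allowed_hosts=ALLOWED_HOSTS):
    """WSGI middleware: answer 400 before the wrapped app sees a request with a bad Host."""
    def wrapper(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), allowed_hosts):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request: unrecognised Host header\n"]
        return app(environ, start_response)
    return wrapper
```

The same allowlist idea is what frameworks such as Django expose as ALLOWED_HOSTS; whichever framework is in use, the check has to run before any confidential content is rendered.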