
I've been developing intranet web sites and public web sites with no big issues concerning security. There was nothing to steal and nothing to gain. Nothing to attract people to try to reach the website behind the scenes. I'm not talking about login & password but more about security against user attacks.

So, what's the best way to learn to secure access to a site, and to learn about common mistakes or weaknesses to think about? Do I have to find a framework related to the language I use and rely on it, or is there a source (book, website, ...) where I can find information about general design and tricks?

asked Dec 10, 2010 at 12:19
  • Someone from Russia typed "); SELECT CCNumber, CCExp, CCCCV FROM Users;" in the search box of my 10.000 subscriber website ;) Commented Dec 10, 2010 at 12:22
  • I think it is better to ask this question on the Security site: security.stackexchange.com Commented Dec 10, 2010 at 12:27
  • @DA: I'm sure it actually happened and that the exploit was as simple as that. Commented Dec 10, 2010 at 12:28
  • xkcd.com/327 Commented Dec 10, 2010 at 12:32

4 Answers


If you're doing web development with Java, consider reading up on the Spring Security framework (here is a good tutorial). It's based on Acegi Security which was absorbed into the Spring Framework. You'll quickly learn about the key principles of securing a web application:

  1. Never trust the client (validate everything)
  2. HTTPS is your friend
  3. Hashing passwords is a good thing
  4. Security is an aspect of your code (i.e. implemented through filters and interceptors rather than directly within your business logic)

Anecdote

I remember one client I worked with who had employed a security firm to perform penetration tests on their code. They failed badly. One quick refactor to use Spring Security and Spring MVC instead of their home-grown approach and all their issues vanished.

Nothing is ever perfect, but you can make it so hard to get into your application that script kiddies give up leaving just the dedicated crackers to deal with. And for them, you'll need professional advice.

answered Dec 10, 2010 at 12:47
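The four principles listed in this answer, shown in plain Python as an added example (it is not code from the answer above and does not use Spring Security; the function names, the in-memory `users` table and the sample search string are assumptions constructed for illustration). Principle 1 is shown twice: an allow-list validator, and a parameterised query that treats the kind of string quoted in the comments under the question as literal data rather than SQL. Principles 2 and 4 are combined into one filter that wraps a handler, so the business logic contains no security checks of its own.

```python
import functools
import hashlib
import hmac
import os
import re
import sqlite3

# --- 1. Never trust the client: validate everything, and bind data instead of splicing it into SQL ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(name):
    """Allow-list validation: accept only the characters the application actually needs."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def find_users(conn, search):
    """Parameterised query: `search` is bound as a value, so it can never alter the SQL."""
    cur = conn.execute("SELECT username FROM users WHERE username LIKE ?", ("%" + search + "%",))
    return [row[0] for row in cur.fetchall()]


# --- 3. Hashing passwords: salted, deliberately slow, compared in constant time ---
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password); the salt is stored next to the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare without leaking timing."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- 2 and 4. HTTPS and authentication enforced as an aspect: a filter around the handler ---
class Rejected(Exception):
    """Raised by the filter; the handler never sees an unacceptable request."""


def secured(handler):
    """Filter/interceptor (assumed name): transport and login checks run before business logic."""
    @functools.wraps(handler)
    def wrapper(request):
        if request.get("scheme") != "https":      # principle 2: refuse plaintext transport
            raise Rejected("HTTPS required")
        if not request.get("user"):               # authentication lives here, not in the handler
            raise Rejected("login required")
        return handler(request)
    return wrapper


@secured
def account_page(request):
    # Business logic only; every security decision was taken by the filter above.
    return "account of " + request["user"]


def filter_blocks(request):
    """True if the security filter rejected the request before it reached the handler."""
    try:
        account_page(request)
        return False
    except Rejected:
        return True


def demo():
    """Constructed sample data: an in-memory table and a hostile search string modelled on the comment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw BLOB)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", hash_password("hunter2")))
    hostile = "'); SELECT ccnumber FROM users; --"   # constructed input, not a real attack payload
    return {
        "hostile_rejected_by_validation": not valid_username(hostile),
        "hostile_search_result": find_users(conn, hostile),   # [] : matched as literal text only
        "normal_search_result": find_users(conn, "ali"),      # ['alice']
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `secured` filter is the one the answer makes about aspects: `account_page` can be audited as pure business logic, and adding a new check (rate limiting, CSRF token verification) means editing the filter once rather than every handler. A framework such as Spring Security supplies exactly this filter chain so you do not have to write it by hand.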

There's NEVER nothing to steal. Even if the data on your site is worthless, your processing time and bandwidth are still valuable to DDoS botnet operators. If you're running a computer on the internet and you're interested in being a good citizen, you have to be interested in security.

answered Dec 10, 2010 at 13:01

Plan for your project's security before you start coding, not after.
Also, there are very good answers on SO to many similar questions, like this and this.

answered Dec 10, 2010 at 13:02

You can learn about this by yourself, but a framework would help you avoid making common mistakes and be a lot more secure.

answered Dec 10, 2010 at 12:34
  • +1 for emphasising the use of a framework (not sure where the downvote on this came from - perhaps the downvoter could clarify the reason?). In general, frameworks have simplified most of the configuration and implementation details, but they still need to be studied carefully since they are not silver bullets. Commented Dec 10, 2010 at 13:28
