Archive for the ‘Web Development’ Category

Security Concerns for Web Developers

Someone posted a top 10 security concerns for a Joomla developer on a google group I’m in (not that I use Joomla) and I noticed that the issues were not Joomla specific. They were things every web developer should keep in mind after being hacked or in preparing for that scenario.

However, the list didn’t provide any solid useful examples of why the items are important. They also missed some really important issues that affect all web developers.

Here are a few security concerns I keep with me whenever I develop a site:

1. Always filter for malicious data and THEN validate user input, both on the server side. Do not rely on JavaScript or any other client-side technology to prevent hacking attempts or malformed data. Look up XSS (cross-site scripting):
http://en.wikipedia.org/wiki/Cross-site_scripting

2. Build your server side scripts so that they cannot fall victim to cross-site request forgery
http://en.wikipedia.org/wiki/Cross-site_request_forgery

3. For any user login form/handler, use SSL Get a cert (something like $100)–or generate and sign one yourself (free), which requires you and your users to add a security exception (because it’s self signed):
http://www.yatblog.com/2007/02/27/how-to-create-a-ssl-certificate/
If you fail to make this information go via SSL on your webserver, you are requiring all of your users to send passwords in cleartext through every computer between them and your webserver.

4. Always use SSH/SFTP to connect to your webserver. FTP is insecure. When you connect via FTP, you are sending your credentials in cleartext over the network. Anyone listening in will be able to scrape your access info.

5. Escape any database input before it goes into queries, lest you become victim of SQL injections:
http://en.wikipedia.org/wiki/SQL_injection

There are many more concerns but these are the ones that jump to my mind this early in the morning.

More »