
Best way of securing a site?

Hi,

Basically I’d just like to know the best way of securing a site, or an area of a site. By “best” I mean, the most secure. Are there any software/programming techniques/protocols that you recommend?

I really have no clue when it comes to security; all I’ve ever done is a simple login form – user/pass table – session variable; which is then checked on each page. My gut feeling is that something as simple as that isn’t secure enough for a full on business app. However, I may be wrong.

If you need anymore details let me know.

Thanks.

@invertedpanda Jul 15.2005 — One of the best ways to ensure a secure site is to not have more than what you need - The more possible points of failure, the greater risk you run of having your website compromised. Every way you allow someone to pass data is a possible point of failure.

Honestly, there isn't really much of a way to cover even half of the bases with just forum posts. Your best bet is to do some reading (online, and books).

On that note.. I run a security site dedicated to providing viewers with articles/book reviews relating to the security topic. I just re-launched recently, and have been making calls for papers on various forums and whatnot. Keep an eye on http://security.the-engine.org/ - Hopefully within the next week or two, someone will submit something related to the topic of web scripting security. Sorry for the self-plug, but yah never know.

*edit* just added an article that works as a good introduction to scripting security.
@ray326 Jul 16.2005 — [QUOTE]I really have no clue when it comes to security; all I've ever done is a simple login form - user/pass table - session variable; which is then checked on each page. My gut feeling is that something as simple as that isn't secure enough for a full on business app.[/QUOTE]

A slight variation of that, Basic Authentication over SSL, is about as secure a foundation as you need. Of course you can always screw something up in the code or the admin of the site to cause it to spill its beans but that's true regardless of any measures you take up front.
@Lizo (author) Jul 16.2005 — Thanks for the replies.

I'll keep an eye on your site panda, the article on script security was a good intro, thanks for that.

I'm basically researching security measures for a colleague who will be developing a web-driven database front-end. It will have full access to a database and all the tables so it needs to be pretty secure. I'll have a look at SSL; am I right in thinking that the host must support it?

Also, what would be the best way to transition from the unsecured part to the secure part? A simple form checking against a db-table for username and an md5 password? Or is that a bit open?
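As an added illustration of the md5 login check asked about above (example code, not from anyone in this thread), the following puts the unsalted-MD5 lookup beside a hardened variant: a per-user random salt, an iterated PBKDF2-HMAC digest, and a constant-time comparison. The in-memory dicts stand in for the users table and are constructed here; the usernames and passwords are made up.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "user/pass table" from the question.
# Legacy row: unsalted MD5 of the password, as the question proposes.
# Hardened row: random salt + iterated PBKDF2-HMAC-SHA256 digest.
ITERATIONS = 200_000


def legacy_row(password: str) -> dict:
    return {"md5": hashlib.md5(password.encode()).hexdigest()}


def hardened_row(password: str) -> dict:
    salt = os.urandom(16)  # fresh per user, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def check_legacy(row: dict, password: str) -> bool:
    # Unsalted MD5: two users with the same password get the same stored value,
    # and the fast hash makes precomputed lookup tables effective.
    return row["md5"] == hashlib.md5(password.encode()).hexdigest()


def check_hardened(row: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), row["salt"], row["iterations"]
    )
    # Constant-time compare so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, row["digest"])


# Constructed sample table: alice and bob happen to share a password.
USERS_LEGACY = {"alice": legacy_row("hunter2"), "bob": legacy_row("hunter2")}
USERS_HARDENED = {"alice": hardened_row("hunter2"), "bob": hardened_row("hunter2")}


def login(table: dict, checker, username: str, password: str) -> bool:
    row = table.get(username)
    if row is None:
        return False
    return checker(row, password)


def same_password_visible(table: dict, key: str) -> bool:
    """True when two users with the same password have identical stored values."""
    return table["alice"][key] == table["bob"][key]
```

The salted scheme hides which users share a password and makes each guess cost one full PBKDF2 run; the session variable checked on each page should still be regenerated on login and only ever sent over SSL.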
@invertedpanda Jul 16.2005 — Most larger hosts support SSL, but you'll still have to pay for an SSL certificate (unless you go with one of the free ones.. I can't vouch for the quality of those, though).

Good luck. Security is always a tough topic; Assumptions tend to make the phrase true (When you assume, you make an a$$ out of you and me). In most cases you need to guess how far you want to go in paranoia; A good way to turn that into an educated guess is to look at the value of the information you hold, for one, but that isn't always a good standard. Hacktivists and criminally minded crackers tend to be a small population in the cracker community (based on my personal observations) - a number of compromises are done by people who just want to do it. Sometimes they'll sell information they get, but most of the crackers I have known do it just because it is fun. As well, there are way more script kiddies than honest crackers - script kiddies being people (usually teenagers) who are inexperienced and don't really understand the entire cracking process, making use of prefab tools and well known methods to compromise systems. Script kiddies also tend to be pretty dangerous - since they don't know what they are doing 100% of the time, quite often you may find your server or your data in shambles. As well, most script kiddies don't appreciate the value of data entirely. Still, script kiddies tend to be fairly easy to catch, in some cases, considering they usually make common mistakes (deleting common log files but not looking for specialized-software-specific log files, that sort of thing).

I'm going to shut up now, I'm rambling.
@ray326 Jul 16.2005 — [QUOTE]It will have full access to a database and all the tables so it needs to be pretty secure.[/QUOTE]

In that case I'd recommend you go to a JavaServer-based app where you can separate the web server from the app server, putting only the web server on the Internet. If it's a purely internal app (intranet app) then it doesn't matter so much.