This may be a broad question looking for a good broad answer, but I am really interested in which key issues professional designers must take into account when it comes to security.
How can you make your website more hacker-proof? How can you ensure the security of the companies' databases?
I am a real noob with security issues, but I am keen to hear from people about typical design patterns for security (if there is such a thing), the simplicity of using encryption techniques, etc.
I can point you to some typical attacks that may be attempted against a website. You'll find lots of resources about each of them on the internet.
- XSS (cross site scripting)
- CSRF / XSRF (cross site request forgery)
- SQL Injection
Those are the most typical; I suggest you begin by studying these.
This is by no means an exhaustive list of everything you need to do, but it should get you thinking about some answers to your questions:
How can you make your website hacker proof?
- Wherever security is an issue, make sure to use strong SSL encryption.
- Never use dynamic SQL. Always use Parameterized Queries or Stored Procedures. This will safeguard against SQL Injection attacks.
- Never store user passwords in plain text. Always use a salted hash.
- Require users (especially admin users) to use strong passwords.
- Make sure to inspect query parameters for harmful content. This helps reduce the chances of Cross-Site Scripting attacks.
How can you ensure the security of the companies' databases?
- Don't expose the databases directly to the web.
- Require strong passwords.
- Ensure guidelines are followed for programs connecting to the database so that they don't expose data via SQL Injection attacks.
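The three code-level points in the answer above (parameterized queries instead of dynamic SQL, salted password hashes, and escaping query parameters before they reach HTML) are shown side by side below. This is an added example, not code from the original answer; it uses Python's standard library only, and the `users` table, the sample rows and the request values are constructed for the demo.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed sample database for the demo (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Dynamic SQL: the caller's string is spliced into the statement, so the
# database cannot tell data from SQL syntax. Kept only to contrast with the
# safe version below.
def find_user_dynamic(conn, name):
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

# Parameterized query: the value travels separately from the statement and
# is only ever compared as data, whatever characters it contains.
def find_user_param(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Salted hash: a random per-user salt plus a slow derivation (PBKDF2) so that
# equal passwords do not share a hash and brute force is expensive. The
# stored string carries everything needed to verify later.
def hash_password(password, salt=None, iterations=200_000):
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

# Query parameter reflected into a page: escape it for the HTML context so
# markup in the input is rendered as text rather than interpreted.
def render_greeting(name_param):
    return f"<p>Hello, {html.escape(name_param, quote=True)}</p>"

if __name__ == "__main__":
    db = make_db()
    print(find_user_param(db, "alice"))
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))
    print(render_greeting("<b>guest</b>"))
```

The stored-password format (`algorithm$iterations$salt$digest`) is a convention chosen for this example so that the iteration count can be raised later without invalidating existing records; verification reads the parameters back from the stored string rather than from a global.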
While there have been lots of good suggestions posted, I recommend that one should take a more systematic and methodological approach. Instead of aimlessly safeguarding against ABC attacks, it will work better to first perform threat modelling on the web site you need to "hacker proof". For instance, consider an intranet website which does not allow any user input. Only read-only but private details are available. Should you be worried about SQL injection, XSS, etc.? I do not think so (since there's no user input). DNS rebinding is a more concerning attack to bother with here. Does the web site check the HOST header? If not, the website may be vulnerable and the private data may be leaked to unauthorized users.
By carrying out threat modelling, one gets a clear picture of the top risks to the application and, based on risk assessment, one should build a mitigation strategy.
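The HOST header check the answer above recommends for the intranet scenario can be done at the application edge before any route is served. Below is an added example (not from the original answer) that parses a raw HTTP/1.1 request head, extracts the Host header and compares it against an allowlist of the names the site is actually published under; the allowlist entries and the sample requests are constructed for the demo. A request whose Host is missing, duplicated, or names a host the site does not serve is rejected, which is exactly the case a rebinding-style request would fall into.

```python
# Names this intranet site is legitimately reached by (constructed examples).
# Entries include the port when one is used, so "host:port" matches exactly.
ALLOWED_HOSTS = {"intranet.example.internal", "intranet.example.internal:8080"}

# Constructed sample requests (not from the original page).
REQ_OK = (b"GET /reports HTTP/1.1\r\n"
          b"Host: INTRANET.example.internal\r\n"
          b"User-Agent: demo\r\n\r\n")
REQ_OTHER_HOST = (b"GET /reports HTTP/1.1\r\n"
                  b"Host: some-other.example\r\n\r\n")
REQ_NO_HOST = (b"GET /reports HTTP/1.1\r\n"
               b"User-Agent: demo\r\n\r\n")
REQ_TWO_HOSTS = (b"GET /reports HTTP/1.1\r\n"
                 b"Host: intranet.example.internal\r\n"
                 b"Host: some-other.example\r\n\r\n")

def parse_host(raw_request: bytes):
    """Return the single Host header value, lowercased, or None if absent/duplicated."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    values = []
    for line in lines[1:]:  # skip the request line
        if line.lower().startswith(b"host:"):
            values.append(line.split(b":", 1)[1].strip())
    if len(values) != 1:
        # HTTP/1.1 requires exactly one Host; anything else is malformed.
        return None
    return values[0].decode("ascii", "replace").lower()

def host_allowed(raw_request: bytes, allowed=ALLOWED_HOSTS) -> bool:
    """True only when the request names a host this site is published under."""
    host = parse_host(raw_request)
    return host is not None and host in allowed

def check_requests(requests):
    """Map a label to the allow/deny decision for each constructed request."""
    return {label: host_allowed(req) for label, req in requests.items()}

if __name__ == "__main__":
    for label, verdict in check_requests({
        "ok": REQ_OK, "other_host": REQ_OTHER_HOST,
        "no_host": REQ_NO_HOST, "two_hosts": REQ_TWO_HOSTS,
    }).items():
        print(f"{label}: {'allowed' if verdict else 'rejected'}")
```

The comparison is against an explicit allowlist rather than a "does it look internal" heuristic; that is the part that matters, since the host name in the request is entirely under the client's control.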
Bruce Schneier's Secrets and Lies is a real bestseller to read as a general philosophical survey of the subject.
Never trust user input! Assume people are attempting to pass malicious content to your application.
This kind of thing leads to the problems that @Matteo Mosca is talking about.
On the database side, make certain you secure any information you wouldn't want people to easily find out if they do hack your DB (passwords etc.).
Here is a great article on storing passwords in your db.
Links for more information: