Building SECURE web sites & apps
Old 07-09-2007, 01:23 PM Building SECURE web sites & apps
Learning Newbie
Moderator

Posts: 4,622
Name: John Alexander
Duh. Run it on Linux, then nobody can see it unless they have good intentions. Right? Wrong. Actually that's the problem I want to talk about: we have got to the point where computers can do almost magical things to keep secrets, or to break them. It's a Brave New World, such a wonderful, complex and, to a lot of people, incomprehensible issue that most of us tend to ignore security.

A thread in the general forum hinted at the answer by listing common passwords. That seemed to be about hacking, but it brings up an important issue. You can use MD5 and 3xDES, but if your password is "password" your system isn't secure. The goal of crypto science is for the human to be the weakest point, so the algorithm can't be compromised. As web developers, we can't take that easy out.

I hope we can have a thread where we all share experiences and ideas on how to build secure systems. That involves some talk about hacking, because you have to understand how your enemy will attack to strengthen the right walls. But the goal isn't just to stand up to three particular attacks, it's to make it more difficult to get in, no matter how someone tries.
__________________
4 ways to improve the lives of the "bottom billion"

"HEY YOU KIDS GET OFF MY LAWN!" -John McCain
Old 07-09-2007, 01:31 PM Re: Building SECURE web sites & apps
bhgchris
Extreme Talker

Posts: 173
Let's get this thread started! Are we talking about web app security or server security?
Old 07-09-2007, 02:07 PM Re: Building SECURE web sites & apps
Learning Newbie
Moderator

Posts: 4,622
Name: John Alexander
I'm thinking more application security, but that involves a lot of server security. If you write the world's best application and deploy it on a server with holes like Swiss cheese, all the work you did to build a robust app is wasted.
 
Old 07-09-2007, 02:26 PM Re: Building SECURE web sites & apps
bhgchris
Extreme Talker

Posts: 173
Agreed. These days it seems to be all about XSS and SQL injection.

As you can see here: http://mybeni.rootzilla.de/mybeNi/category/xss_list/

Even the top 50 sites on the net are nowhere near foolproof. Some different methods are also discussed on that site.

I find it helpful to test my apps with a bunch of these code snippets:
http://ha.ckers.org/xss.html
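The kind of test the post describes, as an added example in Python (not code from the post or from the cheat sheet it links; the payloads below are constructed for this example in the spirit of such lists). It renders one small template three ways and parses the result the way a browser would, which also shows the case that HTML escaping alone does not cover: a user-supplied URL in an href.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed probe strings (written for this example, not copied from the cheat sheet).
PAYLOADS = [
    '<script>alert(1)</script>',           # breaks out of a text node
    '"><img src=x onerror=alert(1)>',      # closes a quoted attribute, starts a new tag
    '" autofocus onfocus=alert(1) x="',    # adds an event handler without a new tag
    'javascript:alert(1)',                 # only dangerous inside an href/src
]

EXPECTED_TAGS = {'p', 'input', 'a'}  # the only tags the template below emits


def render_unsafe(name: str, link: str) -> str:
    """Naive template: user input dropped straight into text, an attribute and a URL."""
    return f'<p>Hello {name}</p><input value="{name}"><a href="{link}">profile</a>'


def render_escaped(name: str, link: str) -> str:
    """HTML escaping fixes the text and attribute contexts, but not the URL scheme."""
    return (f'<p>Hello {html.escape(name, quote=True)}</p>'
            f'<input value="{html.escape(name, quote=True)}">'
            f'<a href="{html.escape(link, quote=True)}">profile</a>')


def safe_url(link: str) -> str:
    """A URL context needs a scheme allowlist on top of escaping; anything else becomes '#'."""
    return link if urlsplit(link.strip()).scheme.lower() in ('http', 'https') else '#'


def render_safe(name: str, link: str) -> str:
    return render_escaped(name, safe_url(link))


class Audit(HTMLParser):
    """Parse the rendered page as a browser would and record anything the template
    did not intend: extra tags, on* handlers, javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EXPECTED_TAGS:
            self.findings.append(f'unexpected tag <{tag}>')
        for attr, value in attrs:
            if attr.startswith('on'):
                self.findings.append(f'event handler {attr}')
            if attr in ('href', 'src') and (value or '').strip().lower().startswith('javascript:'):
                self.findings.append(f'javascript: URL in {attr}')


def probe(render) -> dict:
    """Feed every payload through a renderer (as the name and as the link) and
    return {payload: findings} for the payloads that got through."""
    hits = {}
    for payload in PAYLOADS:
        audit = Audit()
        audit.feed(render(payload, payload))
        audit.close()
        if audit.findings:
            hits[payload] = audit.findings
    return hits


if __name__ == '__main__':
    for renderer in (render_unsafe, render_escaped, render_safe):
        print(renderer.__name__, sorted(probe(renderer)))
```

The parser-based audit is what makes the probe useful: grepping the output for `onerror=` would flag the escaped page too, because the string is still there, just as harmless attribute text.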
 
Old 07-10-2007, 10:27 AM Re: Building SECURE web sites & apps
willcode4beer
Webmaster Talker

Posts: 602
Name: Paul Davis
Location: San Francisco
You could add, know your server and programming language well.

For example, Java provides the java.sql.PreparedStatement class to eliminate the threat of SQL injection, but some people still insist on creating SQL with user input directly.

Almost all app servers have a means to provide database connections that are configured on the server. Yet, we still see PHP, ASP, JSP pages that contain database username/passwords and open/close connections within the page.

We can create one-way hashes (MD5/SHA/etc) of passwords (with salt) so that a user's real password is never stored anywhere, yet many apps still store plaintext passwords in a database.

People put crazy security on pages and then forget to secure services called by AJAX within the pages.

The list goes on and on....
__________________
Paul Davis
willCode4Beer.com (coding for all the right reasons)
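The two points above about parameterized statements and salted one-way hashes, as an added example (not the poster's code, and Python's sqlite3 standing in for PreparedStatement and a server-configured pool). One assumption to note: PBKDF2-HMAC-SHA256 is used in place of a bare salted MD5/SHA, so that each offline guess against a dumped table costs the attacker the full iteration count.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def connect() -> sqlite3.Connection:
    """In-memory database standing in for the server-configured connection the post mentions."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)')
    return con


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (PBKDF2 rather than plain MD5/SHA, see the lead-in)."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ROUNDS)


def add_user(con, name: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user: equal passwords get different hashes
    con.execute('INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)',
                (name, salt, hash_password(password, salt)))


def user_exists_unsafe(con, name: str) -> bool:
    """The anti-pattern: SQL assembled from user input."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchone() is not None


def user_exists_safe(con, name: str) -> bool:
    """Parameterized: the value travels separately from the SQL text, so quotes are just data."""
    return con.execute('SELECT 1 FROM users WHERE name = ?', (name,)).fetchone() is not None


def verify_password(con, name: str, password: str) -> bool:
    row = con.execute('SELECT salt, pw_hash FROM users WHERE name = ?', (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison so response time does not leak how many bytes matched
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_secret(con, name: str) -> bytes:
    """What someone who dumps the table actually gets for this user."""
    return con.execute('SELECT pw_hash FROM users WHERE name = ?', (name,)).fetchone()[0]


def demo() -> dict:
    """Run the scenario on a constructed user and return the observations."""
    db = connect()
    add_user(db, 'alice', 'correct horse battery staple')
    injection = "nobody' OR '1'='1"   # constructed injection string
    return {
        'unsafe_injection': user_exists_unsafe(db, injection),   # True: the OR clause matched
        'safe_injection': user_exists_safe(db, injection),       # False: looked for that literal name
        'safe_real_user': user_exists_safe(db, 'alice'),
        'login_ok': verify_password(db, 'alice', 'correct horse battery staple'),
        'login_wrong': verify_password(db, 'alice', 'password'),
        'login_unknown': verify_password(db, 'mallory', 'anything'),
        'plaintext_in_table': b'correct horse' in stored_secret(db, 'alice'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```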
 
Old 07-21-2007, 04:20 PM Re: Building SECURE web sites & apps
phpl33t
Average Talker

Posts: 27
Name: Leonard Bachman
Location: Mississippi, USA
I could not delete it; it double posted.

Last edited by phpl33t : 07-21-2007 at 04:26 PM. Reason: deleting, it double posted somehow.
 
Old 07-21-2007, 04:22 PM Re: Building SECURE web sites & apps
phpl33t
Average Talker

Posts: 27
Name: Leonard Bachman
Location: Mississippi, USA
I love this topic, I will jump on PHP security.

1. Use mysql_real_escape_string, NOT addslashes, to validate all user-submitted data.

2. Upgrade to PHP 5. If you are still on PHP 3, then get a new job.

3. Do not forget to use strip_tags to validate form data.

4. Magic quotes, stop using them, in PHP 6 they will be gone anyway.

5. When passing IDs in forms and links, verify the data with (int) like this:

Quote:
$id = (int)$_POST['id'];
This converts the string to an integer... helps against attacks.

6. Use a function like this for validating data:

Quote:
function vdata($value) {
    // trim whitespace, strip HTML tags, encode special characters, then escape for MySQL
    $value = mysql_real_escape_string(htmlspecialchars(strip_tags(trim($value))));
    return $value;
}
7. turn off indexes in .htaccess

8. Encrypt all passwords saved in files and databases with at least MD5().

9. Try not to chmod 777.

10. The list could never end, but I have to take a leak, so later gator.

Last edited by phpl33t : 07-21-2007 at 04:23 PM.
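Items 5 and 6 followed through in Python, as an added example that is not the poster's code: vdata() is a port of the function above (PHP 5 defaults assumed for htmlspecialchars, and mysql_real_escape_string approximated by escaping backslashes and quotes), the (int) emulation assumes PHP 5 string-to-int semantics, and the sample input is constructed. It shows what the cast accepts, and what the input-side filter produces once the value has gone through a parameterized INSERT and is encoded again at display time.

```python
import html
import re
import sqlite3

TAG = re.compile(r'<[^>]*>')


def php_int_cast(value: str) -> int:
    """Emulates PHP 5's (int) cast on a string (assumption: the leading integer is taken,
    anything else yields 0), i.e. what $id = (int)$_POST['id'] does."""
    m = re.match(r'\s*[+-]?\d+', value)
    return int(m.group()) if m else 0


def strict_id(value: str):
    """Stricter alternative: accept only a canonical positive decimal, else None,
    so '12abc' and '0' are rejected instead of silently becoming 12 and 0."""
    return int(value) if re.fullmatch(r'[1-9]\d*', value) is not None else None


def vdata(value: str) -> str:
    """Port of the post's vdata(): trim, strip_tags, htmlspecialchars
    (PHP 5 default: & < > " only), then mysql_real_escape_string (backslash, quotes)."""
    value = TAG.sub('', value.strip())
    value = (value.replace('&', '&amp;').replace('<', '&lt;')
                  .replace('>', '&gt;').replace('"', '&quot;'))
    return value.replace('\\', '\\\\').replace("'", "\\'").replace('"', '\\"')


def round_trip(value: str) -> str:
    """Store a value with a parameterized INSERT and read it back; no escapes are interpreted."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE t (v TEXT)')
    con.execute('INSERT INTO t VALUES (?)', (value,))
    return con.execute('SELECT v FROM t').fetchone()[0]


def for_html(value: str) -> str:
    """Encoding done once, at output time, for the HTML context."""
    return html.escape(value, quote=True)


SAMPLE = "O'Reilly & Sons <b>Ltd</b>"   # constructed input


def filtered_then_displayed() -> str:
    """Item 6 applied on the way in, then the normal output encoding on the way out."""
    return for_html(round_trip(vdata(SAMPLE)))


def raw_then_displayed() -> str:
    """Store what the user typed (tags stripped), encode only at output."""
    return for_html(round_trip(TAG.sub('', SAMPLE.strip())))


if __name__ == '__main__':
    print(php_int_cast('12abc'), php_int_cast('abc'), strict_id('12abc'), strict_id('42'))
    print(repr(vdata(SAMPLE)))
    print(filtered_then_displayed())
    print(raw_then_displayed())
```

The two display functions differ in what the visitor sees for the same input: with the filter on the way in, the stored text already carries a backslash and an `&amp;`, and the output encoding turns them into `\&#x27;` and `&amp;amp;`; with encoding only at output, the name renders as typed.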
 
Old 07-21-2007, 04:23 PM Re: Building SECURE web sites & apps
phpl33t
Average Talker

Posts: 27
Name: Leonard Bachman
Location: Mississippi, USA
The forum messed up my code, oh poopy! Remove the space between "ta" and "gs". It should be "tags", the forum messes that up for some reason.

Last edited by phpl33t : 07-21-2007 at 04:24 PM.
 
Old 07-21-2007, 05:16 PM Re: Building SECURE web sites & apps
ForrestCroce
Half Man, Half Amazing

Posts: 3,025
Name: Forrest Croce
Location: Seattle, WA
Quote:
Originally Posted by willcode4beer View Post
Almost all app servers have a means to provide database connections that are configured on the server. Yet, we still see PHP, ASP, JSP pages that contain database username/passwords and open/close connections within the page.
Are you talking about SSPI/AD, or basically network level security saying that whatever user the web server runs on has permission to access the database ... trusted connections in Windows?
 