I\'ve been developing intranet web sites and public web sites with no big issues

Question

I've been developing intranet web sites and public web sites with no big issues concerning security. There were nothing to steal and nothing to gain. Nothing to attract people to try to reach the website behind the scene. I don't talk about login & password but more about the security against user attacks.

So, what's the best way to learn to secure the access to a site, to learn about common mistakes or weakness to think about ? Do I have to find a framework related to the language I use and rely on it or is there a source (book, website, ...) where I can find information about general design and tricks ?

Explanation / Answer

If you're doing web development with Java, consider reading up on the Spring Security framework (here is a good tutorial). It's based on Acegi Security which was absorbed into the Spring Framework. You'll quickly learn about the key principles of securing a web application:

Never trust the client (validate everything)
HTTPS is your friend
Hashing passwords is a good thing
Security is an aspect of your code (i.e implemented through filters and interceptors rather than directly within your business logic)
Anecdote

I remember one client I worked with who had employed a security firm to perform penetration tests on their code. They failed badly. One quick refactor to use Spring Security and Spring MVC instead of their home-grown approach and all their issues vanished.

Nothing is ever perfect, but you can make it so hard to get into your application that script kiddies give up leaving just the dedicated crackers to deal with. And for them, you'll need professional advice.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.