Saturday, March 12, 2011

Website security basic checklist

  • It is a lot to digest, but the OWASP Development Guide covers web site security from top to bottom.
  • Know about SQL injection and how to prevent it.
  • Never trust user input (cookies, request headers and hidden form fields are user input too!).
  • Use a slow, salted hashing algorithm such as bcrypt (time tested) or scrypt (even stronger, but newer) for storing passwords; a plain MD5 or SHA digest is fast enough to brute-force. (How To Safely Store A Password)
  • Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.
  • Know the rules for processing credit cards (PCI DSS). (See this question as well)
  • Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info), and make sure the session cookie is never sent over plain HTTP afterwards, or the protection on the login page is undone.
  • Know how to resist session hijacking: use a long random session ID, regenerate it at login, and set the Secure and HttpOnly flags on the session cookie.
  • Avoid cross-site scripting (XSS) by escaping all untrusted data for the context it is rendered in.
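The following is an added example, not code from the original post, that puts several of the items above into working code using only Python's standard library: scrypt password storage with a per-user salt and constant-time comparison, a deliberately vulnerable string-built SQL query beside its parameterised form, HTML escaping for output, and a session cookie with the hijacking-resistant flags. The in-memory `users` table, the scrypt parameters and the sample credentials are constructed for the example.

```python
# Added example (not from the original post). Assumptions: an in-memory
# SQLite table users(username, salt, pwhash); scrypt parameters n=2**14,
# r=8, p=1 are illustrative values, roughly 16 MiB of memory per hash.
import hashlib
import hmac
import html
import os
import secrets
import sqlite3

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard password hash (scrypt, one of the two the list names)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)                       # fresh random salt per user
    conn.execute("INSERT INTO users (username, salt, pwhash) VALUES (?, ?, ?)",
                 (username, salt, scrypt_hash(password, salt)))


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pwhash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        scrypt_hash(password, b"\x00" * 16)    # spend the same time for unknown users
        return False
    salt, stored = row
    # constant-time comparison so the response time does not leak matching bytes
    return hmac.compare_digest(scrypt_hash(password, salt), stored)


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the user's text is spliced into the SQL."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [r[0] for r in conn.execute(query).fetchall()]


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver never lets the input become SQL syntax."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,)).fetchall()
    return [r[0] for r in rows]


def render_greeting(username: str) -> str:
    """Escape untrusted text before it lands in an HTML body (XSS)."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


def new_session_id() -> str:
    """Unguessable session ID; issue a new one at every login."""
    return secrets.token_urlsafe(32)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it from script."""
    return "session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % session_id


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse battery staple")
    print(verify_login(db, "alice", "correct horse battery staple"))  # True
    print(verify_login(db, "alice", "wrong"))                         # False
    payload = "x' OR '1'='1"
    print(vulnerable_lookup(db, payload))   # ['alice']  -- injection succeeded
    print(safe_lookup(db, payload))         # []         -- treated as a literal name
    print(render_greeting('<script>alert("x")</script>'))
    print(session_cookie(new_session_id()))
```

The injection payload works against `vulnerable_lookup` because the single quote in the input closes the string literal and the rest becomes SQL; the parameterised version hands the same bytes to the driver as a value, so nothing to the right of the quote is ever parsed. Note that the cookie flags only help if the whole site is served over HTTPS, since a `Secure` cookie is never sent on plain HTTP requests.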