Attackers want to deface your website. They want to hack it just because it is there. If you deal in money, vital infrastructure, or controversial services, you know you are a target. If your site is modest, or you simply have high-speed "always on" internet at home, you can also be targeted by script kiddies with more software than brains, or be used as a pawn by a more sophisticated attacker.
Web applications offer a variety of new openings to attackers. Common web application attacks include:
HTML and SQL injection
Cross Site Scripting
Session hijacking, impersonation, and replay attacks
Dictionary attacks against your passwords
Stolen databases compromising passwords and credit cards
Denial of Service and Distributed Denial of Service attacks
Operating system, stack overflow, virus and email attacks.
Defending your applications requires a consistent, comprehensive strategy. This is an important example of how ConsenCIS has worked out the details so you can have peace of mind. The following security strategies are embodied in all ConsenCIS applications.
Make it easy for your users to practice good security. Make it easy to change passwords. Log and notify users when critical data, such as a password, is changed. If a password can be found in a spell checker's dictionary, it is not very strong.
Encrypt sensitive information in transmission and in your databases so it can't be read outside the context you control. Protect connection strings just as securely as you protect the database itself. Use strong passwords for your database and change them frequently; no one ever needs to type these passwords, so make them as strong as possible. Store databases outside the directory containing your pages.
Protect session integrity rigorously. Pay attention to the information you give out in your URL query strings and forms; hackers will analyze the details to formulate their attacks. Trap and log invalid data that an attacker might input while looking through your system for a weakness. Associate an IP address with a session to make things tougher for potential hijackers. Dial-up optimizers add complexity to this strategy, but the first few octets of the IP address are constant even with AOL. Let your users log off, and terminate idle sessions after 15 minutes.
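The session-integrity rules above (bind a session to the leading octets of the client's IP address, log invalid input, honor explicit logoff, and expire sessions idle for 15 minutes) as an added illustration in Python; this is not ConsenCIS code, and the two-octet prefix, the in-memory store and the audit-log tuples are assumptions chosen for the example.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # terminate idle sessions after 15 minutes, as recommended above
IP_PREFIX_OCTETS = 2            # assumed: bind to the leading octets only; dial-up pools rotate the rest

class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now        # injectable clock so the idle timeout can be tested deterministically
        self.audit_log = []    # every rejected request is recorded here for review

    @staticmethod
    def ip_prefix(ip):
        octets = ip.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError("malformed IPv4 address")
        return ".".join(octets[:IP_PREFIX_OCTETS])

    def create(self, user, ip):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "prefix": self.ip_prefix(ip), "last_seen": self._now()}
        return sid

    def validate(self, sid, ip):
        """Return the session's user if it is live and consistent, else None plus an audit entry."""
        try:
            prefix = self.ip_prefix(ip)
        except ValueError:
            self.audit_log.append(("invalid_input", repr(ip)))  # trap and log bad data
            return None
        s = self._sessions.get(sid)
        if s is None:
            self.audit_log.append(("unknown_session", ip))
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.audit_log.append(("idle_expired", s["user"], ip))
            del self._sessions[sid]
            return None
        if prefix != s["prefix"]:
            self.audit_log.append(("ip_mismatch", s["user"], s["prefix"], ip))
            del self._sessions[sid]  # a prefix change mid-session looks like hijacking
            return None
        s["last_seen"] = self._now()  # activity resets the idle timer
        return s["user"]

    def logoff(self, sid):
        """Explicit logoff; True if a session was actually ended."""
        return self._sessions.pop(sid, None) is not None
```

A request whose address changes only in the trailing octets (the dial-up case) is accepted, while a change in the leading octets ends the session and leaves an audit entry.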