Now that I'm looking at handling more sensitive customer data, I have an obligation to do everything I can to secure my server and code. Here are five resources I've found helpful:
Nikto - This tool runs an external scan of your webserver and spots common problems. The most serious mistake it found was that I'd forgotten to disable automatic indexes for directories without an index file.
Snort - Snort is an open-source intrusion detection system, and was pretty straightforward to get up and running. In its basic form it will just log suspicious events to a file, but it can be set up to use a database and send notifications too.
PHP Security Guide - A short, clear guide to the most common security errors in sites driven by PHP. The section on session fixation and hijacking was especially surprising to me, and I ended up rewriting some of my code to patch problems it alerted me to.
Browser Security Handbook - Google's guide is a comprehensive look at the flaws and pitfalls of the browser security model, and is essential reading for anyone building JavaScript applications. It's sometimes a bit overwhelming though, because it covers the problems in so much depth.
Salesforce's security page - Salesforce would lose a lot of sales to traditional rivals if users were bitten by security problems related to their cloud-computing model, so ensuring their external developers write secure code is important to them. The result is an excellent set of documentation that's widely applicable, even if you're not working with Salesforce. Their self-assessment tool in particular was a great starting point for an internal security audit.