Difference between revisions of "Security"

From Hashphp.org
(Imported initial security page)
 
(removed a reference to tarsnap's scrypt - it's a completely unproven (and highly suspect, IMO) algorithm)
 
(One intermediate revision by the same user not shown)
Line 5: Line 5:
 
Never trust user input (cookies are user input too!).
 
Never trust user input (cookies are user input too!).
  
Hash passwords using salt to prevent rainbow attacks. Use a slow hashing algorithm, such as bcrypt (time tested) or scrypt (even stronger, but newer) ([http://www.tarsnap.com/scrypt.html 1], [http://it.slashdot.org/comments.pl?sid=1987632&cid=35149842 2]), for storing passwords. ([http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password])
+
Hash passwords using salt to prevent rainbow attacks. Use a slow hashing algorithm, such as blowfish(time tested) for storing passwords. ([http://codahale.com/how-to-safely-store-a-password/ How To Safely Store A Password])
  
 
Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until <em>after</em> you're hacked.
 
Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until <em>after</em> you're hacked.
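Review bot: The replacement line reads "blowfish(time tested)", but the line it replaces names the password hash as bcrypt; Blowfish is the cipher bcrypt is built on, not a password-hashing scheme in its own right, and the missing space makes the parenthesis read as a function call. Suggest keeping "such as bcrypt (time tested)" in the new text, i.e. "Use a slow hashing algorithm, such as bcrypt (time tested), for storing passwords."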
Line 28: Line 28:
  
 
Read [http://amzn.com/0470170778 The Web Application Hacker's Handbook].
 
Read [http://amzn.com/0470170778 The Web Application Hacker's Handbook].
 +
 +
 +
===Notes===
 +
{{Reflist}}
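Review bot: The added ===Notes=== section with {{Reflist}} has nothing to collect: the citations in this revision are inline external links ([http://codahale.com/... How To Safely Store A Password]), not <ref>...</ref> tags, so the list will render empty. Either convert the inline links to <ref> tags or drop the section; the three blank "+" lines above it are also stray additions.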

Latest revision as of 21:29, 26 July 2011

It's a lot to digest, but the OWASP Development Guide covers web site security from top to bottom.

Know about SQL injection and how to prevent it.
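The following is an added example, not code from the Hashphp page: the same user lookup written once with string interpolation and once with a PDO prepared statement. It runs stand-alone against an in-memory SQLite database; the `users` table, its rows and the helper names (`connect`, `findUserUnsafe`, `findUser`) are constructed here for the illustration.

```php
<?php
// Added example (not code from the Hashphp page): the same lookup written
// unsafely with string interpolation and safely with a PDO prepared
// statement. Runs stand-alone against an in-memory SQLite database; the
// "users" table and its rows are constructed here for the illustration.

function connect(string $dsn, string $user = '', string $password = ''): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the client library, keeps SQL text and values apart.
    ]);
}

// UNSAFE: the value is pasted into the SQL text, so any quote character in
// it becomes part of the query's syntax instead of part of the data.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $row = $pdo->query("SELECT id, name FROM users WHERE email = '$email'")->fetch();
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed; the value is bound afterwards and can only
// ever be compared as data, whatever characters it contains.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = connect('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, name) VALUES ('alice@example.com', 'Alice'), ('o''brien@example.com', 'Pat')");

// A legitimate address containing an apostrophe is enough to show the difference.
$input = "o'brien@example.com";

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    echo 'unsafe query broke on ordinary input: ', $e->getMessage(), PHP_EOL;
}

var_dump(findUser($pdo, $input));               // ['id' => 2, 'name' => 'Pat']
var_dump(findUser($pdo, 'nobody@example.com')); // NULL
```

The apostrophe that makes the interpolated query fail with a syntax error is the same mechanism an attacker uses to change a query's meaning; with the bound parameter the database never parses the value as SQL, so there is nothing to escape by hand.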

Never trust user input (cookies are user input too!).

Hash passwords with a per-user salt to prevent rainbow-table attacks, and use a slow hashing algorithm, such as Blowfish-based bcrypt (time tested), for storing them. (How To Safely Store A Password)
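As an added example (not code from the Hashphp page), here is salted, slow password storage using PHP's built-in `password_hash()` and `password_verify()` (PHP 5.5 and later), which implement bcrypt, the Blowfish-based crypt scheme. The helper names `hashPassword`, `checkPassword` and `needsUpgrade` and the `BCRYPT_COST` constant are ours; the cost-10 "old" hash at the end is constructed from the fresh one purely to show the upgrade check.

```php
<?php
// Added example, not code from the Hashphp page. password_hash() draws a
// random per-user salt and embeds it, together with the cost, in the "$2y$"
// string you store, so no separate salt column is needed.

const BCRYPT_COST = 12;   // 2^12 rounds of Blowfish key setup; raise over time

function hashPassword(string $password): string
{
    // bcrypt only looks at the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function checkPassword(string $password, string $storedHash): bool
{
    // Reads the salt and cost back out of $storedHash; constant-time compare.
    return password_verify($password, $storedHash);
}

// Call after a successful login: if the stored hash was made with a lower
// cost (or another algorithm), re-hash with the current settings and store it.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

$hash = hashPassword('correct horse battery staple');
echo $hash, PHP_EOL;   // "$2y$12$" + 22-char salt + 31-char hash; differs on every run

var_dump(checkPassword('correct horse battery staple', $hash)); // bool(true)
var_dump(checkPassword('Correct horse battery staple', $hash)); // bool(false)
var_dump(needsUpgrade($hash));                                  // bool(false)

// A hash stored years ago at cost 10 (constructed here by rewriting the cost
// field of the fresh hash, so the format stays valid) should be upgraded.
$oldHash = '$2y$10$' . substr($hash, 7);
var_dump(needsUpgrade($oldHash));                                // bool(true)
```

Because the salt and cost travel inside the stored string, the only thing the application has to keep is that one column, and raising `BCRYPT_COST` later transparently upgrades users the next time they log in.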

Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.

Know the rules for processing credit cards. (See this question as well)

Use SSL/HTTPS for login and for any page where sensitive data is entered (such as credit card details).

Know how to resist session hijacking.

Avoid cross-site scripting (XSS).
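The usual way to avoid XSS in PHP is to escape at output time, with the escaping chosen for the context the text lands in. The block below is an added example, not code from the Hashphp page: the helper names `e`, `attr` and `js` are ours, the calls inside them are PHP built-ins, and the `$name` value is constructed input that happens to contain every character a browser treats as markup.

```php
<?php
// Added example, not code from the Hashphp page: output-encoding helpers for
// the three places untrusted text usually lands in a PHP template.

// HTML body text: &, <, >, " and ' all become entities. ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute values: same escaping, and the helper adds the quotes so an
// unquoted attribute can never be written by accident.
function attr(string $s): string
{
    return '"' . e($s) . '"';
}

// Values handed to inline JavaScript: JSON-encode and hex-escape the
// characters that could close the <script> block or break out of a string.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// Constructed untrusted input: ordinary text that still contains every
// character the browser treats as markup.
$name = 'Tom & Jerry <3 "quotes" and \'apostrophes\'';

// UNSAFE: echo "<p>Hello $name</p>";   (markup inside $name is rendered as markup)
echo '<p>Hello ', e($name), '</p>', PHP_EOL;
// <p>Hello Tom &amp; Jerry &lt;3 &quot;quotes&quot; and &apos;apostrophes&apos;</p>

echo '<input name="display" value=', attr($name), '>', PHP_EOL;
// <input name="display" value="Tom &amp; Jerry &lt;3 &quot;quotes&quot; and &apos;apostrophes&apos;">

echo '<script>var displayName = ', js($name), ';</script>', PHP_EOL;
// <script>var displayName = "Tom \u0026 Jerry \u003C3 \u0022quotes\u0022 and \u0027apostrophes\u0027";</script>
```

Escaping on input (or once, globally) does not work because the same string needs different encoding in HTML text, in an attribute and inside a script; keeping the raw value and escaping where it is printed is what makes each context safe.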

Avoid cross-site request forgery (CSRF, also written XSRF).
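The two items above, resisting session hijacking and avoiding CSRF, both come down to how the session is started and how a form proves it came from your own page. The block below is an added example, not code from the Hashphp page: the function names (`startSecureSession`, `onLoginSuccess`, `currentUserId`, `csrfToken`, `csrfField`, `csrfIsValid`) are ours and every call inside them is a PHP built-in (the array form of `session_set_cookie_params` needs PHP 7.3 or later); the `checkCredentials()` in the usage comment is assumed to be supplied by your application.

```php
<?php
// Added example, not code from the Hashphp page: session-cookie hardening,
// id regeneration at login, an idle timeout, and a per-session CSRF token.

declare(strict_types=1);

function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID= in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS, so it cannot be sniffed
        'httponly' => true,    // not readable by JavaScript, so XSS cannot read it
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);
    session_start();
}

function onLoginSuccess(int $userId): void
{
    // A fresh id after authentication means an id the client already had
    // (fixed or observed before login) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
}

function currentUserId(int $maxIdleSeconds = 1800): ?int
{
    $lastSeen = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['user_id']) || time() - $lastSeen > $maxIdleSeconds) {
        return null;   // treat a stale or absent session as logged out
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $_SESSION['csrf'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfIsValid(?string $submitted): bool
{
    // hash_equals compares in constant time, so a mismatch leaks nothing
    // about how many leading bytes happened to match.
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Usage in a login handler (checkCredentials() is assumed, not defined here):
//
// startSecureSession();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     if (!csrfIsValid($_POST['csrf'] ?? null)) {
//         http_response_code(403);
//         exit('invalid CSRF token');
//     }
//     if ($userId = checkCredentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//         onLoginSuccess($userId);
//     }
// }
// echo '<form method="post">', csrfField(), ' ... </form>';
```

The cookie flags limit how a session id can leak (no URLs, no JavaScript, no plain HTTP), `session_regenerate_id` makes any id obtained before login worthless, and the token check rejects a POST that a third-party page caused the browser to send, since that page cannot read the token out of your session.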

Keep your system(s) up to date with the latest patches.

Make sure your database connection information is secured.

Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.

Read The Google Browser Security Handbook.

Read The Web Application Hacker's Handbook.
