Revision as of 21:29, 26 July 2011 by TML (Talk | contribs) (removed a reference to tarsnap's scrypt - it's a completely unproven (and highly suspect, IMO) algorithm)


It's a lot to digest, but the OWASP Development Guide covers web site security from top to bottom.

Know about SQL injection and how to prevent it.

Never trust user input (cookies are user input too!).

Hash passwords with a per-user salt to defeat rainbow-table attacks. Use a slow hashing algorithm, such as the time-tested Blowfish-based bcrypt, for storing passwords. (How To Safely Store A Password)

Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.

Know the rules for processing credit cards. (See this question as well)

Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info).

Know how to resist session hijacking.

Avoid cross-site scripting (XSS).

Avoid cross-site request forgery (CSRF, also written XSRF).

Keep your system(s) up to date with the latest patches.

Make sure your database connection information is secured.

Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.

Read The Google Browser Security Handbook.

Read The Web Application Hacker's Handbook.