How to protect your business on the net. Several words concerning safety.

When creating startups, i.e. payment-acceptance systems for on-line stores, customers first pay attention to functionality and design and only after that turn their eyes to safety. It is good if they think about safety at all: many of them are so pleased with a beautiful template and well-thought-out functionality that they put their project into operation at once, and do so in vain. Hackers scan the system very fast and find its weak points, after which the project's owner cannot avoid problems. Among the latest cracks let us recall, for example, vshtabe.ru, where the data of all registered users was stolen. Think: if the users had put money on that site, what would the losses have been? As barman Scott once said, invulnerable systems do not exist, but one must still strive for perfection. That is why everybody who develops a web-site that will operate with finances should follow the main principles of safety:

1. Never use a public web-server to keep critical information which should be accessible only to internal users (compromise of this public web-server will inevitably lead to compromise of this data). You should either rent a dedicated server at a good hoster or run your own server using the services of a good administrator.

2. Choice of programming language. This is no less important a factor: if you want to secure your site maximally, forget about using PHP. This language is discussed on all hacker forums; hackers know its mistakes even in the interpreter itself, and it is impossible to protect against them. Today it is good practice to use the .NET platform for secured web-applications, but it has a number of defects. The optimal variants are Python, Perl and Java. Special caution is also required when downloading ready-made scripts or running files from the Internet. Many web-administrators want to save time by downloading freely accessible code from the Internet. Although the convenience is evident, the risk is big as well. It does not make sense to save on such projects, and it is mandatory to create even the smallest modules yourself.

3. URLs and cookies. A URL is the address kept in the address line of your browser. The data it contains is kept not only there but also in the logs of proxy-servers and in HTTP Referer logs. These storage places should be encrypted carefully, as the data contained in them may become the basis of attacks on your server. Special attention should be paid to encryption for IE, as it is the favorite tool of hackers. The same concerns cookies: keeping them in unencrypted form can give a key for attacks.

4. Vulnerability of active-content technologies on the client side. Although everybody praises ActiveX overmuch, it is the most vulnerable technology, and we pay tribute to the good old JavaScript and VBScript, which despite everything are still in the lead. The simplicity of these environments provides safety.

In addition there are 3 rules which help you to provide security for your on-line application:

Rule 1. Never trust information coming from a client to the server. Any byte received by the server may be part of a hacker attack. Filter every super-global variable before each use. If your web-application has a protected area with access by login and password, it is mandatory to add a good captcha to it; it will protect your web-application against brute-force attacks. Careful observance of the First Rule protects you against the most widespread hacker attacks, such as XSS, SQL and SSI injections.

Rule 2. Never show a client anything except what he has to see; to be more exact, nothing except HTML pages. The other parts and details of the process should be hidden. Limit the data shown in the HTTP headers of the server response to the necessary minimum. If you use sessions and cookies for access to the closed parts of the site, we recommend saving nothing in the cookie except the session identifier. Generation of random SessionIDs and a session timeout is an undoubted axiom. Having implemented the Second Rule on your server, you will be free of the vulnerability named "Information Disclosure" (translated into Russian it would mean "every barber knows that").

Rule 3. Never rely on the security of the platform on which your web-application operates. Any software that serves as a platform for your web-application (operating system, web-server, database server and so on) most likely has a lot of weak points, both known and unknown. Install the latest stable versions of software. Update your software as often as possible, ideally immediately after a new update appears.

Observance of the principles described in the Third Rule lets you solve many security problems. For example, installing the latest patches for the operating system allows you to avoid DoS or buffer-overflow attacks; installing the latest versions of PHP5 prevents HTTP request-splitting attacks; installing and correctly setting up a firewall closes access to the server through unneeded ("left") ports. Do not save on the security of your resources. Google never saved and, as a result, became the greatest web-empire. So now it is your turn.
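The First and Second Rules above are abstract; the following Python module is an added example (not code from the original article) that shows what "filter every variable before use" and "keep nothing in the cookie but a random session id with a timeout" look like in practice. Python is one of the languages the article recommends. Everything in it is constructed for illustration: the in-memory SQLite `users` table, the 15-minute idle timeout, the username alphabet, and the cookie name `sid` are assumptions, not anything from the article. The vulnerable lookup is kept beside the parameterised one only to show why binding parameters matters.

```python
import html
import re
import secrets
import sqlite3
import time

# Constructed policy values for the example: 15-minute idle timeout, 3-32 char usernames
SESSION_TTL_SECONDS = 900
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(raw):
    """Rule 1: whitelist-validate client input before any use; reject the rest outright."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def find_user_vulnerable(conn, username):
    """'Before' form: concatenation lets the client's bytes be parsed as SQL."""
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter and can never alter the statement."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting(username):
    """Escape on output so markup in a stored value cannot become script in the page (XSS)."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


class SessionStore:
    """Rule 2: server-side session table keyed by an opaque random id, with idle timeout."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock so the timeout can be tested deterministically
        self._sessions = {}      # session id -> (user id, last activity timestamp)

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG; never a counter, timestamp or hash of the username
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user_id, self._now())
        return sid

    def lookup(self, sid):
        """Return the user id for a live session, or None if unknown or timed out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, last_seen = entry
        if self._now() - last_seen > self._ttl:
            del self._sessions[sid]   # expired sessions are dropped, not silently extended
            return None
        self._sessions[sid] = (user_id, self._now())
        return user_id


def set_cookie_header(sid):
    """The cookie carries only the session id; user data stays on the server."""
    return "Set-Cookie: sid=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % sid


def response_headers(sid):
    """Minimal header set: content type and the session cookie, no server or framework banners."""
    return ["Content-Type: text/html; charset=utf-8", set_cookie_header(sid)]


def build_demo_db():
    """Constructed in-memory table with two sample users (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    tainted = "x' OR '1'='1"
    print("concatenated query returned", len(find_user_vulnerable(conn, tainted)), "rows")
    print("parameterised query returned", len(find_user_safe(conn, tainted)), "rows")
    store = SessionStore()
    sid = store.create(1)
    print("\n".join(response_headers(sid)))
    print(render_greeting("alice <b>"))
```

Run it directly to see the same tautology input return every user through the concatenated query and no rows through the bound one; in a real handler `validate_username` would have rejected it before either query ran. The session id is the only state the browser holds, so a leaked cookie reveals nothing about the account, and an idle session dies on its own after the timeout.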