Security key points when developing web applications

Millions of people worldwide use the Internet to consult their bank, transfer funds, make purchases, do research...

In each case, private information flows over the network and is stored in different ways. To carry out these transfers of information, companies have necessarily had to open their networks, firewalls and routers: there is always at least one opening through which this information passes. Firewalls and security infrastructure are not watertight and cannot be considered the ultimate defense of a network.

From a security point of view, firewalls and SSL cover only a small part of securing a web application. SSL only encrypts information in transit; it gives no assurance about the destination of that information. And firewalls, as already said, are necessarily open, generally on port 80, to provide the service. Over 80% of sites contain vulnerabilities: consider that eight out of ten of the sites visited daily contain a security flaw that threatens the data of the users using them and/or the business behind them.

These vulnerabilities allow an attacker to exploit personal data or to execute administrative commands and take over the site. Whatever happens, every website has its own security profile, and is only exposed to certain attacks.

Failure to validate input data is the major cause of flaws: data received from outside the application, whatever its source, should never be considered safe. This includes all data provided through HTTP requests: GET and POST parameters, HTTP headers, cookies... This is a key point that the developer should always keep in mind. If the information comes from anywhere outside the site, it must in all cases be validated and checked for suitability against what is expected.

For example, accept only data in the expected character set. If an integer is expected, accept only digits, and systematically convert and type all data. Accept a date only in the expected format; an email address must be purged of the symbols it cannot contain, and checked to ensure it contains those it must contain. Likewise, if you expect 15 characters, do not accept more... Whatever the data, characters that may have a special meaning in later processing must be removed: HTML tags, JavaScript code, PHP code...
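As an added example (not code from the original article), here is a small allow-list validator in Python that applies the rules above to a constructed form: the field names, rules and sample request are assumptions for illustration, not taken from any real application.

```python
import re
from datetime import datetime
# Allow-list rules for the fields this hypothetical form expects. Anything
# that does not match is rejected outright rather than "cleaned up".
RULES = {
    "user_id":  {"type": "int"},
    "birthday": {"type": "date", "fmt": "%Y-%m-%d"},
    "email":    {"type": "email", "max": 254},
    "nickname": {"type": "text", "max": 15, "charset": r"[A-Za-z0-9_ ]+"},
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validate(params, rules=RULES):
    """Return (clean, errors): typed values for fields that passed every check,
    and the rejection reason for each field that did not (or that is missing)."""
    clean, errors = {}, {}
    for name, rule in rules.items():          # unexpected parameters are dropped
        raw = params.get(name)
        if raw is None:
            errors[name] = "missing"
            continue
        raw = str(raw)
        if len(raw) > rule.get("max", 1000):  # length limit before any parsing
            errors[name] = "too long"
            continue
        try:
            if rule["type"] == "int":         # ASCII digits only, then convert and type
                if not re.fullmatch(r"[0-9]+", raw):
                    raise ValueError("not an integer")
                value = int(raw)
            elif rule["type"] == "date":      # strptime rejects any other layout
                value = datetime.strptime(raw, rule["fmt"]).date()
            elif rule["type"] == "email":     # must contain exactly what an address needs
                if not EMAIL_RE.fullmatch(raw):
                    raise ValueError("not an email address")
                value = raw.lower()
            else:                             # free text: expected character set only
                if not re.fullmatch(rule["charset"], raw):
                    raise ValueError("unexpected characters")
                value = raw
        except ValueError as exc:
            errors[name] = str(exc)
            continue
        clean[name] = value
    return clean, errors

# Constructed sample request: three well-formed fields, one carrying HTML
# markup in a text field, and one parameter the form never asked for.
SAMPLE_REQUEST = {"user_id": "42", "birthday": "1999-12-31", "debug": "1",
                  "email": "Alice@Example.org", "nickname": "bob<b>x</b>"}
```

Running `validate(SAMPLE_REQUEST)` keeps the three expected fields with their converted types and reports the nickname as rejected; the unexpected `debug` parameter never reaches the application.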

The application should be scrutinized carefully at all levels, including SQL and web server connections, and obviously this extends to any other system your application talks to. This ensures that data has not been compromised and that no falsified data has been sent in order to take control of your application.

Security is paranoia, and defense is at every level: entities such as Google, Yahoo, Facebook or Twitter have experienced attacks, some very ingenious.

Validation of input data, the database, web server configuration, proxies, firewalls, data encryption, administration of the operating system...

It is also necessary to test the security of each layer frequently; this greatly reduces the risk. A system is usually connected from multiple places to multiple services, such as a database, web services, directories and various data sources. The more complex the architecture, the harder it is to enforce secure development and quality of service. Leaving code hanging around in comments, and keeping unused files in the final version, reduce the overall security of a project. The production version of an application must be audited separately from the development version, and after quality assurance has passed.

A hacker is smart, fast and has a good nose, and if he can find you, he will!

Updated code should trigger a re-verification of security: large companies' applications are constantly under maintenance and are often updated.

Developers under pressure tend to go fast and rush through certain passages, even though a tiny piece of code can suddenly bring security down. The process of code analysis and audit must be planned with professionals. MySpace had to close for 24 hours in 2006 due to an XSS attack; at the time it hosted 32 million user accounts...

From there, you have to accept that yes, my code is fallible, and I will investigate how to reduce these vulnerabilities. Learn to use scanners and HTTP request tools, rather than trying to break it by hand.

Applying a patch requires updating the code. A patch is downloaded and "simply" applied. But for a web application, resolving a security problem means rewriting some, or many, parts of the code, and this rewrite process may itself be a source of new vulnerabilities.

Good security is based on both software and professional people. A web developer should clearly understand how the Internet and the network work, in order to control each line of code he or she produces.
