General considerations

A completely secure system is a virtual impossibility, so anapproach often used in the security profession is one of balancingrisk and usability. If every variable submitted by a user requiredtwo forms of biometric validation (such as a retinal scan and afingerprint), you would have an extremely high level ofaccountability. It would also take half an hour to fill out a fairlycomplex form, which would tend to encourage users to find ways ofbypassing the security.

The best security is often unobtrusive enough to suit therequirements without the user being prevented from accomplishingtheir work, or over-burdening the code author with excessivecomplexity. Indeed, some security attacks are merely exploits ofthis kind of overly built security, which tends to erode over time.

A phrase worth remembering: A system is only as good as the weakestlink in a chain. If all transactions are heavily logged based ontime, location, transaction type, etc. but the user is onlyverified based on a single cookie, the validity of tying the usersto the transaction log is severely weakened.

When testing, keep in mind that you will not be able to test allpossibilities for even the simplest of pages. The input youmay expect will be completely unrelated to the input given bya disgruntled employee, a cracker with months of time on theirhands, or a housecat walking across the keyboard. This is why it'sbest to look at the code from a logical perspective, to discernwhere unexpected data can be introduced, and then follow how it ismodified, reduced, or amplified.

The Internet is filled with people trying to make a name forthemselves by breaking your code, crashing your site, postinginappropriate content, and otherwise making your day interesting.It doesn't matter if you have a small or large site, you area target by simply being online, by having a server that can beconnected to. Many cracking programs do not discern by size, theysimply trawl massive IP blocks looking for victims. Try not tobecome one.

add a note add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top