Stuart McClure's Daily Security Tips for the Week of November 18th
Web Security Tip for Friday, November 22nd, 2002
Implement SSL -- Without a strong form of encryption, everything you provide to your users, and everything they provide to you (such as credit card numbers, dates of birth, etc.), is available to anyone who cares to listen. You must therefore protect every sensitive page in your web application with a strong form of encryption such as SSL or TLS. Without encryption, purchasing products on the Internet is downright suicide.
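As an added illustration (not part of the original tip), the Python snippet below shows what "strong encryption" means in practice for an application built today: the SSL protocol versions themselves are long deprecated, so the client and server contexts refuse anything below TLS 1.2, require a verified certificate, and check the hostname. The helper names and the audit dictionary are assumptions made for this example, and the server context would still need a certificate and key loaded before use.

```python
import ssl

def build_client_context() -> ssl.SSLContext:
    """Client-side context for talking to a back-end service over TLS.
    create_default_context() loads the system CA store and already sets
    CERT_REQUIRED and check_hostname; the minimum version is pinned explicitly."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def build_server_context() -> ssl.SSLContext:
    """Server-side context for the web application's sensitive pages.
    Assumed: the caller loads its certificate afterwards with load_cert_chain()."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report (assumed layout) of the settings that decide whether the channel
    is actually strong: protocol floor, peer verification, hostname check."""
    return {
        "tls12_or_better": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }

def is_sensitive_page_protected(url: str) -> bool:
    """Cheap check for the tip's rule that every sensitive page uses TLS:
    the page must be served over https, not plain http."""
    return url.strip().lower().startswith("https://")

if __name__ == "__main__":
    print(audit_context(build_client_context()))
    print(is_sensitive_page_protected("http://shop.example/checkout"))
```

The audit function is the piece worth keeping around: run it against whatever context your application actually builds, so that a later "temporary" downgrade (a lowered minimum version, or verify_mode set to CERT_NONE to silence a certificate error) shows up as a failed check rather than silently weakening every sensitive page.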
Web Security Tip for Thursday, November 21st, 2002
Input validation -- Every field in a web site or database SQL query accepts data from a user, processes it, and acts on it. If that data is nefarious by nature, crafted to a particular length or content, an attacker can take advantage of poor input validation to crash the service or, worse, execute commands. Be sure to employ rigorous input sanitization, whatever language you use.
Web Security Tip for Wednesday, November 20th, 2002
Set appropriate ACLs for the web server -- Each system on your network should have key programs either removed or slapped with restrictive access control lists (ACLs). The reason is that if an attacker does gain access to your system, you do not want them to go anywhere beyond it. So, remove or ACL as many programs as you can. Examples of these potentially damaging programs on Windows systems are cmd.exe, ftp.exe, tftp.exe, etc.
Web Security Tip for Tuesday, November 19th, 2002
Keep testing systems separate from production systems -- While not necessarily a security step in itself, performing security testing on production servers can be dangerous to your professional health. You should therefore always run both hard-core assessment reviews and hardening steps against non-production systems.
Web Security Tip for Monday, November 18th, 2002
Remove sample accounts -- A number of default accounts exist on database servers that can invalidate almost all of your security countermeasures. For example, Oracle comes installed by default with the username "oracle" and password "oracle". Remove these users and/or choose hard-to-guess passwords immediately.