Whilst security overall on the Internet has improved greatly over the past decade, some users are still wary about carrying out particular tasks online – especially where there is a need to enter personal information – and because of this, it is down to web developers and the businesses operating websites to guarantee that they have the right safeguards in place so that customers feel confident with using their website. Whilst many web developers will be familiar with security measures such as SSL certificates that encrypt the information sent between a visitor’s computer and the server that is hosting the website, these have shown to be vulnerable and indeed recent leaks have proved that the NSA has managed to crack the algorithms behind SSL. It takes a professional and well-skilled developer to craft a secure website because you need to be confident in the code that you are writing – any holes in the code that lies behind your website could represent potential exploits and access points for hackers.
Secure Coding Techniques
During the development of a web application, it is important to observe secure coding techniques so that the end result is one that is close to what you are trying to achieve and so that you won’t end up discovering a number of security holes during the testing process. Examples of secure coding techniques can include:
- Define security requirements early on – it is always a good idea to define the security requirements of a project early on in its life cycle so that everyone who is contributing towards the effort is able to develop code to the same standard and this will also reduce the chances of scripting needing to be modified to meet these requirements later on in the development process
- Principle of least privilege – if there are processes included in the web application that require escalated privileges, you should endeavour to execute these processes with the least privileges possible and where escalated access is needed, this should be for a minimal amount of time to reduce the opportunities for hackers to exploit any holes in the script and gain access to the server
- Model threats – identify the any potential threats and discuss what you should be doing to circumvent these; some web applications are going to be at a higher risk of attack than others, for example online banking systems, and there are other factors that will affect the types of threat that you will be exposed to including the scripting language used to develop the web application and even the target audience.
Security of Scripting Languages and Frameworks
Whilst all scripting languages and frameworks have been created with the intention of providing a solid core around which web applications can be developed, all possess their own characteristics in terms of the support that they offer and the features that are provided as standard. Some of the security elements of the most popular scripting languages include:
- PHP – overall PHP can be described as being a highly secure platform and this is reflected in the fact that it is used by a number of global companies to power their internal and external websites – the benefit of PHP is that it is an open source platform meaning that if you have your own server, you can make changes to the core of the platform to guarantee yourself that extra bit of security, some of these changes may include turning of error reporting or disabling particular functions such as ‘register_globals’ or ‘magic_quotes’
- ASP.NET – in comparison with PHP, ASP.NET is a closed platform but has close ties with the Windows operating system and because it has been created by Microsoft, you can be guaranteed swift updates when any security holes are discovered – whilst not much can be done to improve the security of ASP.NET yourself, having paid for Windows you would expect commercial platforms to inherently come with a higher level of security than their open source equivalents.
As a conclusion, using an up-to-date version of PHP or ASP.NET on a secure server provides a strong basis on which you can develop web applications that will be able to see of most forms of attack. Observing secure coding practices from the outset of a project will enable you to create a product that will give visitors the confidence they need to use your website and is likely to reduce your overall work load as it reduce the amount of modifications that need to be made once testing has been completed.