Bill Wixted's Blog

Wise Website Security Practices

Over the years developing web-based applications I have learned a fair amount about following good security practices in your code. So I thought I would share some of those practices here:

  • Check Parameters - Always check GET and POST parameters that your application accepts for legal values. These parameters are a critical avenue that attackers typically exploit by jamming values into them that you don’t expect. So, for example, if you’re accepting a two-character state code as a parameter you should check the value you get during a submit against a list of known state codes.
  • Strip Suspicious Text - If your website accepts any kind of text string you can be sure that some malicious user will attempt to embed JavaScript into it to try to exploit browser vulnerabilities that other users of your site may not be protected against. Attacks of this variety are commonly known as XSS (Cross Site Scripting) attacks. You will want to search for strings like “<script”, “<embed”, “<object”, and the like and take appropriate action like stripping the strings out or escaping them.
  • Require Good Passwords - If your website allows users to create login accounts then you will almost always need to enforce the use of strong passwords that have a mix of alphanumeric and special characters. Don’t allow the password to contain the account name.
  • Safely Store Passwords - Passwords should never be stored in clear text. The best way to store them is to not store them at all. Instead, store a cryptographic hash of the password. As an extra level of protection, encrypt the table that stores your user account information.
  • Frustrate Password Cracking - Automated tools exist that allow hackers to crack passwords by trying to log in to a website repeatedly. If you lock the user account after (let’s say) 5 failed attempts you can prevent this type of attack. Another approach is to introduce an increasing delay between each login validation (e.g., 1 second, 2 seconds, 4 seconds, etc.).
  • Beware of Temporary Storage - It’s easy to forget about temporary files that your website may create on the server. But if some of these contain passwords or credit card information they could present a possible avenue for attack. Try to avoid passing around critical information in files if at all possible (use shared memory instead).
  • Provide an HTTPS Mode - I’m seeing more sites that are providing an option that allows the user to specify that HTTPS should always be used. Twitter has an “Always Use HTTPS” checkbox. The performance penalty with HTTPS isn’t as substantial as in the past so it’s not something we, as website providers, need to be as concerned about anymore.
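As an added example (not code from the original post), here is how the first two practices above look in Python: GET/POST parameters are checked against an allowlist of legal values, using the two-character state code case from the post, and submitted text is entity-escaped so that a “<script” or “<embed” in it can never become markup. The parameter names, their rules and the sample request are constructed for this illustration.

```python
import html
import re

# Constructed allowlist of legal values for the two-character state parameter
# (a few US codes here; a real site would load the complete list).
KNOWN_STATE_CODES = {"CA", "NY", "TX", "WA"}

# Every accepted GET/POST parameter maps to a rule; unknown names are rejected.
PARAM_RULES = {
    "state": lambda v: v in KNOWN_STATE_CODES,
    "page": lambda v: re.fullmatch(r"[1-9][0-9]{0,3}", v) is not None,
    "comment": lambda v: len(v) <= 500,
}


def check_params(params):
    """Return only the parameters that pass their rule.

    Raises ValueError for an unexpected parameter name or an illegal value,
    so a jammed-in value never reaches the application logic.
    """
    clean = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ValueError(f"unexpected parameter: {name!r}")
        if not isinstance(value, str) or not rule(value):
            raise ValueError(f"illegal value for parameter {name!r}")
        clean[name] = value
    return clean


def escape_for_html(text):
    """Escape user text so the browser shows it as text instead of markup.

    Escaping every '<', '>', '&' and quote means a "<script" or "<embed"
    in the input can never form a tag, whatever surrounds it.
    """
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample request: a legal state code plus a comment carrying markup.
    request = {"state": "CA", "page": "2", "comment": "<script>alert(1)</script> nice site"}
    clean = check_params(request)
    print(escape_for_html(clean["comment"]))
```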
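Added example, not the author's code: a Python sketch of the password storage and password-cracking practices above. It stores a salted PBKDF2 hash instead of the password, compares it in constant time, applies the 1, 2, 4 second delay after each failed login, and locks the account after 5 failures. The `LoginGuard` class, its status strings and the clock passed in as `now` are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

LOCKOUT_AFTER = 5        # consecutive failures before the account is locked
PBKDF2_ROUNDS = 100_000  # work per guess; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return (salt, digest); only this salted PBKDF2-HMAC-SHA256 digest is stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not reveal how much of the hash matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def delay_after_failures(failures):
    """Increasing delay in seconds after each failed login: 1, 2, 4, 8, ..."""
    return 0 if failures == 0 else 2 ** (failures - 1)


# Unknown usernames are checked against this record so they cost as much as a wrong password.
DUMMY_RECORD = hash_password("")

class LoginGuard:
    def __init__(self):
        self.accounts = {}    # username -> (salt, digest)
        self.failures = {}    # username -> consecutive failed attempts
        self.not_before = {}  # username -> earliest time (seconds) of the next attempt

    def register(self, username, password):
        self.accounts[username] = hash_password(password)

    def attempt(self, username, password, now):
        """Return 'ok', 'bad_password', 'too_soon' or 'locked'; `now` is a clock in seconds."""
        if self.failures.get(username, 0) >= LOCKOUT_AFTER:
            return "locked"
        if now < self.not_before.get(username, 0):
            return "too_soon"
        salt, digest = self.accounts.get(username, DUMMY_RECORD)
        if verify_password(password, salt, digest) and username in self.accounts:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = n = self.failures.get(username, 0) + 1
        self.not_before[username] = now + delay_after_failures(n)
        return "bad_password"
```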

More security posts to come in the future…

Google+’s Uphill Battle

The Wall Street Journal has an interesting article on the struggle that Google is facing in promoting Google+ as a social networking alternative to Facebook and Twitter.

Google+ just does not seem to have the same sort of addictive quality that Facebook and Twitter have. The “switching cost” is also significant since rebuilding your network of friends is a time-consuming chore. It’s difficult to see what will start driving social networking fans into Google’s arms anytime soon.

Effective User Interface Design

I’ve done a fair amount of user interface design during my career and I also know what I like to see when I stumble upon a website. Here are some basic principles I think every site should attempt to follow:

  • Speed - do things fast! If your underlying system has to take a long time to do something, entertain and inform the user while it’s happening. You’d be amazed how far an animated gif can go.
  • Minimalist Design - focus on the minimal set of UI controls needed to perform the task. Google’s main search page is a good example.
  • Economize on Text - question every piece of text on a page. Does it really need to be there? Use phrases instead of sentences where possible. If there’s too much text on the page the user won’t read it all.
  • Terminology - use the simplest and most descriptive terms that are familiar to the user. Avoid technical jargon as much as possible so that non-technical users can figure out what you mean (the technical user will figure it out either way).
  • Error Handling - when reporting errors, clear language is essential; also point the user to the solution.
  • Help - display context-sensitive help when possible; it should be visually appealing, with straightforward descriptions.
  • Consistency - use the same controls for actions that the user takes throughout the UI, for example adding or removing an item from a list.
  • Icons & Graphics - use sharp icons and appealing graphics; use tooltips to explain what icons do if there is no accompanying text.
  • Breadcrumb Trails - if your site has depth in terms of navigation, use a breadcrumb trail or some other mechanism to show the user how to get back to where they started.
  • Expect User Mistakes - design every interface assuming the user will enter the wrong values or do the exact opposite of what you intend. Don’t punish the user for doing something you think is dumb. Don’t assume they have as much background knowledge of the domain as you or many others do.

Good Object-Oriented PHP Habits

Here’s a good article from IBM’s DeveloperWorks site about good object-oriented programming habits in PHP. There are a lot of very good common-sense practices here.