Over the years of developing web-based applications, I have learned a fair amount about following good security practices in code. So I thought I would share some of those practices here:
- Check Parameters - Always check the GET and POST parameters that your application accepts for legal values. These parameters are a critical avenue that attackers typically exploit by jamming values into them that you don’t expect. So, for example, if you’re accepting a two-character state code as a parameter, you should check the value you get during a submit against a list of known state codes.
- Require Good Passwords - If your website allows users to create login accounts then you will almost always need to enforce the use of strong passwords that have a mix of alphanumeric and special characters. Don’t allow the password to contain the account name.
- Safely Store Passwords - Passwords should never be stored in clear text. The best way to store them is to not store them at all. Instead, store a cryptographic hash of the password. As an extra level of protection, encrypt the table that stores your user account information.
- Frustrate Password Cracking - Automated tools exist that allow hackers to crack passwords by trying to log in to a website repeatedly. If you lock the user account after (let’s say) 5 failed attempts you can prevent this type of attack. Another approach is to introduce an increasing delay between each login validation (e.g., 1 second, 2 seconds, 4 seconds, etc.).
- Beware of Temporary Storage - It’s easy to forget about temporary files that your website may create on the server. But if some of these contain passwords or credit card information they could present a possible avenue for attack. Try to avoid passing around critical information in files if at all possible (use shared memory instead).
- Provide an HTTPS Mode - I’m seeing more sites that are providing an option that allows the user to specify that HTTPS should always be used. Twitter has an “Always Use HTTPS” checkbox. The performance penalty with HTTPS isn’t as substantial as in the past so it’s not something we, as website providers, need to be as concerned about anymore.
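The parameter check, password storage and password-cracking items above fit together naturally in one small account module, so here is one as an added example. This is not code from the original post: it uses a constructed allowlist of four state codes (not the full list), an in-memory account table standing in for the database, a salted PBKDF2-HMAC-SHA256 hash with a hypothetical iteration count, and the 5-failure lockout and 1/2/4-second delay described in the post.

```python
import hashlib
import hmac
import os
import time

# Constructed allowlist for the "state" parameter (a short sample, not the
# full set of US state codes).
KNOWN_STATE_CODES = frozenset({"CA", "NY", "TX", "WA"})

MAX_FAILED_ATTEMPTS = 5      # lock the account after this many failures
PBKDF2_ITERATIONS = 200_000  # hypothetical cost setting; tune for your hardware


def validate_state_code(value):
    """Allowlist check for a GET/POST 'state' parameter.

    Returns the normalised code, or None when the value is not a known code
    (the caller treats None as a bad request rather than trying to repair it).
    """
    if not isinstance(value, str):
        return None
    code = value.strip().upper()
    return code if code in KNOWN_STATE_CODES else None


def password_is_strong(password, account_name):
    """Minimum policy from the post: mixed character classes, no account name."""
    if len(password) < 10:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_alpha and has_digit and has_special):
        return False
    return account_name.lower() not in password.lower()


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute the digest with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


class AccountStore:
    """In-memory account table standing in for the real user table."""

    def __init__(self, sleeper=time.sleep):
        self._accounts = {}
        self._sleep = sleeper  # injectable so tests do not actually wait

    def register(self, name, password):
        if not password_is_strong(password, name):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self._accounts[name] = {"salt": salt, "digest": digest, "failures": 0}

    def login(self, name, password):
        """Return 'ok', 'locked' or 'denied'; each failure costs a growing delay."""
        acct = self._accounts.get(name)
        if acct is None:
            return "denied"  # same answer as a wrong password
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if verify_password(password, acct["salt"], acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        # 1 s, 2 s, 4 s, ... after successive failures, as the post suggests
        self._sleep(2 ** (acct["failures"] - 1))
        return "denied"
```

The sleep function is passed in so the delay policy can be exercised without waiting, and `hmac.compare_digest` is used for the hash comparison so that a mismatch takes the same time whichever byte differs.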
More security posts to come in the future…
The Wall Street Journal has an interesting article on the struggle that Google is facing in promoting Google+ as a social networking alternative to Facebook and Twitter.
Google+ just does not seem to have the same sort of addictive quality that Facebook and Twitter have. The “switching cost” is also significant since rebuilding your network of friends is a time-consuming chore. It’s difficult to see what will start driving social networking fans into Google’s arms anytime soon.
I’ve done a fair amount of user interface design during my career and I also know what I like to see when I stumble upon a website. Here are some basic principles I think every site should attempt to follow:
- Speed - do things fast! If your underlying system has to take a long time to do things, entertain and inform the user while it’s happening. You’d be amazed how far an animated GIF can go.
- Minimalist Design - focus on the minimal set of UI controls needed to perform the task. Google’s main search page is a good example.
- Economize on Text - question every piece of text on a page. Does it really need to be there? Use phrases instead of sentences where possible. If there’s too much text on the page the user won’t read it all.
- Terminology - use the simplest and most descriptive terms that are familiar to the user. Avoid technical jargon as much as possible so that non-technical users can figure out what you mean (the technical user will figure it out either way).
- Error Handling - when reporting errors, clear language is essential; also point the user to the solution.
- Help - display context-sensitive help when possible; should be visually appealing with straightforward descriptions.
- Consistency - use the same controls for actions that the user takes throughout the UI. For example, adding or removing an item from a list.
- Icons & Graphics - use sharp icons and appealing graphics; use tooltips to explain what icons do if there is no accompanying text.
- Breadcrumb Trails - if your site has depth in terms of navigation, use a breadcrumb trail or some other mechanism to show the user how to get back to where they started.
- Expect User Mistakes - design every interface assuming the user will enter the wrong values or do the exact opposite of what you intend. Don’t punish the user for doing something you think is dumb. Don’t assume they have as much background knowledge of the domain as you or many others do.