I hear a lot about security/vulnerability whenever I see web hosting site advertisements or datacenter promotions.
I would like to know what they are. Are they just a marketing gimmick? Is it physical security, or some malware that may steal code/binaries (:))?
For example, I want to host a website where the server is a custom HTTP web server written in C. Assume it has well-prepared SQL queries to handle SQL injection and a nice HTTP request parser. What security considerations do I now need to take care of?
In addition to SQL injection, you'd also have to worry about XSS (cross-site scripting) and the right permissions set on your folders. Also make sure there's no room for buffer overflow attacks. These are some good basics.
OWASP also has a good list of top 10 with more details:
http://www.google.com/url?sa=t&source=web&cd=6&ved=0CFIQFjAF&url=https%3A%2F%2Fwww.owasp.org%2Fimages%2F0%2F0f%2FOWASP_T10_-_2010_rc1.pdf&rct=j&q=owasp&ei=ZyLKTYKsF4aCsQOO04mdAw&usg=AFQjCNGYRuamJ3pnCqKrnjvKLyXwHv-eiA&cad=rja
To sum up, the top 10 are:
Injection,
XSS,
Broken Authentication and Session Management,
Insecure Direct Object Reference,
Cross Site Request Forgery,
Security Misconfiguration,
Failure to Restrict URL Access,
Unvalidated Redirects and Forwards,
Insecure Cryptographic Storage,
Insufficient Transport Layer Protection.
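An added example, not from the original post or from the asker's server, of the two points in the answer that a hand-written C HTTP server gets wrong most easily: copying the request target into a fixed-size buffer without a length check (buffer overflow), and reflecting user-controlled text into an HTML response without escaping (XSS). The function names, buffer sizes and sample request lines below are my own assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; a real server would pick its own. */
#define MAX_TARGET 256

/* Extract the request target from a line such as "GET /path HTTP/1.1\r\n"
   into out (capacity out_cap). Returns the target length, or -1 if the line
   is malformed or the target would not fit. The naive version of this code
   is `strcpy(out, start)` into a fixed buffer, which is the overflow the
   answer warns about; here we reject rather than truncate silently. */
int parse_request_target(const char *line, char *out, size_t out_cap)
{
    const char *sp1 = strchr(line, ' ');
    if (!sp1) return -1;                       /* no method/target separator */
    const char *start = sp1 + 1;
    const char *sp2 = strchr(start, ' ');
    if (!sp2) return -1;                       /* no HTTP-version part */
    size_t len = (size_t)(sp2 - start);
    if (len == 0 || len >= out_cap) return -1; /* empty, or no room for NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Escape a string for safe inclusion in HTML text or a quoted attribute.
   Returns the number of bytes written (excluding the NUL), or -1 if out_cap
   is too small. Output is NUL-terminated whenever out_cap > 0. */
int html_escape(const char *in, char *out, size_t out_cap)
{
    size_t pos = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (pos + rl + 1 > out_cap) {          /* would not fit with NUL */
            if (out_cap) out[0] = '\0';
            return -1;
        }
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    if (out_cap == 0) return -1;
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char target[MAX_TARGET];
    char escaped[512];

    /* Constructed sample inputs: one normal request line and one with a
       ~500-byte target, the kind of thing a fuzzer or attacker sends. */
    const char *good = "GET /index.html HTTP/1.1\r\n";
    char evil[600];
    size_t i = 5;
    memcpy(evil, "GET /", 5);
    while (i < 500) evil[i++] = 'A';
    strcpy(evil + i, " HTTP/1.1\r\n");

    printf("good -> %d (%s)\n", parse_request_target(good, target, sizeof target), target);
    printf("evil -> %d\n", parse_request_target(evil, target, sizeof target));

    /* Reflecting a query parameter back into the page: escape it first. */
    const char *user_input = "<script>alert(1)</script>";
    if (html_escape(user_input, escaped, sizeof escaped) >= 0)
        printf("<p>You searched for: %s</p>\n", escaped);
    return 0;
}
```

The important design choice is that an over-long target is an error, not something to truncate: truncation hides the attack and can turn `/admin/../x` into a different path. Escaping at output time, in the context the data lands in (HTML text here), is what closes the XSS hole; parameterised SQL does nothing for that.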