Sunday, September 20, 2009

I have been aware for some time that I have the ability to track exploits in the web sites I support, before the network people know that anything has happened.

This article on www.searchsecurity.com confirms the developer's role in website security. The fact that most attacks reach the browser through infected web pages places responsibility for security on the developer. The high incidence of SQL injection again places responsibility on the developer to think about how the data layer is implemented, rather than taking the first example seen on MSDN as the template for the data access layer.

These tools:
  • Vulnerability Scanning
  • Penetration testing
  • SDL and source code security scanning
  • Web application firewalls
  • Choice of browser
  • Application whitelists

will not be effective until they are combined with good coding practices like:

  • Error Handling, including logging
  • Client AND server validations
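As an added illustration that is not part of the original post, the following Python script shows the data-layer point and the two coding practices above side by side: a lookup built by string concatenation (the "first example you see" pattern), the same lookup with a bound parameter, and a guarded entry point that validates on the server, binds the value, and logs both rejected input and database errors. It uses only the standard library; the in-memory SQLite table, its rows, the username rule and the probe input are all constructed for the example.

```python
"""Data-access-layer example: string-built SQL beside a parameterized,
validated and logged version. Standard library only (sqlite3, logging, re);
the schema, rows and username policy are constructed for this example."""
import logging
import re
import sqlite3


class ListHandler(logging.Handler):
    """Keeps log records in memory so the logging behaviour can be inspected."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


log = logging.getLogger("dal_example")
log.setLevel(logging.INFO)
log.propagate = False
audit = ListHandler()
log.addHandler(audit)

# Assumed policy for this example: letters, digits, underscore, 1-32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def setup_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Query built by concatenation: the caller's text becomes part of the SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, username):
    """Parameterized query: the driver binds the value; it never becomes SQL syntax."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username):
    """Server-side validation that mirrors the client rule; the client check alone can be skipped."""
    return isinstance(username, str) and USERNAME_RE.match(username) is not None


def find_user(conn, username):
    """Data-access entry point: validate, bind, and log rejections and failures."""
    if not valid_username(username):
        log.warning("rejected username input: %r", username)
        return []
    try:
        return find_user_param(conn, username)
    except sqlite3.Error as exc:
        # Record the detail server-side; return nothing rather than echoing the DB error to the client.
        log.error("database error during user lookup: %s", exc)
        return []


def rejected_inputs():
    """Messages logged at WARNING or above, i.e. the audit trail of bad input."""
    return [r.getMessage() for r in audit.records if r.levelno >= logging.WARNING]


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"  # constructed malformed input
    print("unsafe :", find_user_unsafe(conn, probe))   # both rows come back
    print("param  :", find_user_param(conn, probe))    # no row matches the literal
    print("guarded:", find_user(conn, probe))          # rejected before the query
    print("log    :", rejected_inputs())
```

Running it shows why the concatenated version is the wrong template: the probe string is treated as SQL and the WHERE clause matches every row, whereas the bound parameter is compared as a literal and matches nothing. The guarded entry point never reaches the database for that input, and the warning it writes is exactly the kind of application-level signal the post describes, visible to the developer before the network side sees anything.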

I like the idea of categorizing all web servers according to business risk. This idea can be combined with adherence to different security standards, like HIPAA.

This is from a developer's point of view; any discussion on that?

1 comment:

  1. I need to learn much more about this. Many websites today have a database backend. All blogs certainly do. More needs to be done to secure the info. I am reading your article as we speak, so to speak