Website development has been around since Tim Berners-Lee invented HTML and the web browser back in 1989. The whole field of web development has undergone some drastic changes since those heady days.
One of the most important aspects of web development is that of security. We’ve all heard stories about how high-profile websites have been hacked, and we web developers take internet security very seriously.
One of the ways that this can happen is by SQL injection, a method of inserting malicious code into a website through an online form. Consider this query:
"SELECT * FROM table WHERE column = '" + parameter + "';"
If an attacker changed the URL parameter to pass in ' OR '1'='1 the query would look like this:
"SELECT * FROM table WHERE column = '' OR '1'='1';"
Since '1' is always equal to '1', the WHERE clause is true for every row, so the query returns data it was never meant to expose. The attacker can also append an additional query to the end of the SQL statement, and that additional query will be executed too. Similar hacks are used to log into a website without needing a password.
There are several good tools out there that will help you discover SQL injection vulnerabilities, such as NetSparker and OpenVAS.
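As an added example (not code from the original article), the concatenated query from above beside its parameterized form, run against a constructed in-memory SQLite table; the users table and its columns are assumptions standing in for the page's "table" and "column":

```python
import sqlite3


def build_db():
    # Constructed sample data; stands in for the article's "table" / "column".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, parameter):
    # The concatenation pattern from the article: user input becomes SQL text,
    # so a value like ' OR '1'='1 turns the WHERE clause into a tautology.
    sql = "SELECT * FROM users WHERE username = '" + parameter + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, parameter):
    # The fix: a bound placeholder keeps the input as data, never as SQL syntax,
    # so the same value is simply compared literally against the column.
    sql = "SELECT * FROM users WHERE username = ?;"
    return conn.execute(sql, (parameter,)).fetchall()


def demo():
    # Runs both lookups with a legitimate value and with the page's injection string.
    conn = build_db()
    injected = "' OR '1'='1"
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterized(conn, "alice"),
        "attack_vuln": lookup_vulnerable(conn, injected),   # every row leaks
        "attack_safe": lookup_parameterized(conn, injected),  # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

sqlite3's execute() refuses stacked statements, so this shows the tautology half of the attack; the parameterized version neutralises both halves because the input can never terminate the string literal.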
In custom web development, cross-site scripting (XSS) is another form of malicious attack that uses web forms, most commonly with injected JavaScript or HTML. When creating a form, always check the data being submitted and encode or strip out any HTML before it is displayed to other users.
As website developers, we all know that we should use long, strong passwords that are difficult to guess. However, many people still do not do this. The number of people who have ‘password’ as their password is staggering. Passwords should contain a mixture of uppercase letters, lowercase letters, numbers and symbols. Do not use the same password for more than one account. If you have difficulty remembering your many passwords, use a password manager such as LastPass. There is a free version available.
Passwords should never be stored in plain text but as hashed values. One such hashing algorithm is SHA. It is also a good idea to salt passwords for an added layer of security – the content management system WordPress does this. If you are hacked and your password list is stolen, it is more difficult for hackers to determine the passwords if they are hashed, and even more so if they are also salted.
If you are processing personal or customer data, it is wise to get a TLS certificate, or, to give it its more common, older name, an SSL certificate. This protects against hacks that target the data in transit between the web browser and the server.
Hackers often exploit a flaw in a new version of software on the day it is released, before any patch exists. This is known as a zero-day hack. Patches are then supplied to the users of the software to close the hole and prevent the hackers from getting in again. Of course, internet security is especially relevant to the banking industry and law enforcement agencies. One of the fastest growing crimes is cybercrime, and law enforcement agencies often have cybercrime specialists.
Internet security is also relevant for personal security, especially with the popularity of online shopping. Use sites you trust, with a padlock in the browser window. This means that the connection to the site is encrypted. If you are in the UK, pay by credit card rather than debit card, so that if there is a problem the credit card company is also liable.
Internet security is of special significance to the web developer. Do you want to be known as the web developer whose websites get hacked on a regular basis?