Security
There are so many Web sites out there that the odds are that nobody will try to hack yours. But the unpleasant reality is that it might happen, so you can ill afford to invest your time and money in a Web developer who doesn't have an appropriate level of understanding of how hackers work.
It is impossible to make a Web site 100% secure, but there are ways to improve its security to the point where it is hardly worth a hacker's effort to pursue it. Here we present the three major areas where security considerations are necessary.
Server Vulnerability
The first line of defense is to make sure that the company that hosts your Web site has taken reasonable precautions so that its systems are immune to attack. Such precautions include:
- Use of up-to-date server software with no known security vulnerabilities. There is still a lot of older software in use that has known loopholes.
- The server is free from unnecessary services such as Telnet that can be used by hackers to gain a foothold.
- All directories are closed against browsing and unauthorized FTP access.
Coding Loopholes
Errors in the coding of the Web pages themselves are the single greatest and easiest means of attacking a Web site, which is a prime reason why you should select a Web developer with care.
- Query string parameters are rigorously validated to avoid two of the most common forms of attack.
- Generated HTML and client-side scripting contain no sensitive information such as passwords.
- Java applets contain no sensitive information that could be extracted by reverse engineering.
- Cookies are used only when necessary and designed not to reveal sensitive information.
- Support files such as Java JAR files contain no unnecessary information, as this can often be exploited by hackers.
- Sessions are validated against the address of the originating computer so that hackers cannot get in and take over someone else's session.
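As an added illustration of the first item above (query string validation), not code from the original page, here is a strict allowlist validator in Python. It assumes a hypothetical search page that accepts only the parameters `page`, `sort` and `q`; every parameter must be declared in a schema with its type and limits, and anything unlisted, repeated or malformed is rejected before the value reaches any further code.

```python
import re
from urllib.parse import parse_qs

# Constructed schema for a hypothetical search page (an assumption, not
# from the original page): each accepted parameter is listed with its
# type and limits. Unlisted or non-matching parameters are rejected.
SCHEMA = {
    "page": {"type": "int", "min": 1, "max": 10000},
    "sort": {"type": "enum", "values": {"name", "date", "price"}},
    # Only ASCII letters, digits, underscore, space, dot and hyphen.
    "q": {"type": "str", "max_len": 64,
          "pattern": re.compile(r"[\w .-]*", re.ASCII)},
}


class ValidationError(ValueError):
    """Raised for any parameter that fails the allowlist rules."""


def validate_query(query_string):
    """Return a dict of cleaned, typed parameters or raise ValidationError."""
    raw = parse_qs(query_string, keep_blank_values=True)
    cleaned = {}
    for name, values in raw.items():
        if name not in SCHEMA:
            raise ValidationError(f"unexpected parameter: {name!r}")
        if len(values) != 1:
            # A parameter given twice is ambiguous; refuse rather than guess.
            raise ValidationError(f"parameter {name!r} given {len(values)} times")
        rule, value = SCHEMA[name], values[0]
        if rule["type"] == "int":
            if not (value.isascii() and value.isdigit()):
                raise ValidationError(f"{name!r} must be a whole number")
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                raise ValidationError(f"{name!r} out of range")
            cleaned[name] = number
        elif rule["type"] == "enum":
            if value not in rule["values"]:
                raise ValidationError(f"{name!r} is not an allowed value")
            cleaned[name] = value
        else:  # "str"
            if len(value) > rule["max_len"] or not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name!r} is too long or contains disallowed characters")
            cleaned[name] = value
    return cleaned


def is_valid(query_string):
    """Convenience wrapper: True if the whole query string passes validation."""
    try:
        validate_query(query_string)
        return True
    except ValidationError:
        return False
```

The cleaned values come back already typed (an `int` for `page`), so downstream code never handles the raw string.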
Secure Communications
Sophisticated hackers have an array of specialized software tools available to help them in their work. One such technique is packet sniffing, which allows them to monitor other people's traffic on the Internet, rather like the online equivalent of a police scanner. For this reason, it is often necessary to use equally sophisticated encryption techniques for communication between browser and server. This is especially important when it involves personal information such as social security and credit card numbers.