There are two main ways to implement security in a system. They should always be used together, for reasons that will become obvious.
There comes a point, in security matters, when developers run into the age-old question: "Who was first? The chicken or the egg? Or the hen? Perhaps the fowl?"
The (generically titled) "system" directory of your website or web application should be the one containing all the scripts required for system administration, completely separated from all other files. To achieve maximum security in this regard, here are some important guidelines:
You may be developing a simple, straightforward personal website, containing information that is both public and easy to back up, so implementing proper security measures may not seem worth the effort. However, no matter how simple or low-value your system is, you certainly do not intend to have it defaced by hackers. Failing to secure your website guarantees that, sooner or later, it will be defaced, if only for the lulz. Happened to me? Oh, yes.
Stuff you have no excuse for, no matter what you may come up with. I know, you're so above and beyond this, but simple things are often the easiest to overlook, and when they go wrong they tend to do the greatest damage. Before pondering which encryption cipher to use, make sure you have these covered.
This was the single most effective tactic Kevin Mitnick used, according to himself. The name sounds cool, but it really is about getting people to spill the beans and hand the attacker security-sensitive information the old-fashioned way, which requires only people skills (as opposed to advanced computer hacking skills).
Some of the most basic and useful general principles of programming must be applied when approaching security matters in your code.
Just like anything else, all security mechanisms are inherently flawed; the only thing that separates good security from bad security is the amount of work an attacker has to do in order to bypass it. A security mechanism cannot be perfect, but it has to be at least good enough for its purpose.
A well-conceived security system operates on several layers, reducing the chance of a complete and catastrophic breach when one layer has failed. That does not mean a complete breach is impossible, only that the odds are significantly reduced by placing the burden of security on more than one subsystem, at more than one level.
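The following is an added example, not code from the original post, showing the layered idea above in practice: one database lookup guarded by three independent layers (input validation, parameterized SQL, and a least-privileged database connection). The table contents, the user ids and the injection payload are all constructed for the demo, and the least-privilege layer is implemented with sqlite3's authorizer hook as a stand-in for what would be a SELECT-only database role in production. The keyword flags on the handler exist only so the demo can switch a layer off and show that the remaining layers still stop the attack.

```python
"""Defense in depth demo: three independent layers in front of one query.

Layer 1: strict input validation on the request parameter.
Layer 2: parameterized SQL, so user input is never parsed as SQL.
Layer 3: least privilege at the database, enforced here with sqlite3's
         authorizer hook (in production: a SELECT-only database role).
The table contents and the injection payload are constructed for the demo.
"""
import re
import sqlite3

# Constructed sample rows; not real accounts or secrets.
USERS = [(1, "alice@example.com"), (2, "bob@example.com")]
SECRETS = [(1, "constructed-secret-value")]

# Layer 1: a user id is a short decimal string, nothing else.
USER_ID_RE = re.compile(r"[0-9]{1,9}")


def users_read_only(action, arg1, arg2, dbname, source):
    """Layer 3: allow SELECTs that read the users table; deny everything else.

    sqlite3 calls this while compiling each statement, so a query that
    touches any other table (or tries to write) fails before it runs.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "users":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_db():
    """Create the demo database, then drop to the least-privileged view of it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SECRETS)
    conn.commit()
    # From here on the connection has only the handler's privileges.
    conn.set_authorizer(users_read_only)
    return conn


def lookup_email(conn, raw_id, *, validate=True, parameterize=True):
    """Return (layer_that_decided, result) for a user-supplied id.

    The keyword flags exist only so the demo can switch a layer off and show
    that the remaining ones still hold; a real handler would not have them.
    """
    if validate and not USER_ID_RE.fullmatch(raw_id):
        return ("input validation", None)
    try:
        if parameterize:
            # Layer 2: the driver binds the value; it can never become SQL text.
            cur = conn.execute("SELECT email FROM users WHERE id = ?", (raw_id,))
        else:
            # Deliberately broken layer 2: string formatting lets input become SQL.
            cur = conn.execute(f"SELECT email FROM users WHERE id = {raw_id}")
        row = cur.fetchone()
    except sqlite3.Error as exc:
        # Layer 3 refused to compile the statement (e.g. "not authorized").
        return ("database privileges", str(exc))
    return ("query", row[0] if row else None)


# A classic UNION injection aimed at the secrets table (constructed payload).
PAYLOAD = "1 UNION SELECT secret FROM secrets"

if __name__ == "__main__":
    conn = open_db()
    print("legitimate request:     ", lookup_email(conn, "2"))
    print("all layers on:          ", lookup_email(conn, PAYLOAD))
    print("validation off:         ", lookup_email(conn, PAYLOAD, validate=False))
    print("validation+binding off: ",
          lookup_email(conn, PAYLOAD, validate=False, parameterize=False))
```

With every layer in place the payload never gets past validation. Turn validation off and the bound parameter is compared as an opaque value that matches no row, so the query returns nothing rather than executing the UNION. Turn parameter binding off as well and the injected SELECT is compiled, but the authorizer denies the read of `secrets` and the statement fails before it runs. Each layer is sufficient on its own for this payload; the point of stacking them is that a single mistake (a forgotten validation, one string-formatted query) does not become a breach.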