Stuff you have no excuses for, no matter what you may come up with. I know, you’re so above and beyond this, but simple things are often the easiest to overlook, and when they go wrong they tend to do the greatest damage. Before pondering which encryption cipher to use, make sure you’ve got these covered.
- sticking your FTP/website admin credentials on a post-it on your monitor
- keeping any admin credentials in a plain-text file on your webserver; unlike a PHP script, such a file undergoes no server-side processing when requested, and is simply displayed in the browser as-is
- letting your sensitive directories (containing sensitive administrative data) be accessed from the web, including as indexes
- diluting security of your admin credentials by holding them in potentially insecure online storage, such as your own email inbox, in plain-text
- using poor admin credentials, such as an easily guessable admin user name (“admin”, “administrator”, “webmaster”, “root”, etc.) and a weak password (e.g. short and lower-case letters only)
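Two of the items above (a plain-text credential file sitting in the web root, and directories that can be listed) are things you can check for mechanically. The script below is an added example, not code from the original article: it builds a small, deliberately flawed document root out of constructed sample files in a temporary directory, then walks it and reports directories that would be listable (no index file and no `Options -Indexes` in their own or an ancestor’s `.htaccess`, since Apache merges `.htaccess` settings down the tree) and files whose names suggest they hold credentials or configuration, flagging those that are also readable by group or world. The name patterns and the 0400 fix are assumptions chosen for the example.

```python
import os
import stat
import tempfile

# Names that suggest a file holds configuration or credentials; a hypothetical,
# deliberately short list for this example.
SENSITIVE_NAME_PARTS = ("credential", "password", "passwd", "secret", ".ini", ".bak", ".cfg", ".env")
INDEX_FILES = ("index.html", "index.htm", "index.php")


def build_sample_webroot(root):
    """Populate `root` with a small, deliberately flawed document root (constructed sample data)."""
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "uploads"))
    # admin/ disables listings but still serves a plain-text credential file.
    with open(os.path.join(root, "admin", ".htaccess"), "w") as f:
        f.write("Options -Indexes\n")
    cred = os.path.join(root, "admin", "credentials.txt")
    with open(cred, "w") as f:
        f.write("user=admin\npassword=letmein\n")   # constructed placeholder values
    os.chmod(cred, 0o644)                            # world-readable
    # public/ is protected against listing by an index page.
    with open(os.path.join(root, "public", "index.html"), "w") as f:
        f.write("<html><body>hello</body></html>\n")
    # uploads/ has neither an index page nor a listing ban, and holds a stray backup.
    backup = os.path.join(root, "uploads", "config.ini.bak")
    with open(backup, "w") as f:
        f.write("db_password=changeme\n")            # constructed placeholder value
    os.chmod(backup, 0o644)


def htaccess_disables_indexes(path):
    """True if the .htaccess at `path` has an `Options` line containing `-Indexes`."""
    try:
        with open(path) as f:
            for line in f:
                parts = line.split()
                if parts and parts[0].lower() == "options" and "-indexes" in [p.lower() for p in parts[1:]]:
                    return True
    except FileNotFoundError:
        pass
    return False


def audit_webroot(root):
    """Walk the document root; report listable directories and exposed sensitive files.

    A directory counts as protected against listing if it or any ancestor under
    `root` has `Options -Indexes` (Apache merges .htaccess down the tree), or if
    it contains an index file.
    """
    findings = {"listable_dirs": [], "exposed_files": [], "loose_perms": []}
    indexes_off = {}  # absolute dir path -> listings disabled here or inherited
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()     # deterministic order
        filenames.sort()
        inherited = indexes_off.get(os.path.dirname(dirpath), False)
        indexes_off[dirpath] = inherited or htaccess_disables_indexes(os.path.join(dirpath, ".htaccess"))
        rel_dir = os.path.relpath(dirpath, root)
        if not indexes_off[dirpath] and not any(n in filenames for n in INDEX_FILES):
            findings["listable_dirs"].append(rel_dir)
        for name in filenames:
            lower = name.lower()
            # .php files are executed server-side rather than served raw, so skip them here.
            if lower.endswith(".php") or not any(tok in lower for tok in SENSITIVE_NAME_PARTS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            findings["exposed_files"].append(rel)
            if stat.S_IMODE(os.stat(full).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
                findings["loose_perms"].append(rel)
    return findings


def harden_sensitive_files(root, findings):
    """Make every flagged file readable by its owner only (mode 0400).

    This fixes the permission problem only; the file still has to be moved out
    of the document root (or blocked in the server configuration) so that it
    is no longer served at all.
    """
    for rel in findings["exposed_files"]:
        os.chmod(os.path.join(root, rel), 0o400)


def run_demo():
    """Build the sample tree, audit it, harden it, audit again; return both reports."""
    root = tempfile.mkdtemp(prefix="webroot-audit-")
    build_sample_webroot(root)
    before = audit_webroot(root)
    harden_sensitive_files(root, before)
    after = audit_webroot(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Run it as-is to see the two reports; point `audit_webroot()` at a real document root to use it as a quick check. Note that after hardening the credential file still appears under `exposed_files`: tightening permissions protects it from other local users, but only moving it outside the web root stops the webserver from serving it.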
These are mistakes you may be able to justify, with either technical reasons or user experience concerns. However, this doesn’t mean you shouldn’t strive to correct them.
- not having a strongly separated administration front and back end, in terms of directories/URLs on your website, sometimes due to limitations of the software (e.g. a CMS) you happen to be using
- having an “administration” directory or URLs with an easily guessable name (“system”, “admin”, etc.), due to limitations of the software or your own neglect
- not protecting all your directories against “index” display, due to lack of .htaccess support and/or lack of access to the webserver configuration, or due to software limitations, or due to your neglect in putting an index.html file in your directories
- not making the critical files that store admin credentials inaccessible from the web and readable only by their owner (read-only, owner access only)
- allowing users to choose weak passwords, to keep their user experience on the light side
- not having clearly defined user level/roles
- confusing authentication with authorization
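The last three items in this list (weak passwords, undefined user roles, and mixing up authentication with authorization) are easiest to see side by side in code. The following is an added example, not part of the original article: a minimal user store with a password policy, per-user salted PBKDF2 password hashes, a fixed set of hypothetical roles, and two separate questions, `authenticate()` (“who are you?”) and `authorize()` (“may you do this?”). The `handle_request_confused()` function shows the mistake the list warns about: treating a successful login as permission to do anything. The role names, permitted actions and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical roles and the actions each may perform.
ROLE_PERMISSIONS = {
    "viewer": {"read_post"},
    "editor": {"read_post", "edit_post"},
    "admin": {"read_post", "edit_post", "delete_post", "manage_users"},
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example


def check_password_policy(password):
    """Return the reasons a password is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digits or punctuation")
    return problems


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user salt; the store never keeps the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}
        self._dummy_salt = secrets.token_bytes(16)

    def add_user(self, username, password, role):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: " + role)
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}

    def authenticate(self, username, password):
        """Authentication answers 'who are you?': returns the username on success, else None."""
        record = self._users.get(username)
        if record is None:
            _hash_password(password, self._dummy_salt)  # spend the same time for unknown users
            return None
        if hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
            return username
        return None

    def authorize(self, username, action):
        """Authorization answers 'may you do this?'; it is a separate check from authenticate()."""
        record = self._users.get(username)
        return record is not None and action in ROLE_PERMISSIONS[record["role"]]


def handle_request(store, username, password, action):
    """Simulate a request: first authenticate, then authorize. Returns a status string."""
    who = store.authenticate(username, password)
    if who is None:
        return "401 unauthenticated"
    if not store.authorize(who, action):
        return "403 forbidden"
    return "200 ok"


def handle_request_confused(store, username, password, action):
    """The mistake the text warns about: a successful login is taken as permission for anything."""
    if store.authenticate(username, password) is None:
        return "401 unauthenticated"
    return "200 ok"   # no role check at all


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "Correct-Horse-42", "editor")
    print(handle_request(store, "alice", "Correct-Horse-42", "delete_post"))           # 403 forbidden
    print(handle_request_confused(store, "alice", "Correct-Horse-42", "delete_post"))  # 200 ok
```

Keeping the two checks in separate functions makes the distinction visible at every call site: a request handler that only ever calls `authenticate()` is immediately recognisable as one that never decided whether the caller is allowed to perform the action.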
Elusive security mistakes
This class of mistakes is the hardest one to deal with, and it contains issues ranging from purely logical failures in the design phase (i.e. failing to realize some things are not implicit), through the programming effort itself (i.e. bad programming practices or outputting debug messages to browsers), to programming language and server bugs. Therefore, they are usually quite unspecific and cannot easily be enumerated in a short list.
In the following chapters, I’ll try to give advice and solutions to at least some of these issues.