System directory

The (generically titled) "system" directory of your website or web application should be the one containing all the scripts required for system administration, completely separated by all other files. To achieve maximum security in this regard, here are some important guideliness:

The need for website security

Website defacement

You may be developing a simple, straight forward personal website, containing information that's both public, and easy to back-up, and so implementing proper security measures doesn't present much interest. However, no matter how simple or low-value your system is, it is definitely not your intention to have it defaced by hackers. Failing to secure your website guarantees that, sooner or late, it will be defaced, if only for the lulz. Happened to me? Oh, yes.

web security

Common security mistakes

Stupid mistakes

Stuff you have no excuses for, no matter what you may come up with. I know, you're so above and beyond this, but simple things are often the easiest to overlook, and when they go wrong they tend to do the greatest damage. Before pondering on which encryption cipher to use, make sure you've got these covered.

Security risks and threats

Social engineering

This was the singlemost effective tactic Kevin Mitnik used, according to himself. The name sounds cool, but it really is about getting people to spill the beans and give the attacker security sensitive information in the old fashion way, that only requires people skills (as opposed to advanced computer hacking skills).

Secure your code: general principles

Some of de most basic and useful general principles of programming must be applied when approaching security matters in your code.

Food for thought

Security is imperfect

Just like anything else, all security mechanisms are inherently flawed, the only thing that separates good security from bad security is the degree of work an attacker has to do in order to by-pass it. A security mechanism cannot be perfect, but it has to be at least good enough for the purpose.

Layers and levels of security

Layers of security

A well conceived security system operates on different layers, hence reducing the chance of complete and catastrophic breach when one layer has failed. It doesn't mean that isn't still possible, just that the chances are significantly reduced by putting the burden of security on more than one subsystem, on more than one level.

Secure the database server

The MySQL server has its own security mechanisms in place, via user-based access, as far as table level, with per-operation authorization (you can grant access to a certain table only, to a certain user, only allowing SELECT operations).

Secure the web/FTP server

The web server software configuration is largely managed by your web host. They are the ones responsible for the "general" securing of the web server. However, that does not mean (at all), that your system, whose interface is output by the webserver, is automatically secure. That is why you need to take extra steps to secure your system, using what the web server has to offer. Some of these may seem childishly obvious or simplistic. Regardless, just make sure you have it covered.

Secure PHP

For the purpose of this tutorial, the PHP engine provides the development environment. There are many features of it that present significant security risks and should be disabled. Lately, they are disabled by default in the newer versions on PHP.