
Website Checklist: Security

Evaluate your commercial website and be successful. For your website to be successful you must know who your intended audience is, what the goal of your website is, and how attainment of that goal will be measured. Without this knowledge it will be hard to achieve success.

Security, Compliance & Monitoring
SQL injection

SQL injection is a technique in which an attacker supplies crafted input that gets pasted into a database query, letting them read, alter or destroy data in the site's database or gather sensitive data about your company or your clients. Sites MUST be audited to ensure there are no SQL injection vulnerabilities. The only websites on my server have been authored by me and are subjected to regular auditing for SQL injection.

Cross site scripting

Cross site scripting is another method used to compromise website security: visitor-supplied text that is echoed back into a page without being encoded can carry script that runs in other visitors' browsers. Websites on my server are subjected to regular auditing for cross site scripting.

Sensitive data

Sites should be audited to ensure that sensitive data has not made it onto the public site. Google can be a great tool for this; check out johnny.ihackstuff.com for a great list of Google hacks. Warning! It's scary seeing the kind of sensitive information companies let leak onto the web.

Privacy

Even if you don't collect any information via a web form, you are still collecting data on your visitors. Their IP address, date and time of visit, pages viewed, etc. are all recorded in a log file. A policy should be in place to inform visitors how this information will be used. In many countries there are legal compliance issues that must be addressed (see the Canada Privacy Guide). Sites should also include a compact privacy policy (P3P).

Error Notification

I have written a custom error trapping and reporting system. If a visitor should encounter a "technical" error on your site (a 500 error), the information about the error is collected and sent to me immediately. No information that could be useful to hackers is displayed on the screen. If a visitor encounters an error I want to know about it and correct it ASAP. The same is true for the server as a whole: in addition to active uptime monitoring by my service provider, I am alerted should any key state of the server change.
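The SQL injection and cross site scripting items above both come down to the same audit question: does visitor input reach the database or the page as data, or as code? The following is an added example written for this checklist, not code from the consultant's site. It puts a hypothetical login lookup and a hypothetical comment renderer in their vulnerable and fixed forms and runs a small set of probe strings against each; the users table, the one account and the probe strings are all constructed for the demonstration.

```python
"""Added example: auditing a login lookup for SQL injection and a comment
renderer for cross-site scripting. Illustrative code written for this
checklist, not the consultant's site code. The table, the single user row
and the probe strings are constructed for the demo; the functions are
hypothetical stand-ins for a real site's login and comment pages."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The classic mistake: user input pasted straight into the SQL text."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the values travel separately from the statement,
    so a quote inside them can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Probes for the password field. Spliced into the query text, each one turns
# the WHERE clause into a condition that is true for every row.
SQLI_PROBES = ["' OR '1'='1", "' OR 1=1 --"]


def audit_sqli(login, conn: sqlite3.Connection) -> list[str]:
    """Return the probes that log in as 'alice' without the real password.
    An empty list means the login function passed this basic audit."""
    return [p for p in SQLI_PROBES if login(conn, "alice", p)]


def render_comment_vulnerable(comment: str) -> str:
    """Echoes visitor input into the page untouched."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """HTML-encodes the input so the browser shows it as text, not markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Probes for a reflected-input field: a script tag, and an attribute breakout.
XSS_PROBES = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']


def audit_xss(render) -> list[str]:
    """Return the probes that come back in the page verbatim, i.e. with their
    '<' and '"' characters unencoded and therefore live as markup."""
    return [p for p in XSS_PROBES if p in render(p)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed by:", audit_sqli(login_vulnerable, db))
    print("safe login bypassed by:      ", audit_sqli(login_safe, db))
    print("vulnerable render leaks:     ", audit_xss(render_comment_vulnerable))
    print("safe render leaks:           ", audit_xss(render_comment_safe))
```

The fix in both cases is the same shape: keep data and code apart. A parameterised query never lets a quote in the input close the string literal, and HTML encoding on output never lets a `<` in the input open a tag. The probe lists here are deliberately short; a real audit uses a much larger set and also checks second-order cases where stored input is rendered on a different page.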
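The Error Notification item describes two halves of one rule: the maintainer gets the full fault detail, the visitor gets none of it. The following is an added example written for this checklist, not the consultant's reporting system. It wraps a page handler so that an unhandled exception produces a generic 500 page while the traceback and request context go to a reporting sink; `REPORTS`, `broken_page` and the request dictionaries are constructed stand-ins for the e-mail or pager a real deployment would use.

```python
"""Added example for the Error Notification item: a request wrapper that
sends full fault detail to the maintainer and shows the visitor only a
generic 500 page. Illustrative code written for this checklist, not the
consultant's own system. REPORTS is a constructed stand-in for the e-mail
or pager the real system would notify; broken_page is a constructed handler."""
import traceback
from typing import Callable

REPORTS: list[str] = []  # constructed sink standing in for "sent to me immediately"

GENERIC_500 = ("<p>Sorry, a technical error occurred. "
               "The site owner has been notified.</p>")

Handler = Callable[[dict], str]


def notify_maintainer(report: str) -> None:
    """Where a real system would e-mail or page the maintainer; here it records."""
    REPORTS.append(report)


def handle_leaky(handler: Handler, request: dict) -> tuple[int, str]:
    """What a debug-mode error page does: the traceback goes to the visitor.
    File paths, module names and query text in it are all useful to an attacker."""
    try:
        return 200, handler(request)
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_safe(handler: Handler, request: dict) -> tuple[int, str]:
    """Same failure, but the detail is captured for the maintainer and the
    visitor sees a fixed message that reveals nothing about the cause."""
    try:
        return 200, handler(request)
    except Exception:
        detail = (f"path={request.get('path')!r} "
                  f"remote={request.get('remote')!r}\n"
                  + traceback.format_exc())
        notify_maintainer(detail)
        return 500, GENERIC_500


def broken_page(request: dict) -> str:
    """Constructed handler that fails on a division by zero when n is 0."""
    return str(1 / int(request.get("n", "0")))


if __name__ == "__main__":
    req = {"path": "/report", "remote": "203.0.113.5", "n": "0"}
    print(handle_leaky(broken_page, req))   # traceback reaches the visitor
    print(handle_safe(broken_page, req))    # visitor sees GENERIC_500 only
    print(REPORTS[-1])                      # maintainer sees the full detail
```

The check worth running against any site is the leaky half: request a page that is known to fail and confirm that the response body contains neither a stack trace nor a database error message. Everything the maintainer needs, including which visitor triggered it and from where, belongs in the report and not on the screen.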