Learn what next steps will help bolster website security.
- Thank you for watching this course on the foundations of web security. We've covered general security principles, the importance of filtering input and controlling output, and looked at some of the most common attacks. Before I leave you, there are a few additional points I'd like to share with you which do not fit neatly into the previous chapters, but which are very important.

First, it is essential to regularly update all software. Security vulnerabilities are reported and patched constantly. Hackers pay attention when security fixes are released so that they can quickly use the vulnerabilities before everyone upgrades. When a new version comes out, patch immediately so that you win the race against the hackers.

Second, back up your data: code, database data, configurations, assets, everything. Make automatic backups, as well as backups to an offline hard drive. The goal is to maintain data availability. Hard drive failure, hosting companies being unavailable, and ransomware, where files are encrypted and unavailable until a ransom is paid, are real threats. Backups make systems resilient to data loss.

Third, don't forget to secure your domain. Domains can be stolen or hijacked. Use multifactor authentication for your domain registrar and wherever your DNS configuration is hosted. Use DNSSEC, short for Domain Name System Security Extensions, when possible. DNSSEC is designed to protect applications from fake or manipulated DNS data.

Fourth, server security is a bigger topic than what we've discussed here. While we've touched on some points, we focused primarily on developer security. The general security principles still apply, but you should also consider whether you need antivirus software, a firewall, and intrusion detection and prevention systems. Small personal websites may not need these for their threat model, but a large corporate website likely will.

Finally, I encourage you to join the security community. Follow people who post about security on Twitter. Twitter is where a lot of security news breaks first. Read blogs and search for topics you want to learn more about. If you can, attend conferences where you can share and learn from the experience of others. Security threats and defenses are constantly evolving. Being part of the community will help you stay up to date on the changing landscape.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting