I've done a website for a bank. The one I worked with already had a vendor for online banking, so I just used that vendor's pre-made code to integrate online banking.

Beyond that I made sure that the bank website used an SSL certificate (which was a bit of a weird one to set up because they have their own internal network and network staff), made sure I could provide hosting that was compliant with security & auditing standards like SAS 70, etc.

On the CMS end I took every. Single. Security precaution I could. But if the website I created for them is ever hacked, the hackers won't have access to bank account records, since that's done by a separate vendor with their own security team.

Overall it was a big undertaking and I learned quite a bit. But it's not like I'm their online banking vendor, so the security isn't nearly as important as it would otherwise be.
posted by circular at 2:29 PM on November 30, 2010 [1 favorite]

The single best thing you can do to secure a website's communications is run it over SSL. Your traffic is encrypted beyond Generally Available means of snooping. Your clients are still vulnerable to man-in-the-middle attacks, but those are difficult to accomplish on a large scale.

Mind you, this won't protect the integrity of a site's data, which needs to be locked down via code (for example, preventing harmful input that "injects" bad code, via URL's or form inputs) or network security (key-based authentication, restricting access via port/ip, etc.). On that front, if you're using someone else's software, the single best thing you can do is make sure you stay up to date with patches. Blog/CMS software like WordPress is regularly compromised and, in turn, patched. The second best thing you can do is disallow anonymous posting and require some kind of hurdle during registration (CAPTCHA, email verification).

Large companies often hire external security firms where White Hat try to infiltrate your system and report on vulnerabilities they find. Really large companies have internal teams to do that.
posted by mkultra at 2:30 PM on November 30, 2010

Actually, the single best thing you as the operator of a website can do is make sure that any admin passwords are (a) strong, (b) not obvious, and (c) not stored in readable format anywhere. Passwords should be stored as hashes, and compared against hashed input.

Human Engineering remains a distressingly viable means of hacking. There are still plenty of systems with sensitive data out there that can be accessed with passwords like "password", "admin", the name of someone's wife, etc.
posted by mkultra at 2:44 PM on November 30, 2010 [1 favorite]

If you have a few weeks to spare, you could just sit and read all of OWASP.
posted by robertc at 2:54 PM on November 30, 2010

The Ruby on Rails site has a pretty good overview of web app security problems and fixes; the code samples are for Rails but the concepts are generally-applicable.
posted by letourneau at 2:59 PM on November 30, 2010 [1 favorite]

Seconding both mkultra's points. I'd add cgi injection, but the main thing is to allocate time to just do the right things. It's an ongoing project, I have no idea what the attack of the day is but it will be something else next week. Find the right balance, too much, say forcing admin passwords too often will defeat as thing will get written down.
posted by sammyo at 6:29 PM on November 30, 2010

This thread is closed to new comments.