Wednesday, November 4, 2009

The Security Process

Security is about more than just the technology involved in the site you're building. Most of the time, security is a process, not just one stage of the design. When it comes to creating an e-commerce site, there are certain things you should do to make the site less prone to unauthorized compromise (which is just a fancy way of saying you don't want John Q. Hacker getting his hands on your customers' sensitive financial information). For example, you might restrict network access on your database server so it can only be accessed remotely from the servers running your application, reducing the likelihood that the bad guys will be able to mess with your database directly.
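Here is what that database restriction looks like in practice, as an added example that is not part of the original post. It assumes PostgreSQL (the post names no database), a database server on the private address 10.0.2.5, two application servers at 10.0.1.10 and 10.0.1.11, and a database and role both called `shop`; all of those names and addresses are made up for the example. The weak settings are shown first, then the corrected ones.

```conf
# --- postgresql.conf ---

# WEAK: the database listens on every interface, including any public one.
listen_addresses = '*'

# CORRECTED: listen only on the private address the app servers reach
# (10.0.2.5 is an assumed address for this example).
listen_addresses = '10.0.2.5'

# --- pg_hba.conf (rules are evaluated top to bottom, first match wins) ---

# WEAK: any host on the internet may attempt a password login to any database.
host    all     all         0.0.0.0/0       md5

# CORRECTED: only the two assumed application servers may connect, and only
# as the application role to the application database. scram-sha-256 needs
# PostgreSQL 10 or later; on older releases use md5 here instead.
host    shop    shop        10.0.1.10/32    scram-sha-256
host    shop    shop        10.0.1.11/32    scram-sha-256

# Everything else is refused outright rather than being allowed to guess passwords.
host    all     all         0.0.0.0/0       reject
```

Reload PostgreSQL after editing (`pg_ctl reload` or `SELECT pg_reload_conf();`) and confirm from a machine that is not an app server that the connection is refused. Pair this with a host firewall rule on the database server that accepts TCP port 5432 only from the same two addresses: pg_hba.conf is enforced by the database process itself, while the firewall keeps packets from reaching that process at all, so a bug in one layer is caught by the other.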

But this is just the first step. The Great Wall of China was erected to keep the Xiongnu out, but the Chinese did not merely build the wall and then expect that the structure alone would suffice to keep their border secure. They had to keep it manned, making sure there were Chinese guards stationed in watchtowers at periodic points, actively monitoring for potential intruders.

You can put up a firewall, but that's just the first step in defending against network attacks. You have to be much more proactive. Know the kinds of attacks that might be brought against your web application, identify the red flags associated with each, and set up your system so you'll be alerted when it detects the signs of an attack. Be ready with a response plan.
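To make "identify the red flags and get alerted" concrete, here is an added example (not code from the original post or from the Django book it mentions) that scans web-server access logs for the signatures of a few common web-application attacks and raises an alert once a single source crosses a threshold. The log format is Apache's combined format, the signature patterns, the threshold and the sample log lines are all constructed for the example, and the IP addresses come from the documentation ranges; tune the patterns and threshold to your own application before relying on them.

```python
"""Spot attack signatures in access logs and flag sources that need a response.

Added example, not the original post's code. Everything below (log format,
signatures, threshold, sample lines) is constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# One line of Apache combined log format:
#   ip - - [time] "METHOD path HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Red flags for attacks an e-commerce app commonly faces. Each regex is run
# against the URL-decoded path and query string. These are deliberately
# simple and will produce some false positives on real traffic; treat them
# as a starting point for your own list, not a finished one.
SIGNATURES = [
    ("sql_injection", re.compile(
        r"\b(or|and)\b\s+[\w']+\s*=\s*[\w']+|union\s+select|;\s*drop\s+table",
        re.IGNORECASE)),
    ("path_traversal", re.compile(r"(\.\./){2,}|/etc/passwd")),
    ("xss_probe", re.compile(r"<script\b|javascript:", re.IGNORECASE)),
    ("scanner_probe", re.compile(r"/(phpmyadmin|wp-admin|\.env)\b", re.IGNORECASE)),
]

# Constructed sample traffic: one normal shopper, one attacker, one scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2009:10:12:01 +0000] "GET /products/42/ HTTP/1.1" 200 5120
203.0.113.7 - - [04/Nov/2009:10:12:03 +0000] "GET /cart/ HTTP/1.1" 200 2210
198.51.100.9 - - [04/Nov/2009:10:13:10 +0000] "GET /products/?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
198.51.100.9 - - [04/Nov/2009:10:13:12 +0000] "GET /products/?id=42%20UNION%20SELECT%20card_number%20FROM%20payments HTTP/1.1" 500 312
198.51.100.9 - - [04/Nov/2009:10:13:15 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 168
198.51.100.9 - - [04/Nov/2009:10:13:20 +0000] "GET /search/?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
192.0.2.55 - - [04/Nov/2009:10:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 168
"""


def classify(line):
    """Return (source_ip, [matching signature names]) for one log line.

    Returns None when the line does not parse, so a malformed or truncated
    line is skipped rather than crashing the scan.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode first: attackers URL-encode payloads precisely so that a naive
    # match on the raw line misses them.
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return m.group("ip"), hits


def scan(lines, alert_threshold=3):
    """Count signature hits per source IP and pick out the ones to act on.

    Returns (hits_by_ip, alerts). hits_by_ip maps an IP to a Counter of the
    signature names it triggered; only IPs with at least one hit appear.
    alerts lists (ip, total_hits) for every IP at or above alert_threshold.
    """
    hits_by_ip = defaultdict(Counter)
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        ip, hits = result
        for name in hits:
            hits_by_ip[ip][name] += 1
    alerts = [
        (ip, sum(counts.values()))
        for ip, counts in hits_by_ip.items()
        if sum(counts.values()) >= alert_threshold
    ]
    return dict(hits_by_ip), alerts


def format_alert(ip, counts):
    """Render one alert line; in production this would go to syslog, a pager, etc."""
    detail = ", ".join(f"{name}={n}" for name, n in sorted(counts.items()))
    return f"ALERT source={ip} total={sum(counts.values())} ({detail})"


if __name__ == "__main__":
    by_ip, alerts = scan(SAMPLE_LOG.splitlines())
    for ip, _total in alerts:
        print(format_alert(ip, by_ip[ip]))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))` and wire `format_alert` to whatever pages your on-call engineer. Note what the output is and is not: the attacker at 198.51.100.9 trips four signatures and is reported, the lone `/phpmyadmin/` probe stays below the threshold, and the normal shopper never appears. Matching signatures tells you someone is trying; it does not tell you whether they succeeded, which is why the `500` responses on the injection attempts deserve a look in the application log, and why the real fix for injection is parameterized queries in the application, not the detector.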


  1. Will this be covered in the book? I was really excited to run across it on amazon.

  2. Hi John is dope,

    There is a chapter on security in the book, but it's more at the web application level and less about securing the web server. If you're looking for a good resource on this, and happen to be using Apache as your web server, then definitely look at "Apache Security". It's an O'Reilly book, and covers a broad spectrum of potential attacks and effective defenses. I found it very helpful. Here it is:

    If you do end up reading my book on Django, let me know what you think of it. Thanks!