The Prison Theory of Web Development & Security
Just like in jails and prisons, all it takes is one second for someone to wreak havoc on your server, or worse, on others by gathering unsecured personal data. Such a breach ends up costing far more than it would have cost to fix the problem initially.
To continue with his Prison Theory of Web Development Security article featured in Website Magazine's January 2013 issue, author Michael Stowe offers the following principles for security.
Keep Your Visitors Secure
One of the key responsibilities of jails and prisons is to keep the inmates safe. Now that they have been secured, they are the responsibility of the prison. The same goes with your Web users.
Once a user has logged in, it is vital to keep the information they give you secure. Like a prison, you should monitor other visitors to ensure that they are not trying to pass malicious data or attack your visitor, most commonly through cross-site scripting (XSS) or session hijacking/fixation.
Like in a prison, if you suspect your visitor is potentially at risk, immediately move them to a more secured area. For example, in the case of a session attack, provide them with a new session ID or log them out completely.
Keep Your Visitors in the Dark
In jail, oftentimes the inmates are kept in the dark. After all, you wouldn’t want to tell an inmate that a rival gang member has just been brought in, or that you plan to shake up and search his cell in an hour. You also don’t want them knowing your weaknesses. So why do we give all of this away on our websites? All too often when a website breaks it gives the user a complete breakdown of what happened. The user doesn’t need to know what function was called on what script that generated an error; all they need to know is that something went wrong.
In other words, keep your users in the dark. Only tell them the things you want them to know.
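Both principles in code, as an added example that is not from the article: a session store that never adopts an ID it did not issue, rotates the ID to move a visitor to a safer area, and logs the visitor out on a suspected hijack (assumption: a client fingerprint such as a hashed User-Agent is available per request), plus an error handler that logs the full traceback under a reference ID while the visitor sees only a generic message.

```python
import logging
import secrets
import traceback

log = logging.getLogger("app")


class SessionStore:
    """In-memory session store (assumption: a real app would use a server-side
    store such as Redis). Each session records the client fingerprint it was
    issued to, so a stolen or fixated ID presented from elsewhere is caught."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, fingerprint):
        sid = secrets.token_urlsafe(32)  # unguessable ID, never client-chosen
        self._sessions[sid] = {"user": user, "fp": fingerprint}
        return sid

    def rotate(self, sid):
        """Move the visitor to a 'more secured area': keep their data, issue a
        fresh ID and invalidate the old one so anyone holding it is locked out.
        Call this on login and on any privilege change."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def resolve(self, sid, fingerprint):
        """Return (session_id, data) for a valid session. Unknown IDs yield
        (None, None), which defeats fixation: an ID we did not issue is never
        adopted. A fingerprint mismatch is treated as suspected hijacking and
        the session is terminated (the visitor is logged out completely)."""
        data = self._sessions.get(sid)
        if data is None:
            return None, None
        if data["fp"] != fingerprint:
            log.warning("fingerprint mismatch for user %s, ending session", data["user"])
            del self._sessions[sid]
            return None, None
        return sid, data


def safe_error_response(exc):
    """Keep the visitor in the dark: the full traceback goes to the server log
    under a reference ID; the visitor gets only that ID and a generic message."""
    ref = secrets.token_hex(8)
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s %s", ref, detail)
    return 500, {"error": "Something went wrong.", "ref": ref}
```

The reference ID lets support staff find the logged detail without anything about scripts, functions or paths ever reaching the browser.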