So you think your web-app is secure? #3
January 16th, 2008

In the first post on this topic I wrote a list of known vulnerabilities of a typical LAMP web-app. The plan is to investigate where exactly each of them applies to the web-app I am making more secure, and to patch them.

In the process I realized that there is another perspective/question here that is also very important. One thing is to fix "all" the holes, but you also have to ask yourself:
"What am I really trying to prevent here?"
In our case, we need to prevent anyone from getting at (identifying) personal information of the users. That is the most important thing, and everything else is orders of magnitude less important. Any other data we hold, if it gets "stolen", meh.. if they delete or change it, we have the backups. But the privacy of the users is sacred. Too bad I can't say what exactly we did in this regard.
The analogy is this. You have an area where people are infected with some virus X. You can put up roadblocks, test and disinfect everyone leaving, spray their cars, forbid mail, put up fences to keep wild animals from spreading it, but sooner or later something will get through. Or you can focus on the virus itself and find a way to stop it from spreading.
You can try to stop the problem from getting "out", or you can try to remove the problem in the first place. For a web-app, the second option means reducing what there is to steal: not collecting or keeping identifying data you don't actually need, so that a hole in the perimeter yields nothing worth having.
Well, nothing is as perfect as theory, so we do both.
