1. HTTPS will protect your application. Just because a user’s browser displays a lock icon when they visit your website doesn’t mean that your website is secure. HTTP over SSL (HTTPS) only encrypts the traffic between the user and the web server, which prevents snooping on the user’s traffic. It does not prevent a user from sending malicious requests to the web server.
2. A firewall will protect your application. Firewalls are great; you can lock down every non-essential port on your server. But you can’t prevent people from accessing port 80 (or 443), or you will have the world’s least-used web server. If port 80 is open, malicious requests can be sent to your web application.
3. A locked-down server build will protect your application. You can disable all non-essential services on your server, and you can run your web server or application server under a restricted account that cannot read or write any files outside the web folder, but . vulnerabilities introduced by developers, rather than
4. A web Intrusion Detection System will protect your application. nuh uh
5. No one will target your application. (Do you appear on a search engine?)
6. Using off-the-shelf software will protect you. patch levels. when they go down, they go down big. Not a big fan of reinventing the wheel. common components.
7. Writing custom software will protect you. no secure languages. secure components. heuristic attack. – I see a field

Published On: May 4, 2008

1. 10redhacks December 2, 2011 at 7:17 pm

    I found your blog while I was searching for hacks information on Google. I am very impressed with your writing skills. It was excellent and very informative. Thank you.

2. Jack Martin March 7, 2016 at 9:11 pm

    Very informative post, and it was quite helpful to me. I also wrote something along similar lines on web app security testing – http://bit.ly/1ROGelm