Website security
Websites offering services must deal with vandalism and fraud, and must protect both their customers' and their own company's data.
Thinking about mistakes before they happen
In any non-trivial piece of software it is very easy to make a mistake that opens a security hole. We have a remedy for that. We base our websites on the Topaz framework, which makes basic safety checks obligatory, encapsulates risky database access in a safe, well-tested module, and handles data output in a way that blocks an entire class of so-called script-injection attacks.
Protecting against spam
Web bots that abuse comment and contact forms on websites are very common. They try to litter websites with their advertisements, or look for vulnerabilities in website code that would let them send spam on the website's behalf.
We have developed sophisticated filters that stop such abuse while still letting legitimate comments and correspondence through.
Technically:
- We use an ORM and prepared statements, which protect against SQL injection attacks, the plague of PHP scripts
- Preliminary input verification and authentication are done in a well-tested framework (see the Topaz framework specification for more details)
- We don't fool around with "security by obscurity"
- We never store passwords unencrypted
- We improve the accuracy of our spam filters using real-time blackhole lists (RBLs)
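As an added example (not Topaz framework code and not from the original page), the first and fourth points above in plain PHP using PDO: a parameterised lookup with a hashed password beside the string-concatenated query that the list warns about. The users table, its column names and the in-memory SQLite database are assumptions chosen so the snippet runs offline.

```php
<?php
// Added example, not Topaz code. Table and column names are assumptions.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)');
    return $pdo;
}

// Registration: only a salted hash is stored (password_hash), never the password.
function registerUser(PDO $pdo, string $login, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (login, pw_hash) VALUES (:login, :hash)');
    $stmt->execute([
        ':login' => $login,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Authentication: the login is bound as a parameter, so the database always
// treats it as data, never as part of the SQL text; password_verify compares
// against the stored hash in constant time.
function authenticate(PDO $pdo, string $login, string $password): bool {
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// VULNERABLE pattern, shown for contrast only: the value is pasted into the
// query string, so any quote character in the input changes the SQL itself.
function findUserUnsafe(PDO $pdo, string $login): ?array {
    $row = $pdo->query("SELECT * FROM users WHERE login = '$login'")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$pdo = connect();
registerUser($pdo, "o'brien", 'correct horse battery staple');
var_dump(authenticate($pdo, "o'brien", 'correct horse battery staple'));
var_dump(authenticate($pdo, "o'brien", 'wrong password'));
try {
    // An ordinary apostrophe in the data is enough to break the concatenated query.
    findUserUnsafe($pdo, "o'brien");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}
```

The prepared statement handles the apostrophe in "o'brien" as data, while the concatenated version throws a PDOException because the same input became part of the SQL text.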