Overview
TODO: Answer the questions below to help you design needed security
features. Consider how the reusable sample text relates to your
project or prompts you to think of new ideas. Add, edit or delete
text as needed.
- What are the most important facts that a developer should know
about the security of this system?
- The first thing to understand is how user accounts
and permissions are represented inside the application. The logic
that builds each screen will be clearer after you understand how
the visibility of individual fields is controlled by user permissions.
- The most important things for a new developer to keep in mind are:
- We have strict calling conventions in place that prevent
"tainted" (possibly malicious) user input from being
passed through to the database or echoed out on any page.
- We never write SQL code in our application source code; we
always go through LIBRARY-or-STORED-PROCEDURES that enforce
security concerns.
- Do not add any executable script to the "scripts" directory
without discussing it with PERSON-NAME first.
- The system will use SSL in production but we do our
development and testing with SSL disabled.
- Please keep in mind that we did not originally
consider security when designing this system, and we have been forced
to go back and close security holes in ways that may seem unclear.
We are trying to design more thorough and consistent security in
upcoming releases.
- What are the ranked goals for security in this system?
- Data security
- Intrusion prevention
- Abuse prevention
- Auditability
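
The "tainted input" calling convention and the rule that SQL lives only in a library layer, from the sample text above, sketched as an added example (it is not part of this template or of any project's code). The `Tainted` class, `find_user`, `render_greeting`, the `users` table and the use of SQLite are all assumptions made for illustration.

```python
import html
import sqlite3


class Tainted:
    """Holds raw user input; refuses implicit conversion to str."""

    def __init__(self, raw):
        self._raw = raw

    def __str__(self):
        # str(), f-strings and "%s" all land here, so accidental use fails.
        raise TypeError("tainted input: use as_html() or the data layer")

    def __repr__(self):
        return "<Tainted>"  # never leak the raw value into logs

    def as_html(self):
        """Only sanctioned way to echo the value onto a page."""
        return html.escape(self._raw, quote=True)

    def _bind(self):
        """For the data layer only: value for a bound SQL parameter."""
        return self._raw


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn


def find_user(conn, name):
    """Data layer: the only place SQL text lives; input must be Tainted."""
    if not isinstance(name, Tainted):
        raise TypeError("data layer accepts only Tainted values")
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name._bind(),)).fetchall()


def render_greeting(name):
    return "<p>Hello, " + name.as_html() + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, Tainted("alice' OR '1'='1")))  # constructed input
    print(render_greeting(Tainted("<b>alice</b>")))
```

Request handlers wrap every incoming value in `Tainted` at the boundary, so code that bypasses the convention raises `TypeError` instead of silently building a query or a page from raw input.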