24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Author: Michael Howard, John Viega

Comments

by anonymous   2019-01-13

Imagine if you hired an electrician to rewire your house, and he showed up with no training and no tools, and he said, "I wonder how I can do this without making your house burn down, LOL!"

You would probably be uneasy about his lack of experience, and you'd be reluctant to let him try. He should instead go get some schooling and work as an apprentice to an experienced electrician for at least a few years until he learns how to do electrical wiring safely.

Frankly, you are not ready to implement a site that takes payments if you're asking beginner questions like "What should I do to avoid being hacked?"

Security is not achieved by using the "right language." It's the developer who uses the language either in a secure or insecure way. Every language can be used to develop a secure site, or else misused to develop an insecure site.

Here are some recommended resources for an introduction to software security:

I agree with the comment above that taking payments is serious business. If you are hacked, you expose yourself to a lot of personal liability. That means you would have to compensate the people who lost money due to your hacked site.

I'm a software developer with many years of experience, but if I were starting a website, I would not want to take the risk that I do something wrong. I would rather spend my time on my own code and business value.

There are now services that will do payment processing for you. You can call their API in your own code, and just ask them to process payments for you, with assurance that they have developed their payment processing with expert-level security and full regulation compliance.

Here are some references that list payment processors that support your country, Turkey:

  • https://www.analyzo.com/search/Payment-Gateways-Turkey/311
  • https://www.shopify.com/payment-gateways/turkey
  • https://www.thepaypers.com/payment-service-providers/turkey/19
  • https://www.shopio.com/payment-gateways/

I have no experience personally with any of the payment processors, so I can't recommend which one will work for you. You need to read about their features and fees and decide for yourself.

Also, you should still learn about secure web programming. You're still responsible for the security of your site. You need to make sure someone can't hack into one of your users' accounts and start a payment transaction in their name, for example. But by using an API, at least you don't have to do the payment part yourself, which is much harder.
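The last point in the comment above, that your own code must stop someone from starting a payment in another user's name even when the processor handles the money, is shown here as an added example. It is not part of the original post and not taken from the book. `PaymentHandler`, `FakeProcessor`, `new_session` and `MAX_AMOUNT_CENTS` are names chosen for this illustration; `FakeProcessor` is a constructed stand-in for a processor's API client, not any real provider's SDK. The hardened handler takes the payer's identity from the server-side session rather than the request body, requires the session's CSRF token, validates the amount, and refuses to charge twice for a replayed request; the vulnerable variant beside it shows the shape of handler that lets an attacker charge anyone.

```python
import hmac
import secrets
from typing import Optional

# Hypothetical per-transaction ceiling; a real site would take this from config.
MAX_AMOUNT_CENTS = 1_000_000


class PaymentAuthError(Exception):
    """Raised when a payment request fails an authentication or CSRF check."""


def new_session(user_id: str) -> dict:
    """Server-side session record created at login (constructed for this example).

    The CSRF token is random per session and is handed to the browser only
    inside pages this server renders; the handler never reads it from a cookie.
    """
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}


class FakeProcessor:
    """Stand-in for a payment processor's API client, constructed for this
    example only. It records each charge and returns a receipt."""

    def __init__(self) -> None:
        self.charges = []

    def charge(self, payer: str, amount_cents: int) -> dict:
        receipt = {"id": secrets.token_hex(8), "payer": payer,
                   "amount_cents": amount_cents}
        self.charges.append(receipt)
        return receipt


def initiate_payment_vulnerable(request: dict, processor: FakeProcessor) -> dict:
    """The shape of handler the comment warns about: the payer is whatever the
    POST body says, so anyone who can send a request can charge any account."""
    return processor.charge(payer=request["user_id"],
                            amount_cents=request["amount_cents"])


class PaymentHandler:
    """Hardened payment-initiation endpoint (hypothetical name)."""

    def __init__(self, processor: FakeProcessor) -> None:
        self.processor = processor
        # (user_id, idempotency_key) -> receipt, so a replayed or double-submitted
        # request does not produce a second charge.
        self._receipts: dict = {}

    def initiate(self, session: Optional[dict], request: dict) -> dict:
        # 1. Identity comes from the server-side session, never from the body.
        if not session or "user_id" not in session:
            raise PaymentAuthError("not authenticated")
        user_id = session["user_id"]

        # 2. The body must carry this session's CSRF token; compare in constant time.
        token = str(request.get("csrf_token", ""))
        if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
            raise PaymentAuthError("missing or invalid CSRF token")

        # 3. Validate the amount before anything reaches the processor
        #    (bool is rejected explicitly because it is a subclass of int).
        amount = request.get("amount_cents")
        if isinstance(amount, bool) or not isinstance(amount, int):
            raise ValueError("amount_cents must be an integer number of cents")
        if amount <= 0 or amount > MAX_AMOUNT_CENTS:
            raise ValueError("amount_cents out of range")

        # 4. Replay protection: the client supplies a key; a repeat returns the
        #    original receipt instead of charging again.
        key = str(request.get("idempotency_key", ""))
        if not key:
            raise ValueError("idempotency_key required")
        seen = self._receipts.get((user_id, key))
        if seen is not None:
            return seen

        # Any "user_id" in the body is ignored: the payer is whoever logged in.
        receipt = self.processor.charge(payer=user_id, amount_cents=amount)
        self._receipts[(user_id, key)] = receipt
        return receipt


if __name__ == "__main__":
    proc = FakeProcessor()
    handler = PaymentHandler(proc)
    alice = new_session("alice")
    # Constructed request body; the "user_id" field is attacker-controlled and ignored.
    body = {"csrf_token": alice["csrf_token"], "amount_cents": 1500,
            "idempotency_key": "order-42", "user_id": "bob"}
    print(handler.initiate(alice, body))
    print(handler.initiate(alice, body))  # same receipt, no second charge
    print(initiate_payment_vulnerable({"user_id": "bob", "amount_cents": 1500}, proc))
```

The two handlers differ in one line that matters: where `payer` comes from. Everything else (CSRF token, amount bounds, idempotency key) is the kind of check that stays your responsibility no matter which processor's API you call.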

by anonymous   2018-07-19
There are other security issues unrelated to databases that you need to educate yourself about. Visit https://owasp.org for information, or read a book like [24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them](https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751/). There's too much information for a Stack Overflow answer.