Web security: misc

Thirteenth post in the web security series.

This post is not about the magazine MISC, but about some more random stuff for web application security.

  • Keep everything up to date (your servers' operating system, and the software, libraries and frameworks the application is using) and replace unmaintained software. There are flaws in all software; if you don't keep it up to date, somebody will use those flaws against you. And you have to apply security patches quickly.
  • Don't ask your users to give you data that you don't need. The less sensitive information you know, the less valuable a target you are.
  • Encrypt your users' data if you can. They trust you with the data they give you, so do your best to protect it. In case of a breach, retrieving the data will be harder for the attacker.
  • Regularly do security audits on your systems:
