Saying, "Security can be put into the application after it's finished" is like saying, "I can swing for a home run after I hit the ball." If security is not built in from the design up, it will be poor at best. When you're talking about Single Sign-On (SSO), you're also talking about encryption, transport layer security, authentication hardening, and session management. When you're talking about database security, you must include encryption, infrastructure hardening, intrusion detection/prevention systems (IDS/IPS), input validation, and administration policies in the conversation.
Database security
While most database server applications are designed to be secure by default, they all have configurable features that further increase the degree of protection. Acsys has a set of best practices for securing our database servers and data. We bolster these best practices with an array of hardware protection layers, including IDS/IPS and database firewalls.
General application security
On the surface, basic application security may seem easy: just validate your inputs. OK, what's an input? Obviously the textboxes. What about the hidden fields? And the QueryString variables? Did you remember the cookies? If it's a .NET application, what about the ViewState? Did you know that even drop-down boxes and radio buttons can be forced to contain unsafe data? How do you protect against known attack keywords while still allowing valid input that mimics an attack? (e.g. "dear 'company'; delete my last order from your system -- i didn't mean to hit the button. i think it should really alert you onclick that you're about to do something."[sic]) That's just the beginning.
There is help. OWASP and their Top 10 list are good resources. Additionally, Web Application Firewalls can help mitigate the security holes you didn't know you had. But in the end, there is no substitute for knowing and understanding how the flaws can be used to compromise a system and how to prevent them in the first place.
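The two paragraphs above make a point that is easiest to see in code: a keyword block-list rejects the perfectly legitimate customer note quoted above, while an allow-list on every constrained field (including values that arrive from hidden fields, query strings, cookies, drop-downs and radio buttons) plus parameterised SQL and output encoding lets the note through and still keeps it as data. The following is an added example written for this page, not Acsys code or any of its libraries; the form fields, the orders table, the handler names and the in-memory SQLite database are all constructed for illustration.

```python
"""Allow-list validation and parameterised SQL versus a keyword block-list.

Added example, not code from Acsys. The form fields, table layout and
customer note are constructed; the note is the page's own [sic] example.
"""
import html
import re
import sqlite3

# Naive approach: reject any field that contains an "attack keyword".
# Kept here only to show why it fails on legitimate input.
ATTACK_KEYWORDS = ("delete", "drop", "--", "onclick", "<script")


def keyword_blocklist_ok(value: str) -> bool:
    """Return False if any block-listed token appears anywhere in the text."""
    lowered = value.lower()
    return not any(word in lowered for word in ATTACK_KEYWORDS)


# Constructed customer message (taken from the page's own example).
CUSTOMER_NOTE = ("dear 'company'; delete my last order from your system -- "
                 "i didn't mean to hit the button. i think it should really "
                 "alert you onclick that you're about to do something.")

# Server-side rules for every field. The client can alter hidden fields,
# cookies, query strings and drop-down values alike, so all of them are
# checked against the same rules that rendered the form.
ALLOWED_ORDER_STATES = {"open", "shipped", "cancelled"}  # constructed list
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_order_id(raw: str) -> int:
    """Order IDs (hidden field or query string) must be 1-10 digits."""
    if not ORDER_ID_RE.fullmatch(raw):
        raise ValueError("order_id must be 1-10 digits")
    return int(raw)


def validate_state(raw: str) -> str:
    """Drop-down / radio values are checked against the server's own list,
    never trusted because 'the UI only offers these options'."""
    if raw not in ALLOWED_ORDER_STATES:
        raise ValueError("unknown order state")
    return raw


def validate_note(raw: str) -> str:
    """Free text: bound the length, but do not guess at 'attack words'.
    Safety comes from how the value is used downstream, not from filtering."""
    if len(raw) > 500:
        raise ValueError("note too long")
    return raw


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory orders table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, state TEXT, note TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "open", ""), (2, "shipped", "")])
    return conn


def handle_update(conn: sqlite3.Connection, form: dict) -> dict:
    """Validate every submitted field, then update with bound parameters so
    the note is always data and never part of the SQL text."""
    order_id = validate_order_id(form.get("order_id", ""))
    state = validate_state(form.get("state", ""))
    note = validate_note(form.get("note", ""))
    conn.execute("UPDATE orders SET state = ?, note = ? WHERE id = ?",
                 (state, note, order_id))
    row = conn.execute("SELECT id, state, note FROM orders WHERE id = ?",
                       (order_id,)).fetchone()
    # Encode for the HTML context at output time: quotes and '<' become
    # entities, so "onclick" in the note can never become an attribute.
    return {"id": row[0], "state": row[1], "note_html": html.escape(row[2])}


def demo() -> tuple:
    """Run the legitimate note through both approaches plus one tampered form."""
    conn = setup_db()
    blocklist_accepts_note = keyword_blocklist_ok(CUSTOMER_NOTE)  # False
    result = handle_update(conn, {"order_id": "2", "state": "cancelled",
                                  "note": CUSTOMER_NOTE})
    rows_remaining = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    try:  # a drop-down value the form never offered
        handle_update(conn, {"order_id": "1", "state": "refunded", "note": ""})
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return blocklist_accepts_note, result, rows_remaining, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The block-list turns away a real customer because the note happens to contain "delete", "--" and "onclick"; the allow-list path accepts the same note, keeps both orders in the table, and rejects the drop-down value the form never offered. Parameterised statements and context-aware encoding do the work that keyword matching cannot.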
It's a daunting task at first, but we have the knowledge, proper libraries, and best practices in place. We find it's a lot easier than rewriting large swaths of an application from scratch after it's too late.
Want to learn more?
Find out how Acsys can help you get the most out of technology.
Set up a free 30-minute tech assessment now.
Thank you for considering Acsys.