I'm considering designing a consumer internet product, but don't know the first thing about security. I'd like to avoid compromising my users' data, so if you can point me in the right direction I'd greatly appreciate it. Thanks!
This is a very, very deep topic.

Everything I know about web vulnerabilities in a sentence: User input cannot be trusted. Do I have room for two sentences? Assume every string in the application is user input unless you've got provable chain of custody back to God Almighty, who is the only entity I would trust to handle whitelisting correctly.

There is a regularly published list of the most common web vulnerabilities. Most have had well-understood fixes for years or decades, and will have much better developers than you or I shoot themselves in the foot today.

http://www.owasp.org/index.php/Top_10_2007

Happily, you can pick some of this up as you go along, because insecure web applications (three words which could be two words without compromising informational content) can still produce meaningful business results. Don't let this be the reason you don't write something, unless something is nuclear power plant control software or the like.
Here is a short list of topics that are helpful to understand:

threat modeling/analysis, cross site scripting, sql injection, session hijacking, database security/permissions, firewalls, intrusion detection, keeping system software up to date.
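An added example (not written by either commenter) that makes the "user input cannot be trusted" point concrete for two of the topics listed above, SQL injection and cross-site scripting: the same untrusted string is handled by a concatenated query, by a parameterized query, and on the way back out to the browser. The `users` table and its rows are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a real user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (handle TEXT, bio TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hello"), ("bob", "<b>bold</b> bio")],
    )
    return db


def lookup_vulnerable(db, handle):
    # The string is spliced into the SQL text, so the database parses it as code.
    sql = "SELECT handle, bio FROM users WHERE handle = '" + handle + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, handle):
    # Parameterized query: the driver keeps the value separate from the statement,
    # so whatever the string contains, it can only ever match a handle.
    sql = "SELECT handle, bio FROM users WHERE handle = ?"
    return db.execute(sql, (handle,)).fetchall()


def render_bio(bio):
    # A value pulled from the database is still user input when it reaches the
    # browser; encode it for the HTML context instead of trusting it.
    return "<p>" + html.escape(bio) + "</p>"


def demo():
    # Returns (rows from the vulnerable lookup, rows from the safe lookup, rendered bio)
    # for a handle that is syntactically SQL rather than a name.
    db = make_db()
    untrusted = "x' OR '1'='1"
    vulnerable_rows = lookup_vulnerable(db, untrusted)  # matches every row
    safe_rows = lookup_safe(db, untrusted)              # matches nothing
    rendered = render_bio(lookup_safe(db, "bob")[0][1])
    return vulnerable_rows, safe_rows, rendered


if __name__ == "__main__":
    print(demo())
```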