How to improve Website Security?

[HelpSecure]

Hey,

I am a newbie to most internet security issues but I have a small start up website and I was wondering if there was a way to stop hackers? Is there a way to stop hacking techniques such as Sql injection, cross-site scripting, brute force attacks, functional and navigational abuse, Http response splitting?

I am somewhat familiar with web application firewalls and vulnerability scans.

Thanks

-HS

[SirDice]

Is there a way to stop hacking techniques such as Sql injection, cross-site scripting, brute force attacks, functional and navigational abuse, Http response splitting?

Two words: code auditing. Preferably done by someone experienced. Rule of thumb is to NEVER trust ANYTHING sent by a client (browser). Filter on the stuff you want/need and remove everything else.

I am somewhat familiar with web application firewalls and vulnerability scans.

Firewalls won't help you as you need to punch a hole in it to allow traffic to your site. Vulnerability scans will only show you the most obvious failures.

[ByTeWrangler]

Two words : Input Validation

[The-Spec]

A Waste of time considering you can get rid of entire features in php. Then you can prevent XSS issues and people from brute forcing web forms with maybe a three to eight line function in your scripts.

[nihil]

The first thing to do is make sure that you keep your software up to date and apply all security patches on a timely basis.

You don't say, but if your site is hosted by a third party you need to be sure that they keep their hosting environment up to date as well. Plenty of big names have been embarrassed because their service provider let them down.

As soon as a security patch is released it is safe to assume that there will be people out there writing exploits for the vulnerability (if they don't already exist) and looking for the low hanging fruit who were slow on the uptake.