Security features - continued  
 
  8. SQL Injection Attacks: To thwart these attacks, almost all interactions with the database are performed through stored procedures. This separates the actual SQL statement from the parameter values, so a hacker can never break through that barrier and trick the computer into mixing SQL code with parameter values. In the few instances where dynamic SQL is used, it is ALWAYS passed through a sanitizing routine that removes unnecessary SQL keywords as well as characters that could indicate that malicious SQL or JavaScript code was injected.
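An added illustration of the separation described above, written for this page rather than taken from the product: a constructed in-memory SQLite table is queried once with dynamic SQL built by string concatenation and once with a bound parameter (the same statement/value separation a stored procedure call provides), so the same input is treated as data only in the second case.

```python
import sqlite3


def build_db():
    # Constructed sample data, not the product's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concatenated(conn, username):
    # Dynamic SQL: the input becomes part of the statement text itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # Even an honest apostrophe (O'Brien) breaks the statement.
        return ["<sql error>"]


def lookup_parameterized(conn, username):
    # Bound parameter: the statement is fixed, the value travels separately,
    # so whatever the input contains it is compared as a literal string.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups against a fresh constructed database."""
    conn = build_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(probe), compare(probe))
```

With the parameterized lookup the quoted probe simply matches no username, while the concatenated version either fails on the apostrophe or returns every row.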
 
  9. XSS or Cross Site Scripting: To thwart Cross Site Scripting attacks (where a hacker attempts to get malicious JavaScript code to run on your system), all user input is HTML encoded. This converts the characters JavaScript relies on into their encoded equivalents, which neutralizes the JavaScript so it cannot run on the system.
 
  10. RSA Encryption of Sensitive Data: Sensitive user data (first name, last name, email address, phone number, and address) is stored in the database as RSA encrypted data. So if a hacker ever breaches the server and somehow manages to steal the data, all they will be able to see of the user's sensitive data is encrypted strings. The RSA encryption procedure uses a public and private key methodology. The public and private keys are stored in a separate database on a different machine, so the two data stores are kept apart.