- Always keep your third party software up to date.
- When passwords are posted, always do a redirect. Even if the password is wrong.
- Don’t leak information.
- Apply authorization to all non-public functions.
- Always apply HttpOnly and Secure flags on cookies if possible.
- Renew tokens on login and make them sufficiently random.
- Passwords are hard! Check best practice for storing, changing, resetting, remember function, etc.
- Check authentication on every page after login.
- Apply anti-CSRF tokens or similar measures when forms are posted.
- Prevent XSS by
- Validating input
- Output encode all user input for correct context
- Use content-security-policy header if possible
My advice on how to prevent disaster:
- Educate your developers and testers
- Educate support on response and escalations
- Use security testing tools: Fiddler, ZAP or Burp, sqlmap or Havij, code analysis, third party version scanners etc
- Security test of new and existing features
- Log alerts, detect suspicious activity
- State how vulnerabilities can be reported
- External test or audit
- Bug bounty program
Final words: Hack you own systems. Assume that users are evil. It just takes one evil user. Know your enemy. Know the tools and techniques that hackers use and what they are looking for. Find and fix the vulnerabilities before someone else does.