Server programming - Best Practices

[tbscope]

The three points you mention above are just a very very small tip of the security iceberg. They are good starting points though.

Unfortunately, securing a server is extremely hard to do and requires constant updating.

Even if you have server software, listening to one or more ports, on a hardware machine, this doesn't prevent people from trying to access other ports on that machine. These ports might not be monitored by your software.
This means that you should look beyond your own software and incorporate the complete system.

Simply locking out an IP when you think a DDoS attack occurs will not always work. Some people are smart and make a DDoS attack look like a lot of normal requests. There are just so many that the server will not be able to handle them.

Other security threats are people who have access to your software and hardware. Are they able to set up user accounts? How can you protect this?

Important is software testing. Create a comprehensive set of tests to test everything you can think of and more before using the code for real. Bugs are the number one security vulnerability. Bugs can also exist in any hardware or other software you use. Choose them carefully.

And this list goes on ...

Check google for documentation on how to secure servers. I'm sure there exist some international standards, rules of thumb and books
It would also be a very good idea to get some education on the subject. Or to hire people who know how to deal with it, which in turn is in itself another security risk.

[Affenbrotbaum]

Hey tbscope,

Thanks for the hints. It doesn't have to be Armageddon-proof, just has to withstand the regular script-kiddy. Sourcecode and Hardware access are pretty limited as well since I'm the only guy running the show as of now. That's why the testing suite is a given as well. I don't wanna run the tests again and again....

Anyways, thanks again for all the help
Alex

[tbscope]

In that case, watch the input and output carefully. Create unittests.
Also learn about all the bugs in the libraries you use.

When you sell the software or use it in a production environment, be extremely carefull that you create a contract that states that you are not responsible for any bugs or errors or ...
If that's not in the contract, you will be very poor in no time. This is not something to handle lightly.

Edit: A collegue of my discovered a nice example of a bug today. Where I work, we have to sign in via Sharepoint everyday. This means that when I arrive, I have to fill in a form that I'm at my work place, and when I'm away I need to fill in where I will be going to etc... Now it seems that there is an rss feed available and I can just open that feed in a browser and see the detailed information of all my collegues. Not something that should be possible.