Architecture for the Web/Cloud

Why design for failure when nothing fails? (everything fails...)

Build security in all layers. (do not trust)

Leverage alternative processing/storage. (redundancy pays off)

Implement elasticity. (flexibility, scalability, easy restart)

Think parallel. (decoupling data from computation, load balancing, distribution)

Loose coupling helps. (do not reinvent the wheel, use existing solutions)

Don't fear constraints, solve them. (memory, CPU, distribution, ...)

Use caching. (performance)

Design Best Practices

  • Input handling and validation.

  • Prevent Cross-Site Scripting.

  • Prevent SQL Injection attacks.

  • Apply authentication.

  • Cross-Site Request Forgery mitigation.

  • Session management (log-out or cookie attacks).

  • Protect against access control attacks (admin interfaces).

  • Use cryptography.

XSS (Cross-Site Scripting) attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

XSRF (Cross-Site Request Forgery, also abbreviated CSRF) is a type of malicious exploit of a website in which unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands: specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
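One way to implement the CSRF mitigation listed above, as an added example that is not code from the original page: a token bound to the user's session, which a cross-site form, image tag or XMLHttpRequest cannot supply because the attacking page cannot read it. The names `SERVER_KEY`, `issue_csrf_token` and `is_request_allowed`, and the session ids, are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a server-side secret; generated per process here for the demo.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def _mac(session_id: str, nonce: str) -> str:
    # Assumption: session ids are server-generated and never contain "|".
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the site's own forms: nonce + HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def is_request_allowed(method: str, session_id: str,
                       submitted_token: Optional[str]) -> bool:
    """Safe methods pass; state-changing methods need a valid session-bound token."""
    if method.upper() in SAFE_METHODS:
        return True
    if not submitted_token or "." not in submitted_token:
        # The browser attaches the session cookie automatically, but a
        # cross-site page cannot read the token, so it arrives missing.
        return False
    nonce, mac = submitted_token.split(".", 1)
    expected = _mac(session_id, nonce)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample requests: (label, method, session id, submitted token)
    token = issue_csrf_token("sess-alice")
    samples = [
        ("own form, valid token", "POST", "sess-alice", token),
        ("cross-site form, no token", "POST", "sess-alice", None),
        ("token issued to another session", "POST", "sess-bob", token),
        ("read-only request", "GET", "sess-alice", None),
    ]
    for label, method, sid, tok in samples:
        print(f"{label:34s} -> allowed={is_request_allowed(method, sid, tok)}")
```

The check only helps if state changes are never reachable through the safe methods, since those are allowed without a token.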

  • Apply error handling

  • Protect against known attacks (e.g. AJAX or Flash)

  • Initialize variables properly.

  • Do not ignore values returned by functions.

  • Avoid integer overflows.
