Security for Web Apps

I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...

  • Running the app on Heroku (Ruby on Rails)
  • Site is encrypted with 256 SSL (with forced SSL turned on)
  • Cookies are encrypted and we pass the Firesheep test
  • Their password and everything in the database is one-way encrypted... so even if someone got access to the database it would be useless.
  • We do not store any keys or passwords openly in the source code but rather use Config Vars

Other than that, what else should/could we be doing? We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.

Does anyone have any suggestions at all?

timWhit asked Feb 25 '11 01:02


1 Answer

Make sure to read the OWASP Top 10. Also, $2,500 is a rip-off; Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific IP addresses, or test your application before enabling the WAF.

rook answered Oct 14 '22 07:10
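The two options the answer gives for reconciling a scanner with the WAF, written out as ModSecurity 2.x directives for an Apache vhost. This is an added example, not configuration from the answer or from the ModSecurity project; the address 203.0.113.10 is a placeholder for the scanner's source IP and the rule id 1000 is an arbitrary choice.

```apache
# Added example (not part of the original answer).
# 203.0.113.10 is a placeholder for the scanning service's source address.

# Option 1: test before enforcing. In DetectionOnly mode every rule is still
# evaluated and logged, but nothing is blocked, so the scanner sees the real
# application and you can review the audit log for false positives first.
SecRuleEngine DetectionOnly

# Option 2: enforce for everyone except the scanner. With the engine "On",
# this phase:1 rule runs before any blocking rule and turns the rule engine
# off for this one request, so only the allow-listed source is exempted.
# Swap the line above for "SecRuleEngine On" when switching to this option.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
```

Because the exemption is keyed on the source address, it is only as strong as your confidence that nothing else can originate traffic from that address; remove the rule when the scan contract ends.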