Simple Web Security Design

While there are many opinions, and most of the details of building with security in mind come from the programmer's own logic and skill with the programming language, these basic guidelines are also derived from materials available from the OSSTMM.

1. Assure security does not require user decisions.

2. Assure business justifications for all inputs and outputs in the application.

3. Quarantine and validate all inputs including app content.

4. Limit trusts (to systems and users).

5. Encrypt data.

6. Hash the components.

7. Assure all interactions occur on the server side.

8. Layer the security.

9. Invisible is best: show only the service itself.

10. Trigger it to alarm.

11. Security awareness is required for users and help desks.
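As an added example (not from the original page or from the OSSTMM), here is how guidelines 3, 6, 7 and 10 can look in a small server-side order handler in Python: every input is quarantined into a typed object only after passing an allowlist, a client-supplied privilege flag carries no weight because the server decides privileges itself, every rejection produces an alarm record instead of being silently dropped, and a component's hash is checked against its recorded value. The field names, limits and regular expression are assumptions made for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Allowlist rules for each accepted input (constructed for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
MAX_QUANTITY = 100


@dataclass
class ValidatedOrder:
    username: str
    quantity: int


@dataclass
class Alarm:
    reason: str
    input_name: str


def quarantine_and_validate(raw: Dict[str, str]) -> Tuple[Optional[ValidatedOrder], List[Alarm]]:
    """Guideline 3: raw input is never used directly; only fields that pass the
    allowlist are copied into a typed object. Every rejection is recorded as an
    alarm (guideline 10) so the failure is visible to monitoring."""
    alarms: List[Alarm] = []
    username = str(raw.get("username", ""))
    if not USERNAME_RE.fullmatch(username):
        alarms.append(Alarm("username failed allowlist", "username"))
    try:
        quantity = int(str(raw.get("quantity", "")))
    except ValueError:
        quantity = -1
    if not 1 <= quantity <= MAX_QUANTITY:
        alarms.append(Alarm("quantity out of range", "quantity"))
    # Guideline 7: the server decides privileges from its own session store, so a
    # client-supplied "is_admin" flag is unexpected input and its presence is alarmed.
    if "is_admin" in raw:
        alarms.append(Alarm("client attempted to set privilege flag", "is_admin"))
    if alarms:
        return None, alarms
    return ValidatedOrder(username, quantity), []


def component_matches(data: bytes, expected_sha256: str) -> bool:
    """Guideline 6: compare a component's SHA-256 with its recorded value using a
    constant-time comparison, so a tampered component is rejected before use."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)
```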

Andrew Choe