Fundamentals of Web Application Development
Security
When you're discussing the Internet, security should be the first thing that comes to mind. Unfortunately, security is an extremely complicated issue - even security experts cannot be 100% sure that their network is secure. At most, you can hope to reach a state where you feel comfortable about your network's security.
Granted that security poses a distinct challenge, it clearly has to be a priority in your network and application design. Security can be divided into three categories: 1) network, 2) server, and 3) application. For network and server security, installing a quality firewall and hiring a competent system administrator can go a long way towards making you feel comfortable.
Application security, however, is not so easy. Generally software must undergo a series of audits and "trial by fire" before it can be considered anywhere near safe. And even then, some exploits or bugs in the software may go undiscovered for years.
The point is that it takes years for application software to reach the comfortable level of security enjoyed by the most secure applications. With that in mind, it makes sense to base your design on fundamental security concepts.
Some quick rules of thumb:
  • Always verify any data sent from a client for size and type.

  • Be extra careful with scripts that talk to databases - don't give the web server any more permissions than it needs.

  • Any file operations done by the web server are high risk. Verify that your permission structure does not grant any unnecessary permissions which could be exploited to damage the system.

  • Avoid executing shell commands at all costs.

  • Never send clear-text passwords over the network. Use encrypted connections, with ssh or ssl, whenever sending important information.
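The rules of thumb above, applied to a small request handler. This is an added example written for this page, not code from the original article; the form fields, the `users` table and the document directory are constructed sample data, and the helper names (`validate_form`, `resolve_under`, `lookup_user`, `list_user_files`) are my own. It uses only the Python 3 standard library.

```python
"""Input validation, least-privilege database access and confined file
operations, as an illustration of the article's rules of thumb."""
import os
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Rule 1: every client-supplied value gets an explicit size and type check.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,64}$")   # assumed policy: 1-64 safe chars
MAX_PAGE = 10_000                                   # assumed upper bound


def validate_form(form):
    """form is a dict of str -> str as a web framework would hand it over.
    Returns a cleaned dict with typed values, or raises ValueError."""
    errors = []
    name = form.get("name", "")
    if not isinstance(name, str) or not NAME_RE.match(name):
        errors.append("name: 1-64 characters of letters, digits, space, . ' -")
    page_raw = form.get("page", "1")
    if (not isinstance(page_raw, str) or not page_raw.isascii()
            or not page_raw.isdigit() or not 1 <= int(page_raw) <= MAX_PAGE):
        errors.append(f"page: integer between 1 and {MAX_PAGE}")
    if errors:
        raise ValueError("; ".join(errors))
    return {"name": name, "page": int(page_raw)}


def resolve_under(base_dir, requested):
    """Rule 3: a file operation driven by client input is only allowed
    inside base_dir. Symlinks and '..' are resolved before the check."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the document directory")
    return target


def list_user_files(base_dir, subdir):
    """Rule 4: do the job with library calls instead of shelling out to 'ls'."""
    return sorted(os.listdir(resolve_under(base_dir, subdir)))


def lookup_user(db_path, name):
    """Rule 2: open the database with no more rights than the query needs
    (SQLite read-only URI) and bind the value instead of concatenating SQL."""
    uri = Path(db_path).as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return conn.execute(
            "SELECT id, name FROM users WHERE name = ?", (name,)
        ).fetchone()
    finally:
        conn.close()


def rejects(func, *args):
    """True if func(*args) raises ValueError (used to show rejected input)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def demo():
    """Builds constructed sample data in a throw-away directory and runs the
    checks; returns the results so they can be inspected."""
    work = tempfile.mkdtemp()
    docs = os.path.join(work, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("constructed sample document\n")
    db = os.path.join(work, "app.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("Ada Lovelace",))
    conn.commit()
    conn.close()
    try:
        return {
            "clean": validate_form({"name": "Ada Lovelace", "page": "3"}),
            "oversize_rejected": rejects(validate_form, {"name": "A" * 65, "page": "1"}),
            "type_rejected": rejects(validate_form, {"name": "Ada", "page": "-1"}),
            "traversal_rejected": rejects(resolve_under, docs, "../app.db"),
            "files": list_user_files(docs, "."),
            "user": lookup_user(db, "Ada Lovelace"),
            "literal_match": lookup_user(db, "O'Brien"),   # quote is data, not SQL
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The read-only connection and the parameter binding are independent controls: the former limits what a compromised script can do, the latter keeps a quote in a name from changing the query at all.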
More on that later. Next, we'll talk about maintainability, or, where you are going to spend your time and money.
Maintainability
What's the number one cost in web design? Is it planning the application? Is it building the application for the first time? Is it the cost of the server or the connectivity?
Actually, it's none of these things. The highest cost will be maintaining the application. This is in contrast to traditional systems design, where a majority of expense is in the systems understanding and analysis.
Why the difference? With traditional systems, an application has a typical lifetime of 2 to 4 years. Once the application has reached a stable configuration the design effort is all but finished.
On the other hand, the dynamic aspect of the web makes most applications outdated in months rather than years. Improvements in existing applications are continuous, new content is expected, new technologies appear on a regular basis. A web application must improvise or be replaced. Another way to put it is that web software is in a continual prototyping process - user feedback and design demands are much more prevalent than in their traditional counterparts.
The fact remains that your software must be frequently modified and updated. Realizing this at an early point in the design phase is crucial to making maintenance easier in the future. Trust me, I've learned the hard way.
Build customization variables into your code. Separate code and content. Use templates. Use style sheets. Make the language of your site customizable. Develop a common coding style and stick with it. Comment your code well.
To put it simply, you can do what we do, and build everything for distribution. It may seem like an unnecessary investment of time and resources if you are designing for one customer only, but, trust me, when the client starts asking you to make changes, you'll thank me.
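One way to put the advice of this section into practice, as an added example that is not part of the original article: customization variables, page content and language strings live in data, the page itself is a template, and the code only fills in slots. The site name, the two message catalogues and the template are constructed sample values; the function name `render_page` is mine. Escaping user-supplied text once, before it reaches any template, is the part that also keeps the template safe to hand to a designer.

```python
"""Separating code, content, language and presentation so a site can be
re-skinned or translated without touching its logic."""
import html
from string import Template

# Customization variables: one place to change, never hard-coded in logic.
SETTINGS = {"site_name": "Example Shop", "default_lang": "en"}

# Content and translations are data; the code never contains visible text.
MESSAGES = {
    "en": {"greeting": "Welcome, $user!",
           "items": "You have $count item(s) in your cart."},
    "fr": {"greeting": "Bienvenue, $user !",
           "items": "Votre panier contient $count article(s)."},
}

# Presentation: a template with named slots, style handled by a style sheet.
PAGE_TEMPLATE = Template(
    "<html><head><title>$site_name</title>"
    '<link rel="stylesheet" href="$stylesheet"></head>'
    "<body><h1>$greeting</h1><p>$items</p></body></html>"
)


def render_page(user, cart_count, lang=None, stylesheet="site.css"):
    """Fill the page template for one visitor.
    user is client-controlled text; cart_count must be an integer."""
    if lang not in MESSAGES:
        lang = SETTINGS["default_lang"]          # unknown language: fall back
    msgs = MESSAGES[lang]
    safe_user = html.escape(user, quote=True)    # escape once, at the boundary
    return PAGE_TEMPLATE.substitute(
        site_name=html.escape(SETTINGS["site_name"]),
        stylesheet=html.escape(stylesheet, quote=True),
        greeting=Template(msgs["greeting"]).substitute(user=safe_user),
        items=Template(msgs["items"]).substitute(count=int(cart_count)),
    )


if __name__ == "__main__":
    print(render_page("Ada", 2, "fr"))
```

Adding a third language or a second look for a different client means adding a catalogue entry or swapping the style sheet, with `render_page` left alone.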
Next, we'll take a trip to the other side of the application: the user ...