Protecting Against Network Hacks

engine

5:35 pm on May 4, 2011 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



After the recent Sony network hacks where user data, including passwords and credit card data, was stolen, perhaps it's time to start a thread on the top ways to protect your data against being hacked. Of course, some data requires greater protection than others.

I'll start with the simplest of all:

1. Don't store data in obvious locations.

Status_203

8:23 am on May 5, 2011 (gmt 0)

10+ Year Member



As a corollary then (given that the information has to be stored by the code that saves it and the locations of the code will be in the web server configuration)

2. Remove all searching tools from the server

And of course to help minimize the hack target area...

3. Don't run services you don't need.

topr8

10:48 am on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



4. restrict permissions on the data

5. after the horse has bolted but still helpful - encrypt all password and user name data

Key_Master

11:36 am on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



6. Don't store data you don't need to store or for longer than is legally required.

7. Monitor your services logs on a regular basis.

8. Consider restricting access to services to one or a very limited number of IPs.

londrum

12:23 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't know if this is true, but I heard that the info Sony held wasn't even encrypted.

Rule #9: encrypt sensitive data so even if it does get stolen, it's still useless.

topr8

3:37 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>>Rule #9: encrypt sensitive data so even if it does get stolen, it's still useless.

cough ... 5

rocknbil

5:20 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So then, :-)

9. Cleanse all input via forms **or query strings.**

10. Log everything. Server logs aren't enough. Any script that accepts user input should store a record of precisely what is being input or requested somewhere, without exception.

11. Be wary of anything open source. It's easy to download and install free open source programs, but understand what they do, investigate their vulnerabilities.

12. Related, when downloading free apps, RTFM, RTFM, RTFM!! *Especially* in respect to best security practices. I can't count the new clients I've taken on that still have their setup directories in place (all someone needs to do is re-run it to bork their site,) or configuration files with world-write permissions. Follow every security recommendation.

13. Also related, run those software updates. It's annoying and a pain, but they don't update them just for cool stuff, they update them because vulnerabilities are revealed.

14. Don't use stupid passwords. This seems obvious but it is RAMPANT.

15. Change passwords OFTEN.

16. Don't use straight FTP.

Key_Master

8:19 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Encrypted data isn't necessarily useless. It's still possible to crack the encryption. In fact, some believe that the Sony data may have already been cracked.

[pcworld.com...]

londrum

8:21 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



...didn't notice you already said it topr8

17. pay more attention to stuff that people have already written

rocknbil

10:11 pm on May 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



^ ^ ^ That's actually gold . . . there is so much to learn from those that precede us.

Sgt_Kickaxe

2:46 am on May 6, 2011 (gmt 0)



18. Replace search boxes with dropdown lists if the choices are limited. Set up an array to whitelist the possible choices and send anything else to 404. That way anyone trying to manipulate a url's parameters gets nowhere. My logs tell me that Google does limited testing of random variables on any url that has parameters which might mean it's a ranking factor.

I hate pages that I can change a parameter and add "XYZXYZXYZXYZ" and the page then says "Buy your XYZXYZXYZXYZ here", lol. Google's watching that too.
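Point 18 (and the "cleanse all input via query strings" point 9) as a worked example, added here and not posted in the thread: every query parameter name and value is checked against a server-side allowlist, anything unexpected gets a 404, and the text shown on the page comes from a server-side label table rather than from the request, so "Buy your XYZXYZXYZXYZ here" can never be produced. The parameter names, values and labels are constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed allowlist: parameter name -> set of canonical allowed values.
ALLOWED = {
    "category": {"shoes", "hats", "bags"},
    "sort": {"price", "name"},
}
DEFAULTS = {"sort": "name"}          # optional parameters and their defaults
REQUIRED = {"category"}
# Display text is looked up here, never echoed from the URL.
LABELS = {"shoes": "Shoes", "hats": "Hats", "bags": "Bags"}


def resolve_params(query_string: str):
    """Return (200, params) if every name and value is allowlisted, else (404, None)."""
    raw = parse_qs(query_string, keep_blank_values=True)
    params = dict(DEFAULTS)
    for name, values in raw.items():
        if name not in ALLOWED or len(values) != 1:
            return 404, None         # unknown parameter, or the same one sent twice
        value = values[0].strip().lower()
        if value not in ALLOWED[name]:
            return 404, None         # e.g. category=XYZXYZXYZXYZ
        params[name] = value
    if not REQUIRED <= params.keys():
        return 404, None             # a required parameter is missing
    return 200, params


def page_heading(query_string: str) -> str:
    """Build the heading from the label table, so only canonical values ever reach the page."""
    status, params = resolve_params(query_string)
    if status != 200:
        return "404 Not Found"
    return f"Buy your {LABELS[params['category']]} here"
```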

Staffa

6:08 am on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



19. Don't store data in locations with obvious names.
Call /admin/ ... /tomatosoup/ or anything else you fancy except admin

rocknbil

6:17 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<cough> #1. :-)

Staffa

12:12 pm on May 7, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>><cough> #1. :-)


Not really rocknbil, to me the #1 obvious location is a subdirectory of the root, whereas you should store your data outside the root folder.
I merely added that if you don't have that option, then don't call your subdirectory something obvious ;o)