I am doing a minor project on information security in which I am implementing the techniques listed below to protect a HEALTH CARE database.
- Preventing SQL injection (using prepared statements, validation, and a tokenization algorithm)
- Preventing CSRF attack (inserting a hidden token in the form)
- Preventing brute-force attacks (locking the account after 5 unsuccessful attempts)
- Preventing XSS
- Validating every input
- Initiating sessions only on cookies
- Implementing a negative database (http://en.wikipedia.org/wiki/Negative_database)
- Encrypting Confidential Information
- Limited privileges for every user
EDIT: I am also implementing these points, which I didn't post earlier because I thought they were less important, but the answers here clearly show the importance of these points:
- Audit Log
- Strong password
- Secure connection using session_set_cookie_params
- Access Control
So now my question is: is there anything left that I'm forgetting? I know a few of them, like security on the network layer etc. I am running my project on localhost, so I think I can't do anything on the network layer.