Feature Spotlight: Security

I’d be remiss if I didn’t spend at least a little time talking about the major security overhaul that happened in Nova. While most of it is under the hood and handled by CodeIgniter, we’ve taken our own measures to secure your site even more than SMS. Security starts with the foundation, and we’ve chosen a framework that, while fast, puts security at a premium.

At the very base, it starts with comprehensive SQL injection protections to make sure a malicious user can’t destroy your database from the outside. Using CI’s built-in Active Record database class, we’re assured that all inputs are properly escaped before any attempt is made to put them into the database. Anodyne focused heavily on this type of vulnerability in SMS 2.6 (and subsequently dropped support for SMS 2.5 because of the same issue), and using the framework’s built-in tools has allowed us to maintain protection against such attacks.

Cross-site scripting (XSS) is another area that received a lot of attention; XSS is one of the most common vulnerabilities in web applications. Again, we relied on CodeIgniter to do the heavy lifting here, with a whole slew of XSS filtering done before any data is handed to the database. This helps us ensure that all of your information and your database is safe!

A final item we addressed during the course of development was brute force attacks. Hackers will sometimes set up servers to cycle through a dictionary and attempt repeated logins to a web application in the hope of finding a username and password they can use to get in. Not only is that a drain on server and network resources, but it potentially exposes your data to hackers if you don’t have a very secure password. Nova addresses that issue head on by limiting the number of logins a user can attempt to 3. If there are 3 unsuccessful attempts, the system will lock the user out for 30 minutes before they can try logging in again. It may seem annoying if a legitimate user runs into this, but in the long run, it’s worth it to prevent hackers from brute force hacking your site.
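The lockout policy just described, modelled as an added example rather than Nova’s or CodeIgniter’s own code: three failed attempts lock a username, and the lock holds for 30 minutes even if the right password is offered. It assumes an in-memory per-username state, an injected clock (`now`) so the window can be checked deterministically, and a constructed plaintext credential store that stands in for a real hashed-password check.

```python
from typing import Callable, Dict, List

MAX_FAILED_ATTEMPTS = 3     # three unsuccessful attempts, as described above
LOCKOUT_SECONDS = 30 * 60   # then a 30-minute lockout

class LoginThrottle:
    def __init__(self) -> None:
        # username -> [failed_attempts, locked_until (epoch seconds) or None]
        self._state: Dict[str, list] = {}

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state.setdefault(username, [0, None])
        if st[1] is None:
            return False
        if now >= st[1]:
            st[0], st[1] = 0, None   # lockout expired: start a fresh count
            return False
        return True

    def attempt(self, username: str, password: str,
                verify: Callable[[str, str], bool], now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'; the credential check is skipped
        while locked, so guesses made during the window gain nothing."""
        if self.is_locked(username, now):
            return "locked"
        st = self._state[username]
        if verify(username, password):
            st[0] = 0
            return "ok"
        st[0] += 1
        if st[0] >= MAX_FAILED_ATTEMPTS:
            st[1] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

# Constructed credential store for the demo only; a real check compares a
# salted password hash, never a plaintext string.
_DEMO_USERS = {"alice": "correct horse"}

def demo_verify(username: str, password: str) -> bool:
    return _DEMO_USERS.get(username) == password

def simulate(now: float = 0.0) -> List[str]:
    """Three bad guesses lock alice; the right password is refused until the window ends."""
    t = LoginThrottle()
    out = [t.attempt("alice", "guess%d" % i, demo_verify, now) for i in range(3)]
    out.append(t.attempt("alice", "correct horse", demo_verify, now + 60))
    out.append(t.attempt("alice", "correct horse", demo_verify, now + LOCKOUT_SECONDS))
    return out
```

Because the lock is keyed on the username alone, three failures from anyone lock that user out for the window, which is the trade-off the post acknowledges; recording each "locked" result together with the source address is the signal that lets you spot the dictionary runs described above.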

As you can see, security was a pretty important issue for us, but we wanted to make the additional security as transparent as possible.  We don’t want the system prompting you for everything it has to do; it should just be secure from the start and that’s been our goal since day 1.
