Popular web attack vectors of 2009
According to a report published in Network World, the biggest vectors for web hacking in 2009 were social networks, SQL injection, cross-site scripting, authentication abuse, and cross-domain request forgery.
The concern about social networks is something I've written about before. I use Twitter to announce my money-making projects, LinkedIn to outline my professional achievements, and Facebook to socialize with others. However, I do not tweet my intimate thoughts, put a detailed resume on LinkedIn, or reveal anything too personal on my Facebook wall.
Everybody on Facebook should visit the permissions page under "Account" and rearrange the settings as needed. The default permissions are too lenient, and mine changed when Facebook changed their policy in December of 2009. My suggestion is that "everybody" gets only a very limited and benign overview of you, and everything else is visible only to your friends or to you. In my case, everybody can see my email address, only my friends can see my wall posts, only my family can see my birthday, and nobody but me can see my personal political and religious views.
SQL injection, cross-site scripting, and cross-domain request forgery are all mistakes made by the development team. If programmers paid attention, most of these flaws would go away.
There is also the issue of people wanting to open their site too much to the world. Unfortunately, the world doesn't always play fair, and you have to be ready for the shenanigans others will pull if you allow them. If you are going to open your site up so that guests can leave comments or other material, then at least make sure they can't leave dangerous HTML tags in the mix. You might even ban the use of HTML tags altogether.
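As an added illustration of the two developer mistakes above (not code from the original post), here is a minimal guest-comment store that binds user input as SQL parameters instead of concatenating it into the query, and escapes every comment on output so that no HTML a guest types is ever rendered as markup. The table layout and the sample comment are constructed for the example.

```python
import html
import sqlite3


def open_store():
    """Constructed example schema: an in-memory table for guest comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT NOT NULL, body TEXT NOT NULL)")
    return conn


def save_comment(conn, author, body):
    """Store the comment verbatim.

    The values are passed as bound parameters, so a quote character in the
    author name or body can never change the shape of the SQL statement.
    The text is stored raw; encoding belongs at the point of output.
    """
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        (author, body),
    )
    conn.commit()


def render_comments(conn):
    """Return the comment list as an HTML fragment.

    html.escape() with quote=True turns <, >, &, " and ' into entities, which
    amounts to the 'ban HTML tags altogether' policy: whatever a guest typed
    is shown as literal text and is never interpreted by the browser.
    """
    rows = conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    items = [
        "<li><b>%s</b>: %s</li>"
        % (html.escape(author, quote=True), html.escape(body, quote=True))
        for author, body in rows
    ]
    return "<ul>\n%s\n</ul>" % "\n".join(items)


if __name__ == "__main__":
    store = open_store()
    # Constructed hostile input: a quote that would break a concatenated query
    # and a script tag that would run if echoed unescaped.
    save_comment(store, "guest', 'x", "<script>alert(1)</script> O'Brien")
    print(render_comments(store))
```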
Giving account holders too much power only aggravates authentication problems on the site. Ideally, all users would be held to the same controls you should already have in place for the administrative staff. But there are users who make their lives easier by reusing old passwords, never changing their passwords, and picking short, easy-to-remember, and easy-to-guess passwords. Last year 33 high-profile Twitter accounts were compromised when a member of the Twitter administrative staff used a super weak password.
See the Feb 22, 2010 report at Network World by Ryan Barnett here:
http://www.infoworld.com/d/security-central/webs-greatest-security-threats-revealed-949?source=IFWNLE_nlt_firstlook_2010-02-22