When you're discussing the Internet, security should be the first thing that comes to mind. Unfortunately, security is an extremely complicated issue - even security experts cannot be 100% sure that their network is secure. At most, you can hope to reach a state where you feel comfortableabout your network's security.
Now, granted that security poses a distinct challenge, it clearly becomes the priority in your network and application design. Security can be divided into three categories: 1) network, 2) server, and 3) application. For network and server security, installing a quality firewall and hiring a competent system administrator can go a long way towards making you feel comfortable.
Application security, however, is not so easy. Generally software must undergo a series of audits and "trial by fire" before it can be considered anywhere near safe. And even then, some exploits or bugs in the software may go undiscovered for years.
The point is that it takes years for application software to gain the comfortable level of security that is appointed the most secure applications. With that in mind, it makes sense to base your design on fundamental security concepts.
Some quick rules of thumb:
• Always verify any data sent from a client for size and type.
• Be extra careful with scripts that talk to databases - don't give the web server any more permissions that it needs.
• Any file operations done by the web server are high risk. Verify that your permission structure does not grant any unnecessary permissions which could be exploited to damage the system.
• Avoid executing shell commands at all costs.
• Never send clear-text passwords over the network. Use encrypted connections, with ssh or ssl, whenever sending important information.
OK, more on that later, next, we'll talk about maintainability, or, where you are going to spend your time and money.