 Post subject: Web security project
PostPosted: Sun Nov 17, 2013 5:28 pm 

Joined: Tue Jan 22, 2008 9:47 pm
Posts: 196
Location: New York
Hi everyone.
I have a tough project and would greatly appreciate any advice or input. I do not expect any work to be done for me, just would like some links or tips.

I am setting up a hypothetical online wine store and need to provide the following information.
Purchase of domain
Server purchase and set up
DBMS (setup, maintenance, access and security)
Web security testing (process, policy and tools to be used)
Web services used (include those available to mobile users)

This is a web security class so the main focus is on how to make the website as secure as possible. The domain is easy enough. However I am having some trouble finding information on the DBMS, web security, and web services parts.
If anyone has any experience that they could offer me including Tools, standards, protocols, etc., that’d be amazing.
Thanks

_________________
Antec P180B|Asus P5B Deluxe/Wifi|Intel Q9550 (2.8) w/ Kingwin 12025| Dominator 4gb + 4gb XMS2 @667|nVidia GTX 260|Seagate 200gb 7200.10|WD 6400AAKS | WD 1tb | Sandisk Extreme 120gb

 Post subject: Re: Web security project
PostPosted: Sun Nov 17, 2013 7:52 pm 

Joined: Thu Nov 19, 2009 10:20 am
Posts: 484
Location: Ottawa
Without a lot more detail on your code/language/db/versions etc I can only give some generalized advice. You have two areas here that both need to be secure: infrastructure and code. I am a sysadmin who runs some fairly big websites so I can only comment on the infrastructure part. I do know quite a bit of the code side, but that is not my area of expertise.

- Follow the principle of least privilege. Only give as much access as needed, never more. Your website does not run as root/admin or have access to anything on the server it does not need. The DB login is not root/sa; give it the specific permissions to only the tables it needs. This is one of the biggest problems I see: many admins give root/admin because it is "easy".

- Make sure you have good strong passwords on everything. Use SSH public keys if applicable.

- Have a good firewall setup, ideally separate from the server. The only thing that should be accessible to the public are the web ports. Admin ports (SSH, RDP) should be restricted to only required IPs. The DB port should NEVER be open on the public internet. Ideally the DB should be on a separate server that is only on a private network, but in small setups that is not always practical. Other services like caching, logging etc should be private as well.

- Make sure everything is up to date with security patches and keep things up to date. This is not always the same thing as running the latest version.

- I know this is just a project, but ideally you should have a test server where you can make changes and test their impacts before being put into production. Always have a backout plan for any changes. Test the plan.

- Since you are working with payments look up and follow PCI (payment card industry) standards. Not fun.

- Look up security scanners/penetration testers. Use them. Which one is best depends on what exactly your site is doing and how it is built.

- Look up the best practices for security in the language you are using for your site.

- Only bite off as much as you can chew. If you are a developer and not a sysadmin get one to help you or use a managed service which does much of the work for you. I don't expect the developers where I work to manage secure infrastructure and they don't expect me to write secure code.
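The least-privilege and firewall points above, worked through as an added example (this is not code from the thread or from any poster). The database name, application account, private subnet, admin address and the three tables are assumptions chosen for illustration; the SQL is MySQL/MariaDB syntax and the firewall policy is in iptables-restore format.

```shell
#!/bin/sh
# Added example (not from the thread): a least-privilege MySQL account and a
# host firewall policy matching the advice above. Database name, account name,
# subnets and addresses are assumptions chosen for illustration.

DB_NAME="shop"              # assumed database name
DB_USER="shop_app"          # assumed application account; never root
DB_HOST_PATTERN="10.0.1.%"  # assumed private subnet the web tier connects from
APP_SUBNET="10.0.1.0/24"    # same subnet in CIDR form for the firewall
ADMIN_IP="203.0.113.10"     # assumed admin workstation (documentation address)

# Emit SQL that creates an application account limited to the statements and
# tables the shop needs: no GRANT ALL, no access to the mysql schema, and the
# account can only connect from the private subnet.
db_grants_sql() {
    cat <<EOF
CREATE USER '${DB_USER}'@'${DB_HOST_PATTERN}' IDENTIFIED BY '<set-a-strong-password>';
GRANT SELECT ON ${DB_NAME}.products TO '${DB_USER}'@'${DB_HOST_PATTERN}';
GRANT SELECT, INSERT, UPDATE ON ${DB_NAME}.orders TO '${DB_USER}'@'${DB_HOST_PATTERN}';
GRANT SELECT, INSERT ON ${DB_NAME}.order_items TO '${DB_USER}'@'${DB_HOST_PATTERN}';
FLUSH PRIVILEGES;
EOF
}

# Emit an iptables-restore ruleset: default deny inbound, web ports public,
# SSH only from the admin address, the DB port only from the private subnet.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public web ports
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# admin port restricted to one address
-A INPUT -p tcp -s ${ADMIN_IP} --dport 22 -j ACCEPT
# database port reachable only from the private app subnet
-A INPUT -p tcp -s ${APP_SUBNET} --dport 3306 -j ACCEPT
COMMIT
EOF
}

# Succeed if the policy accepts TCP port $1 from any source (no -s restriction),
# i.e. the port is exposed to the public internet. Used as a self-check.
port_is_public() {
    firewall_rules | grep -- "--dport $1 -j ACCEPT" | grep -qv -- ' -s '
}

# Run with "show" to print both artifacts for review before applying them
# (e.g. mysql < grants.sql, iptables-restore < rules.v4).
if [ "${1:-}" = "show" ]; then
    db_grants_sql
    firewall_rules
fi
```

The `port_is_public` check is the kind of test worth keeping around: it reads the generated policy back and confirms that only 80 and 443 are reachable without a source restriction, so a later edit that accidentally opens 3306 or 22 to the world fails the check rather than going unnoticed.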

 Post subject: Re: Web security project
PostPosted: Sun Nov 17, 2013 8:53 pm 

Joined: Mon May 16, 2011 11:23 am
Posts: 681
Location: Germany
I'd point you at some shop software packages, because why do it all from scratch when a few dollars yield a fully functional system including basic security considerations.

 Post subject: Re: Web security project
PostPosted: Sun Nov 17, 2013 11:16 pm 

Joined: Tue Jan 22, 2008 9:47 pm
Posts: 196
Location: New York
Thank you Washu. It's just a report and presentation. I don't know what code/language would be best. I don't have prior experience and this class didn't really cover the differences other than that some are used in some tools. Thank you for the advice so far, it's been useful in my initial draft.

Pappnaas, that'd be great. I already "chose" to use Amazon's AWS service for servers since they are supposed to do the patches and updates themselves.

 Post subject: Re: Web security project
PostPosted: Mon Nov 18, 2013 6:31 am 

Joined: Thu Nov 19, 2009 10:20 am
Posts: 484
Location: Ottawa
Default AWS instances do not auto update themselves outside of normal included OS update mechanisms. They are usually fairly up to date when you launch them, but once running they are up to you to manage. There are more auto managed options such as Elastic Beanstalk, but that just replaces your instances with new up to date ones instead of updating the existing instances.
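Since the instance's patching is up to you once it is running, one concrete way to act on that, as an added example that is not from the thread: turn on unattended security upgrades on a Debian/Ubuntu instance. The configuration keys are the real APT periodic settings; the target directory is a parameter (normally `/etc/apt/apt.conf.d`) so the functions can be exercised on a scratch directory. The `unattended-upgrades` package itself still has to be installed for the setting to do anything.

```shell
#!/bin/sh
# Added example (not from the thread): enable automatic security updates on a
# Debian/Ubuntu instance, since AWS instances do not patch themselves.
# The conf directory is a parameter so this can be tested without touching
# a live system; in production pass /etc/apt/apt.conf.d.

# Write the APT periodic settings that turn on unattended upgrades.
# Requires the unattended-upgrades package to be installed.
enable_auto_security_updates() {
    confdir="$1"
    mkdir -p "$confdir"
    cat > "$confdir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Report whether unattended upgrades are enabled in the given conf dir:
# prints "enabled" or "disabled" and returns 0 or 1 accordingly, so it can
# be used both by a human and by a monitoring check.
auto_updates_status() {
    f="$1/20auto-upgrades"
    if [ -f "$f" ] && grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$f"; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# Usage on a real host (as root):
#   enable_auto_security_updates /etc/apt/apt.conf.d
#   auto_updates_status /etc/apt/apt.conf.d
```

Automatic updates cover the OS packages only; anything installed outside the package manager (a shop package unpacked into the web root, for instance) still has to be tracked and updated separately, which is the point made later in the thread.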

 Post subject: Re: Web security project
PostPosted: Mon Nov 18, 2013 11:53 pm 

Joined: Mon May 16, 2011 11:23 am
Posts: 681
Location: Germany
As far as I have gathered, Amazon AWS just provides the OS platform, so any additional software/functionality would have to be updated yourself.

For running a preconfigured shop package (I have done a small project with a German software called "shoptodate") you usually need PHP, MySQL and some web server, depending on the actual product chosen.

I guess that there are some packages from the US or other companies, but I haven't had any experience with those.
