Web security project

Our "pub" where you can post about things completely Off Topic or about non-silent PC issues.

Moderators: NeilBlanchard, Ralf Hutter, sthayashi, Lawrence Lee

Post Reply
xev
Posts: 217
Joined: Tue Jan 22, 2008 9:47 pm
Location: New York

Web security project

Post by xev » Sun Nov 17, 2013 5:28 pm

Hi everyone.
I have a tough project and would greatly appreciate any advice or input. I do not expect any work to be done for me, just would like some links or tips.

I am setting up a hypothetical online wine store and need to provide the following information.
Purchase of domain
Server purchase and set up
DBMS (setup, maintenance, access and security)
Web security testing (process, policy and tools to be used)
Web services used (include those available to mobile users)

This is a web security class so the main focus is on how to make the website as secure as possible. The domain is easy enough. However I am having some trouble finding information how the DBMS, web security, web services parts.
If anyone has any experience that they could offer me including Tools, standards, protocols, etc., that’d be amazing.
Thanks

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Re: Web security project

Post by washu » Sun Nov 17, 2013 7:52 pm

Without a lot more detail on your code/language/db/versions etc I can only give some generalized advice. You have two areas here that both need to be secure: infrastructure and code. I am a sysadmin who runs some fairly big websites so I can only comment on the infrastructure part. I do know quite a bit of the code side, but that is not my area of expertise.

- Follow the principle of least privilege. Only give as much access as needed, never more. Your website does not run as root/admin or have access to anything on the server it does not need. The DB login is not root/sa, give it the specific permissions to only the tables it needs. This is one of the biggest problems I see, many admins giving root/admin because it is "easy".

- Make sure you have good strong passwords on everything. Use SSH public keys if applicable.

- Have a good firewall setup, ideally separate from the server. The only thing that should be accessible to the public are the web ports. Admin ports (SSH, RDP) should be restricted to only required IPs. The DB port should NEVER be open on the public internet. Ideally the DB should be on a separate server that is only on a private network, but in small setups that is not always practical. Other services like caching, logging etc should be private as well.

- Make sure everything is up to date with security patches and keep things up to date. This is not always the same thing as running the latest version.

- I know this is just a project, but ideally you should have a test server where you can make changes and test their impacts before being put into production. Always have a backout plan for any changes. Test the plan.

- Since you are working with payments look up and follow PCI (payment card industry) standards. Not fun.

- Look up security scanners/penetration testers. Use them. Which one is best depends on what exactly your site is doing and how it is built.

- Look up the best practices for security in the language you are using for your site.

- Only bite off as much as you can chew. If you are a developer and not a sysadmin get one to help you or use a managed service which does much of the work for you. I don't expect the developers where I work to manage secure infrastructure and they don't expect me to write secure code.

Pappnaas
Posts: 726
Joined: Mon May 16, 2011 11:23 am
Location: Germany

Re: Web security project

Post by Pappnaas » Sun Nov 17, 2013 8:53 pm

I'd point you at some shop software packages, because why doing it all from scratch if a few dollars yield a fully funktional system including basic security considerations.

xev
Posts: 217
Joined: Tue Jan 22, 2008 9:47 pm
Location: New York

Re: Web security project

Post by xev » Sun Nov 17, 2013 11:16 pm

Thank you Washu. It's just a report and presentation. I don't know what code/language would be best. I don't have prior experience and this class didn't really cover the differences other than that some are used in some tools. Thank you for the advice so far, it's been useful in my initial draft.

Pappnaas, that'd be great. I already "chose" to use Amazon's AWS service for servers since are supposed to do the patches and updates themselves.

washu
Posts: 571
Joined: Thu Nov 19, 2009 10:20 am
Location: Ottawa

Re: Web security project

Post by washu » Mon Nov 18, 2013 6:31 am

Default AWS instances do not auto update themselves outside of normal included OS update mechanisms. They are usually fairly up to date when you launch them, but once running they are up to you to manage. There are more auto managed options such as Elastic Beanstalk, but that just replaces your instances with new up to date ones instead of updating the existing instances.

Pappnaas
Posts: 726
Joined: Mon May 16, 2011 11:23 am
Location: Germany

Re: Web security project

Post by Pappnaas » Mon Nov 18, 2013 11:53 pm

As far as i have gathered, Amazon AWS just provides the OS platform, so any additional software/functionality would have to be updated yourself.

For running a preconfigured shop package (i have done a small projekt with a german software called "shoptodate") you usually need php, mysql and some webserver, depending on the actual product chosen.

I guess that there are some packages from the US or other companies, but i havn't had any experience with those.

Post Reply