  1. #1 willemakit (SitePoint Member, Toronto, Canada)

    Security for Site

    Sorry, I think I posted this in the wrong section... so this is a repeat from web design posts. Hope you can help me.
    ---------


    Hi All, I have been a member for a while, but rarely post. I love Sitepoint, buy many of their books and manuals.

    I have a security question. I am building a large website for a customer that will be used by banks and insurance companies in Canada and possibly other locations. I have never created a website for this kind of use. I am worried about addressing the right amount of security procedures.

    I would like to use Host Gator. They have data backup at a separate location, but still in Texas, not across the country, with servers ready to upload websites in the case of a catastrophic event (unlikely, but as we know, some customers want that feature).

    SSL: do you think I can get away with shared, or would I need to have our own SSL cert?

    We will be building in strong security, and of course allowing for 8-16 alphanumeric passwords.

    Just wanted to know if anyone here has worked with banks, and if you have any advice on these questions. ANY other advice would also be VERY appreciated as well.

    Thanks,
    Willemakit
    (hopes he does)
    Richard E.

  2. #2 (SitePoint Enthusiast)
    There are many aspects to security that you need to be aware of when making a secure website. It seems you are aware of a few of them. You definitely need a dedicated IP address and your own SSL certificate if banks will be accessing it. More important, though, is how securely you write the code. You should get some books on how to write secure code. Attackers can easily hack into the website or into a customer's account if the whole site isn't written with security in mind. This involves a lot more than just requiring long passwords. You have to implement access controls, clean user input to avoid SQL injection, etc.
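
As an added example of the two points in the post above (my code, not code from the thread or from any poster): the string-built login query that SQL injection breaks, the parameterised form that fixes it, and an object-level access check so a logged-in user cannot read another customer's account by editing an id in a form. It uses Python's built-in sqlite3 module against a constructed in-memory database; the table layout, user names, notes and passwords are made up for the demonstration, and passwords are kept in clear here only so the injection point stays visible.

```python
import sqlite3

# Constructed sample data for this demonstration only (not from the thread).
USERS = [(1, "alice", "s3cret-alice"), (2, "bob", "s3cret-bob")]
ACCOUNTS = [(10, 1, "alice's policy notes"), (20, 2, "bob's policy notes")]


def make_db():
    """Build an in-memory database with a users table and an accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, notes TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so user input becomes query text.

    A username of  alice' --  turns the statement into
      SELECT id FROM users WHERE username = 'alice' --' AND password = '...'
    and the password comparison is commented away.
    """
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so
    quotes and comment markers in the input are just characters to compare."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def account_notes(conn, requesting_user_id, account_id):
    """Access control in the query itself: a record is returned only when the
    requesting user owns it, so tampering with account_id in a form does not
    expose another customer's account."""
    row = conn.execute(
        "SELECT notes FROM accounts WHERE id = ? AND owner_id = ?",
        (account_id, requesting_user_id),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("injected login (vulnerable):", login_vulnerable(db, "alice' --", "wrong"))  # 1
    print("injected login (safe):      ", login_safe(db, "alice' --", "wrong"))        # None
    print("bob reading alice's account:", account_notes(db, 2, 10))                   # None
```

The same injected username logs in as alice through the formatted query and is rejected by the parameterised one; the ownership condition belongs in the query rather than in a later `if`, so there is no window where the wrong row is fetched and then filtered.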

  3. #3 (SitePoint Member)
    You will probably want to get your own SSL cert for the exact domain you are using. You can use an SSL cert that was assigned to another domain, but you get an ugly warning message in every browser, and some new browsers will by default reject the cert entirely if it's the wrong domain (such as a certificate for .hostgator.com that you are trying to access from yourdomain.com).

    At a bare minimum you should require 8 characters for the password. Additional constraints such as requiring a number or not allowing dictionary words are even better. Anything less than 8 characters is trivial to brute force, and dictionary words can be guessed using dictionary attacks.

    If you are developing an app for a high security environment but don't have a good security background, you should consider hiring an expert to perform an audit on the application and provide recommendations for best security practices. Security holes in applications used in those types of environments would be pretty significant...
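
As an added illustration of the password rules in the post above (my code, not the poster's): a policy check that enforces an 8-character minimum, requires a digit, and rejects dictionary words even when padded with digits or punctuation, plus a rough estimate of why a short password is trivial to brute force. The word list and the guess rate of one billion guesses per second are assumptions for the demonstration; a real deployment would load a full dictionary file and measure against its own attacker model.

```python
MIN_LENGTH = 8

# Constructed stand-in for a real dictionary file; an assumption for the demo.
DICTIONARY = {"password", "welcome", "letmein", "toronto", "sunshine", "dragon"}


def password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    # The dictionary check ignores case, digits and punctuation so that
    # "Password1" or "toronto!" are still caught as dictionary words.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def is_acceptable(password):
    return not password_problems(password)


def brute_force_seconds(length, alphabet_size=62, guesses_per_second=1e9):
    """Seconds to exhaust every password of exactly this length.

    62 = upper + lower + digits. The guess rate is an assumed attacker figure;
    the point is the ratio between lengths, not the absolute number."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for pw in ["short1", "Password1", "Toronto2007", "correct-horse-42"]:
        print("%-18s %s" % (pw, password_problems(pw) or "ok"))
    print("6 chars: %.0f s" % brute_force_seconds(6))              # under a minute
    print("8 chars: %.0f h" % (brute_force_seconds(8) / 3600))     # about 61 h
```

Each extra character multiplies the search space by the alphabet size, which is why the jump from 6 to 8 characters takes the exhaustive search from under a minute to days at the assumed rate, while a dictionary word falls in a handful of guesses regardless of length.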

  4. #4 willemakit (SitePoint Member, Toronto, Canada)
    Thank you for your response, really appreciate the help on this. I have taken all the advice and have an expert in security coding writing for the site, and have decided to use Comodo EV SGC SSL; it seems to be the best value and ensures the highest overall security for passwords, and security of notes etc. on the site. Not to mention excellent customer support that, so far, really impresses me.
    Richard E.

  5. #5 (SitePoint Member)
    Keep in mind the SSL cert only protects the data in transit - it offers no security for stored data.
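
To make the point in the post above concrete (an added example, not the poster's code): the certificate covers the connection, so anything that must survive a copy of the database leaving the server needs its own protection. The commonest case is passwords, which should be stored as salted, slow hashes rather than in clear. This uses only the Python standard library (hashlib's PBKDF2 and hmac.compare_digest); the iteration count is an assumed work factor to be tuned to your hardware.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest.

    A fresh random salt per user means two customers with the same password
    get different stored values, and a precomputed table is useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.

    A malformed or unknown stored value is treated as a failed login rather
    than raising, so a corrupted row cannot crash the login handler."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct-horse-42")
    print(stored)
    print(verify_password("correct-horse-42", stored))   # True
    print(verify_password("wrong", stored))              # False
    # Same password, different users: the salts differ, so the rows differ.
    print(hash_password("same") != hash_password("same"))  # True
```

Storing the algorithm and iteration count alongside the hash lets you raise the work factor later and re-hash each user at their next successful login, without a flag day. Hashing only covers passwords; other sensitive fields held at rest (the notes mentioned earlier in the thread, for instance) need encryption with a key kept off the web server, which the certificate does nothing for.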

  6. #6 willemakit (SitePoint Member, Toronto, Canada)
    Hi Jeffct, yes, agreed. The customer is on a budget, so this is not going to be self-hosted; it will be at Hostgator, so it will have their protection. Also, this is not an open site to the general public; it will be operating almost as an intranet. Only customers will know the URL. However, I am treating it as if it were open to the public, and locking down everything that I can with security. My major concern was dealing with the transit, and what was done in the forms, to make sure it was safe at that level. When it is finished, we will take a month... and try real hard to break it, find any holes we can. I have some white hatters who will take a go at it as well, and see where there may be holes.
    Thanks,
    Richard E.
