Web security project

Posted: Sun Nov 17, 2013 5:28 pm
by xev
Hi everyone.
I have a tough project and would greatly appreciate any advice or input. I do not expect any work to be done for me, just would like some links or tips.

I am setting up a hypothetical online wine store and need to provide the following information.
Purchase of domain
Server purchase and set up
DBMS (setup, maintenance, access and security)
Web security testing (process, policy and tools to be used)
Web services used (include those available to mobile users)

This is a web security class so the main focus is on how to make the website as secure as possible. The domain is easy enough. However, I am having some trouble finding information on the DBMS, web security, and web services parts.
If anyone has any experience that they could offer me, including tools, standards, protocols, etc., that’d be amazing.
Thanks

Re: Web security project

Posted: Sun Nov 17, 2013 7:52 pm
by washu
Without a lot more detail on your code/language/db/versions etc I can only give some generalized advice. You have two areas here that both need to be secure: infrastructure and code. I am a sysadmin who runs some fairly big websites so I can only comment on the infrastructure part. I do know quite a bit of the code side, but that is not my area of expertise.

- Follow the principle of least privilege. Only give as much access as needed, never more. Your website does not run as root/admin or have access to anything on the server it does not need. The DB login is not root/sa; give it the specific permissions to only the tables it needs. This is one of the biggest problems I see: many admins giving root/admin because it is "easy".

- Make sure you have good strong passwords on everything. Use SSH public keys if applicable.

- Have a good firewall setup, ideally separate from the server. The only things that should be accessible to the public are the web ports. Admin ports (SSH, RDP) should be restricted to only required IPs. The DB port should NEVER be open on the public internet. Ideally the DB should be on a separate server that is only on a private network, but in small setups that is not always practical. Other services like caching, logging etc. should be private as well.

- Make sure everything is up to date with security patches and keep things up to date. This is not always the same thing as running the latest version.

- I know this is just a project, but ideally you should have a test server where you can make changes and test their impacts before being put into production. Always have a backout plan for any changes. Test the plan.

- Since you are working with payments look up and follow PCI (payment card industry) standards. Not fun.

- Look up security scanners/penetration testers. Use them. Which one is best depends on what exactly your site is doing and how it is built.

- Look up the best practices for security in the language you are using for your site.

- Only bite off as much as you can chew. If you are a developer and not a sysadmin get one to help you or use a managed service which does much of the work for you. I don't expect the developers where I work to manage secure infrastructure and they don't expect me to write secure code.
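The firewall advice in the post above, turned into an automated check (an added example, not part of the original post). The rule format, the `INTERNAL_PORTS` list and the sample addresses are assumptions constructed for illustration:

```python
import ipaddress

# Policy from the post: web ports are public, admin ports only from required IPs,
# the DB and other internal services (caching, logging) only on private networks.
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}                      # SSH, RDP
INTERNAL_PORTS = {3306, 5432, 11211, 514}     # assumed: MySQL, PostgreSQL, memcached, syslog
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def within(src, nets):
    """True if the source network lies entirely inside one of the given networks."""
    return any(src.version == n.version and src.subnet_of(n) for n in nets)

def audit_ingress(rules, admin_allowlist):
    """Return (port, source, reason) for every ingress rule that breaks the policy."""
    admin_nets = [ipaddress.ip_network(n) for n in admin_allowlist]
    findings = []
    for rule in rules:
        port, src = rule["port"], ipaddress.ip_network(rule["source"])
        if port in WEB_PORTS:
            continue                          # meant to be reachable by anyone
        if port in ADMIN_PORTS:
            if not within(src, admin_nets):
                findings.append((port, rule["source"], "admin port not limited to allowlisted IPs"))
        elif port in INTERNAL_PORTS:
            if not within(src, PRIVATE_NETS):
                findings.append((port, rule["source"], "internal service reachable from outside the private network"))
        elif not within(src, PRIVATE_NETS):
            findings.append((port, rule["source"], "unexpected port open to non-private source"))
    return findings

# Constructed sample rule set (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    {"port": 443,  "source": "0.0.0.0/0"},
    {"port": 22,   "source": "0.0.0.0/0"},
    {"port": 22,   "source": "203.0.113.10/32"},
    {"port": 3306, "source": "0.0.0.0/0"},
    {"port": 3306, "source": "10.0.1.0/24"},
    {"port": 8080, "source": "198.51.100.0/24"},
]
ADMIN_ALLOWLIST = ["203.0.113.10/32"]

if __name__ == "__main__":
    for port, source, reason in audit_ingress(SAMPLE_RULES, ADMIN_ALLOWLIST):
        print(f"port {port} from {source}: {reason}")
```

Private ranges are checked against an explicit RFC 1918 list rather than `is_private`, which also treats ranges such as 0.0.0.0/8 as private.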

Re: Web security project

Posted: Sun Nov 17, 2013 8:53 pm
by Pappnaas
I'd point you at some shop software packages, because why do it all from scratch if a few dollars yield a fully functional system including basic security considerations?

Re: Web security project

Posted: Sun Nov 17, 2013 11:16 pm
by xev
Thank you Washu. It's just a report and presentation. I don't know what code/language would be best. I don't have prior experience and this class didn't really cover the differences other than that some are used in some tools. Thank you for the advice so far, it's been useful in my initial draft.

Pappnaas, that'd be great. I already "chose" to use Amazon's AWS service for servers since they are supposed to do the patches and updates themselves.

Re: Web security project

Posted: Mon Nov 18, 2013 6:31 am
by washu
Default AWS instances do not auto update themselves outside of normal included OS update mechanisms. They are usually fairly up to date when you launch them, but once running they are up to you to manage. There are more auto managed options such as Elastic Beanstalk, but that just replaces your instances with new up to date ones instead of updating the existing instances.

Re: Web security project

Posted: Mon Nov 18, 2013 11:53 pm
by Pappnaas
As far as I have gathered, Amazon AWS just provides the OS platform, so any additional software/functionality would have to be updated yourself.

For running a preconfigured shop package (I have done a small project with a German software called "shoptodate") you usually need PHP, MySQL and some webserver, depending on the actual product chosen.

I guess that there are some packages from the US or other companies, but I haven't had any experience with those.