Web Business Security
Results 1 to 6 of 6

Thread: Web Business Security

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    47

    Question Web Business Security

    If I were to set up a Web business site with payment provisions, what kind of security would I need to protect against potential hacker disruptions of my business, like an online enemy trying to prevent payments being sent to my account, if that's possible?

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    1. Install a Hardware Firewall in front of your Webserver. (ie. SmoothWall, IPTables/IPChains, Checkpoint...) Ensure that it is properly configured.

    2. Secure and Harden the OS of your Webserver (ie. Windoze, *nix...)

    3. Apply latest Security Patches to the type of WebServer you choose to use (ie. IIS, Apache...)

    4. You also may want to provide your customers a secure connection (SSL) for their purchases (ie. When credit Card details etc.. are sent).

    5. It also might be an idea not to store customer details on the webserver itself. It should all be stored on a back-end server, preferably, with another FW sitting in-between the back-end server and the webserver.

    This would then be as "tight as a fishes arse" from a security perspective....

    Good luck!!
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    103

    Setting up online payments

    I did this a few months ago and one of the things I found invaluable was to get in touch with whomever is your countries equivalent of the Association for Payment and Clearing Service (ours is at http://www.apacs.org.uk/ ) to find out the current trends in card no present fraud and also to find out what various online payment services are doing about them.

    http://www.ftc.gov/ is also helpful.

    Also, it's worth auditing your internal processed (as Soggybottom mentioned) to make sure you are minimising opportunities for errors and internal fraud.

    Dumb things people often do without realising it:

    (1) Sending credit card details in full as part of the receipt sent to the customer
    (2) Storing cc details unencrypted on customer databases (which may or may not be secure
    (3) Revealing all fields as a default within a database (so instead of just seeing either financial or personal data, you can see everything).
    (4) Holding data for too long.
    668 - the neighbor of the beast

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    Ok what has been said so far is true, BUT you have both missed the security porblems of the web application it's self.

    You will need to secure the web app by a number of measure. The first is input validation on ALL info that is sent to the server. This also has to be done on the server, and not client side (eg in javascript)

    What should be filter should be done in this order.

    change ; into \;
    change & into &
    change > into >
    change < into &lt;
    change ' into \'
    change " into \"

    You should also test to see what the data is, if you are expecting an int between 0 - 12, test to see if it is between those values.

    This will prevent all possible XSS and SQL injection attack


    Second of all, and data that deternimes the state of the user (eg account numnbers, are they login in etc, etc) should never be client side, ie it should be help in an application variable on the server


    Well that is a very basic view of what needs to be done, the best place for more info has to be www.owasp.org have a look.

    Like I said this only the start, to write how to do it completely would take about a week. So there is more to web application than I have writen down

    I hope this helps

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    and dont use hidden form values or cookies to pass prices to a checkout. although this has nothing to do with your question i didn't see it mentioned and it would be nice to get the full amount when you do get paid.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •