February 17th, 2003, 01:22 AM
Web Business Security
If I were to set up a Web business site with payment provisions, what kind of security would I need to protect against potential hacker disruptions of my business, like an online enemy trying to prevent payments being sent to my account, if that's possible?
February 17th, 2003, 01:45 AM
1. Install a Hardware Firewall in front of your Webserver (i.e. SmoothWall, IPTables/IPChains, Checkpoint...). Ensure that it is properly configured.
2. Secure and Harden the OS of your Webserver (i.e. Windoze, *nix...).
3. Apply the latest Security Patches to the type of WebServer you choose to use (i.e. IIS, Apache...).
4. You also may want to provide your customers a secure connection (SSL) for their purchases (i.e. when credit card details etc. are sent).
5. It also might be an idea not to store customer details on the webserver itself. It should all be stored on a back-end server, preferably with another FW sitting in between the back-end server and the webserver.
This would then be as "tight as a fishes arse" from a security perspective....
"There were so many fewer questions when the stars were still just the holes to heaven" - JJ
"I sure could use a vacation from this bull$hit, three ringed circus side show of freaks." - Tool.
February 17th, 2003, 10:12 AM
Setting up online payments
I did this a few months ago and one of the things I found invaluable was to get in touch with whoever is your country's equivalent of the Association for Payment and Clearing Services (ours is at http://www.apacs.org.uk/ ) to find out the current trends in card-not-present fraud and also to find out what various online payment services are doing about them.
http://www.ftc.gov/ is also helpful.
Also, it's worth auditing your internal processes (as Soggybottom mentioned) to make sure you are minimising opportunities for errors and internal fraud.
Dumb things people often do without realising it:
(1) Sending credit card details in full as part of the receipt sent to the customer
(2) Storing cc details unencrypted on customer databases (which may or may not be secure).
(3) Revealing all fields as a default within a database (so instead of just seeing either financial or personal data, you can see everything).
(4) Holding data for too long.
668 - the neighbor of the beast
February 17th, 2003, 10:54 AM
Ok, what has been said so far is true, BUT you have both missed the security problems of the web application itself.
Filtering should be done in this order:
change ; into \;
change & into &amp;
change > into &gt;
change < into &lt;
change ' into \'
change " into \"
You should also test to see what the data is, if you are expecting an int between 0 - 12, test to see if it is between those values.
This will prevent all possible XSS and SQL injection attacks.
Second of all, any data that determines the state of the user (e.g. account numbers, whether they are logged in, etc.) should never be client side, i.e. it should be held in an application variable on the server.
Well, that is a very basic view of what needs to be done; the best place for more info has to be www.owasp.org, have a look.
Like I said, this is only the start; to write how to do it completely would take about a week. So there is more to web applications than I have written down.
I hope this helps.
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
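The ordered replacements and the "is it an int between 0 and 12" check from the post above, as an added example in Python (not the poster's code; the function names and the sample inputs are mine):

```python
import re

# Ordered replacements as listed in the post. '&' is handled before '<' and
# '>' so that the entities those later rules emit are not encoded a second time.
ESCAPE_RULES = [
    (";", "\\;"),
    ("&", "&amp;"),
    (">", "&gt;"),
    ("<", "&lt;"),
    ("'", "\\'"),
    ('"', '\\"'),
]


def escape_untrusted(value, rules=ESCAPE_RULES):
    """Apply each (raw, replacement) rule in sequence to untrusted text."""
    for raw, replacement in rules:
        value = value.replace(raw, replacement)
    return value


def parse_bounded_int(raw, lo=0, hi=12):
    """Accept only an ASCII-digit string whose value lies in [lo, hi].

    Anything else (sign, spaces, letters, trailing SQL fragments) is rejected
    outright rather than escaped, because the field is never meant to carry text.
    """
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        raise ValueError(f"not a plain integer: {raw!r}")
    n = int(raw)
    if not lo <= n <= hi:
        raise ValueError(f"out of range {lo}-{hi}: {n}")
    return n


def in_expected_range(raw, lo=0, hi=12):
    """True if raw passes parse_bounded_int, False otherwise."""
    try:
        parse_bounded_int(raw, lo, hi)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs of the kind a customer-facing form might receive.
    print(escape_untrusted('<script>alert("x")</script>'))
    # Same rules with '&' run last: '<' becomes '&amp;lt;' (double-encoded).
    print(escape_untrusted("<", [("<", "&lt;"), ("&", "&amp;")]))
    print(in_expected_range("7"), in_expected_range("13"), in_expected_range("7 OR 1=1"))
```

The range check is the stronger of the two controls for a numeric field: a value accepted only as an integer between 0 and 12 never reaches the page or the query as text at all.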
February 17th, 2003, 03:26 PM
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
February 17th, 2003, 04:01 PM
And don't use hidden form values or cookies to pass prices to a checkout. Although this has nothing to do with your question, I didn't see it mentioned, and it would be nice to get the full amount when you do get paid.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”