Web Business Security

[listener]

If I were to set up a Web business site with payment provisions, what kind of security would I need to protect against potential hacker disruptions of my business, like an online enemy trying to prevent payments being sent to my account, if that's possible?

[SoggyBottom]

1. Install a Hardware Firewall in front of your Webserver. (ie. SmoothWall, IPTables/IPChains, Checkpoint...) Ensure that it is properly configured.

2. Secure and Harden the OS of your Webserver (ie. Windoze, *nix...)

3. Apply latest Security Patches to the type of WebServer you choose to use (ie. IIS, Apache...)

4. You also may want to provide your customers a secure connection (SSL) for their purchases (ie. When credit Card details etc.. are sent).

5. It also might be an idea not to store customer details on the webserver itself. It should all be stored on a back-end server, preferably, with another FW sitting in-between the back-end server and the webserver.

This would then be as "tight as a fishes arse" from a security perspective....

Good luck!!

[englishgirl1]

I did this a few months ago and one of the things I found invaluable was to get in touch with whomever is your countries equivalent of the Association for Payment and Clearing Service (ours is at http://www.apacs.org.uk/ ) to find out the current trends in card no present fraud and also to find out what various online payment services are doing about them.

http://www.ftc.gov/ is also helpful.

Also, it's worth auditing your internal processed (as Soggybottom mentioned) to make sure you are minimising opportunities for errors and internal fraud.

Dumb things people often do without realising it:

(1) Sending credit card details in full as part of the receipt sent to the customer
(2) Storing cc details unencrypted on customer databases (which may or may not be secure
(3) Revealing all fields as a default within a database (so instead of just seeing either financial or personal data, you can see everything).
(4) Holding data for too long.

[SittingDuck]

Ok what has been said so far is true, BUT you have both missed the security porblems of the web application it's self.

You will need to secure the web app by a number of measure. The first is input validation on ALL info that is sent to the server. This also has to be done on the server, and not client side (eg in javascript)

What should be filter should be done in this order.

change ; into \;
change & into &
change > into >
change < into &lt;
change ' into \'
change " into \"

You should also test to see what the data is, if you are expecting an int between 0 - 12, test to see if it is between those values.

This will prevent all possible XSS and SQL injection attack


Second of all, and data that deternimes the state of the user (eg account numnbers, are they login in etc, etc) should never be client side, ie it should be help in an application variable on the server


Well that is a very basic view of what needs to be done, the best place for more info has to be www.owasp.org have a look.

Like I said this only the start, to write how to do it completely would take about a week. So there is more to web application than I have writen down

I hope this helps

SittingDuck

[Juridian]

Basic tutorial - http://www.antionline.com/showthread...hreadid=218034

[Tedob1]

and dont use hidden form values or cookies to pass prices to a checkout. although this has nothing to do with your question i didn't see it mentioned and it would be nice to get the full amount when you do get paid.