telmiger
Posts: 61
Posted: 07/07/2008, 6:15 AM
I created an application for my company and I am hosting it on a Yahoo server. PHP/MySQL
I was asked to give a risk assessment on how secure the data is going to be. I use the CCS login functions and protect all pages with the session IDs.
I am not a hacker and not sure how secure sessions really are.
Does anybody have any input or know of resources I could use for making a risk assessment?
Are there any programs that I could use to test the security and indicate any vulnerabilities?
Tony

ckroon
Posts: 869
Posted: 07/07/2008, 10:16 PM
This is a great question. I would love to hear what a pro has to say about this.
This thread on another forum was pretty insightful...
http://www.velocityreviews.com/forums/t90777-how-secure...-variables.html
Personally I don't go anywhere without an SSL certificate on the site.
That, along with restricted pages and some code that boots people off who play with the URL, is about as secure as I need to be.
_________________
Walter Kempees...you are dearly missed.

Oper
Posts: 1195
Posted: 07/08/2008, 5:54 AM
Session variables are very secure.
For the built-in security in CCS, just 6 pieces of advice:
1) Use encrypted passwords in the database
2) Do not ever use hidden fields for sensitive data
3) Use a limit on failed login tries (or CAPTCHA) to avoid hammering
4) If you are going to use SSN or credit card data, use SSL
5) Important: if you are not using IIS7 or anything that protects the query string, control your URL variables at least with a size limit to avoid injection.
6) And last, try to control what password the user chooses: numbers, letters, symbols, length
_________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)
http://www.PremiumWebTemplate.com
Affiliation Web Site Templates
Please do backup first
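
Oper's points 1, 3, 5 and 6 sketched in PHP, as an added example that is not part of the thread and not CCS's own code. It stores a salted hash via password_hash() rather than reversible encryption; the limits, the allowed-character pattern and the in-memory $fails array are assumptions.

```php
<?php
// Added example, not from the thread. Limits below are assumed values.
const MAX_FAILS = 5;       // failed logins tolerated per window
const WINDOW_SECS = 900;   // 15-minute window
const MAX_PARAM_LEN = 32;  // upper bound for one URL variable

// Point 6: enforce length plus letters, numbers and symbols.
function password_ok(string $pw): bool {
    return strlen($pw) >= 12
        && preg_match('/[A-Za-z]/', $pw) === 1
        && preg_match('/[0-9]/', $pw) === 1
        && preg_match('/[^A-Za-z0-9]/', $pw) === 1;
}

// Point 5: drop oversized or unexpected URL variables before they are used.
function clean_param(?string $v): ?string {
    if ($v === null || strlen($v) > MAX_PARAM_LEN) return null;
    return preg_match('/^[A-Za-z0-9_-]+$/D', $v) === 1 ? $v : null;
}

// Point 3: lock out after MAX_FAILS recent failures ($fails stands in for a DB table).
function is_locked(array $fails, string $user, int $now): bool {
    $recent = array_filter($fails[$user] ?? [], fn($t) => $t > $now - WINDOW_SECS);
    return count($recent) >= MAX_FAILS;
}

// Points 1 and 3: compare against the stored hash and record every failure.
function try_login(array $users, array &$fails, string $user, string $pw, int $now): string {
    if (is_locked($fails, $user, $now)) return 'locked';
    if (isset($users[$user]) && password_verify($pw, $users[$user])) {
        unset($fails[$user]);
        // In the web application, call session_regenerate_id(true) here.
        return 'ok';
    }
    $fails[$user][] = $now;
    return 'denied';
}

// Constructed sample data: one account, five wrong guesses, then the right password.
$users = ['tony' => password_hash('Corr3ct-Horse-Battery', PASSWORD_DEFAULT)];
$fails = [];
$now = time();
foreach (['a', 'b', 'c', 'd', 'e', 'Corr3ct-Horse-Battery'] as $guess) {
    echo try_login($users, $fails, 'tony', $guess, $now), "\n";
}
var_dump(password_ok('abc123'), clean_param('42'), clean_param("1' OR '1'='1"));
```

The sixth attempt uses the correct password but arrives after the lockout threshold, so the throttle applies regardless of what is submitted. A length cap on URL variables narrows input but does not replace parameterized SQL queries.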

datadoit
Posted: 07/09/2008, 8:18 AM
I'd personally avoid using shared hosting services for sensitive data.
It would fail security requirements by most ISO standards.
Look at dedicated hosting plans, or leased rack space.

JimmyCrackedCorn
Posts: 583
Posted: 07/09/2008, 3:19 PM
Quote datadoit:
I'd personally avoid using shared hosting services for sensitive data.
It would fail security requirements by most ISO standards.
Look at dedicated hosting plans, or leased rack space.
Can you elaborate on that? I readily agree that having your own server under your own roof could potentially be more secure (IF you implemented all of the security processes that most professional hosting companies do) but I'm not clear as to why shared hosting would be significantly less secure than dedicated when both are in the same physical location.
_________________
Walter Kempees...you are dearly missed.

datadoit
Posted: 07/09/2008, 4:15 PM
Shared as in your stuff on the same physical piece of hardware as a
hundred other customers.
Dedicated as in your own leased server.

JimmyCrackedCorn
Posts: 583
Posted: 07/09/2008, 11:07 PM
I understand the difference between shared and dedicated! 
I was curious whether you could make the case as to why security is improved with dedicated vs. shared. In either scenario, the employees of the hosting company have complete access to all the files on all the servers. So that is not a factor.
And, as a shared account user, having access to one account on a shared server does not give me any access to the other accounts.
If a hacker gained access to one account on a shared server he would not automatically have any access to the other accounts there either. And if I had such advanced hacking skills to be able to jump the barriers between accounts on a shared server, chances are I have the skills to compromise all of the dedicated servers in that facility as well!
If I'm missing something please enlighten me! Many of our customers use shared accounts and many use dedicated but usually the only reason they choose dedicated is to improve performance. If shared hosting compromises security in any way I'd really like to understand more about this.
_________________
Walter Kempees...you are dearly missed.

datadoit
Posted: 07/10/2008, 6:59 AM
Go and Google your own debate on shared versus dedicated hosting
security. :)
My point is that shared hosting tosses red flags in ISO compliance
standards. Even in SAS and HIPAA standards.

JimmyCrackedCorn
Posts: 583
Posted: 07/10/2008, 11:34 AM
Quote datadoit:
Go and Google your own debate on shared versus dedicated hosting
security. :)
My point is that shared hosting tosses red flags in ISO compliance
standards. Even in SAS and HIPAA standards.
No debate...I just asked you to back up your claim!
I've already done plenty of investigation in the past and concluded there is no significant security improvement with dedicated vs. shared when both are located in the same facility. But when someone makes a claim like you did I am open to hearing their case (if they have one!)
_________________
Walter Kempees...you are dearly missed.

JimmyCrackedCorn
Posts: 583
Posted: 07/10/2008, 5:24 PM
datadoit, I respect your opinion and I don't mean to belabor the point but I sent the following question to one of the major US hosting companies we currently use for both dedicated and shared hosting and below is their response:
Q- Is dedicated hosting more secure than shared hosting? If so, what makes this so?
A- Dedicated hosting is not any more secure than shared hosting.
I also went to the ISO site and could not find a published standard that claims dedicated hosting is more secure than shared hosting (doesn't mean there isn't one...just that I could not find one!)
And one personal observation about ISO certification. In a previous life I worked for Motorola and went through the ISO certification process several times for a variety of telecom products (way before the web!) The one take-away I recall from all that is ISO will certify that you follow a documented procedure and not necessarily that your procedure is the best or even a good one! I remember the ISO inspector joking about the fact that it is possible to have poor quality with a well-documented procedure and get ISO certified. It may be different nowadays as that has been almost 20 years ago.
_________________
Walter Kempees...you are dearly missed.

Stanj
Posts: 166
Posted: 07/10/2008, 6:18 PM
Dedicated or VPS can be locked down to prevent running scripts and modules that are not required in your application. A shared host has to be far more open to run the variety of scripts that any user might want to run. Sharing a database server is a risk, there are too many ways to access dbs other than your own. The host that claims that their dedicated boxes are not any more secure than their shared accounts is one to avoid. You control your level of security on a Dedicated box, it CAN be less secure, but you have the option to make it solid, an option you have no control over in a shared environment.
The most secure shared hosts are those which have no db access or scripting interpreters installed but that would be an impractical product in today's db driven web site world.
One well known host which I tried out allowed me to move up the directory tree on ftp to see everyone's files. My trial account was cancelled immediately. I have a pretty optimized VPS for all my db driven sites and scripts and a reseller account on a shared host for static HTML sites. Not only did the critical web applications become more secure after moving those to the VPS but also gained a tremendous improvement in performance. Reports that were timing out at 60 seconds on the shared box were suddenly blazingly fast after moving the web apps to the VPS.
If a script and db are vital to your business, there is no excuse for being on a shared host in terms of security options (an unoptimized dedicated box can be just as unsecure as a shared host, the difference is having the option to lock it down correctly) and performance. With the prices of VPS's now in the price range ($20) of low cost shared accounts there really is no excuse for having a business site on a shared box.
_________________
Stan
St Petersburg Russia

JimmyCrackedCorn
Posts: 583
Posted: 07/11/2008, 3:05 AM
I agree completely regarding the performance improvement.
And I see your point about locking down the box...the more restricted the box the more secure it is. In fact, disconnecting it from the internet (and AC) entirely would be most secure! But of course then it would be useless. So we are looking for an acceptable compromise between totally secure/unusable and unsecure/accessible.
For my purposes, a shared account on a high-quality host who implements tight security is secure enough. Like life, it is all about risk vs gain!
_________________
Walter Kempees...you are dearly missed.