
web technologies + security concerns

  • 14-08-2008 12:21pm
    #1
    Registered Users Posts: 648 ✭✭✭


    hi,

    I'm in the feasibility study period for a big website - it would involve tens of thousands of users from schools and universities - the unis would have lots of sensitive info (not credit card info), just purchasing stats etc etc

    - what are the security concerns i need to address here - and what are the tech solutions ? https authentication, ssl cert


    - is php+mysql the best solution considering there would be tables with several million records over time
    what are the big sites running ? anyone ever come across some articles discussing building websites for large user bases ?

    tnx


Comments

  • Registered Users Posts: 7,739 ✭✭✭mneylon


    How many concurrent users?

    You'll probably need to google articles related to scaling :)


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    i have built large multi-lingual sites which get 1000's of hits a day.. my weapons of choice are asp.net, CSS & XML front ends with a sql back end database.. most of these sites are hosted on our own servers.. which is an advantage.. an ssl connection is vital if the information is sensitive.. as for scaling we never have any problems as all of the above are very robust and can handle large amounts of data with ease.. hope this helps.. would you be doing all the work yourself or are you planning to outsource some of it.. reason i'm asking is it sounds like a lot of work for one person..


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Stab*City wrote: »
    as for scaling we never have any problems as all of the above are very robust and can handle large amounts of data with ease..

    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks


  • Registered Users Posts: 2,793 ✭✭✭oeb


    As blacknight says scaling is one of the main issues. Any site of that size is likely going to need to run on multiple servers.

    With regard to security, there are a number of places a website can be attacked.

    Through your code
    This is typically down to security holes you do not close properly (SQL injection, session hijacking, forgetting to check if a person is logged in, not hashing passwords etc). This can be avoided by getting someone who knows what they are doing to write the system, and by following it up with penetration testing. There are companies who specialise in this.

    Through your platform
    This is down to things such as holes that may be discovered in the technologies you are using. For example, a bug may appear in your database software, or due to an unpatched security hole in your operating system. This can be rectified by either keeping all your systems up to date with the latest security patches, or by paying someone else to do it. Most hosting providers offer some form of managed hosting that includes security updates. I'm sure if you speak to them directly they will be happy to advise you. Once again there are companies who specialise in auditing and testing this, just make sure you check with your hosting provider before he assumes it's under attack by actual hackers =)

    Through your users
    This relates to things like unsafe password management (For example a school official having his name or the name of his school as the password, or an official who keeps his password written on a sticky note attached to his monitor). This also covers attacks at the users side (Trojans, keyloggers etc). TBH, there is not a whole lot that can be done with this. You can force people to use longer passwords with letters+numbers, you can force users to change their passwords on a regular basis and you can also do things like monitor logins (What IP they come from etc) and flagging them for your attention. That fleshy thing in front of the keyboard is often the weakest link in any well written system. About all you can do here is educate and cover yourself in your terms and conditions.

    Through the communication
    This relates to information that may be 'Sniffed' between your user and your server. This can be done by packet monitoring. There are plenty of ways to help protect you against this. For example SSL is a quick and easy method, and there are several code related methods too (For example Challenge-Response Authentication).


    Other precautions can of course be taken (For example encrypting the information in the databases, requiring a second (different) password to access sensitive information etc). It might be worth noting that a lot of things that will increase the security of your application are likely to make your software more hardware dependent.

    For example, a LAMP server serving out web pages pulling the info from the database will be able to support more concurrent users than one that also has to pass that database info through mcrypt, or even one that is serving all the pages through SSL!

    Hope this was of some help, let me know if you have any questions.
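    The "through your code" items in the post above (SQL injection, hashing passwords, checking that someone is logged in) are easy to show side by side. The following is an added example written for this thread, not code from oeb or from any project mentioned; it uses Python with an in-memory sqlite3 table as a stand-in for the MySQL user table the OP is planning, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed stand-in for the site's MySQL user table; sqlite3 is used
    # so the example runs offline with no database server.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt, iterations=200_000):
    # Salted, iterated hash: if the table leaks, the passwords do not leak
    # with it, which is the "not hashing passwords" hole in the post.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def find_user_unsafe(conn, username):
    # The SQL injection hole: user input spliced straight into the SQL text,
    # so a crafted username changes the meaning of the query. Kept here only
    # for contrast with find_user() below.
    return conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    ).fetchone()


def find_user(conn, username):
    # Parameterised query: the driver passes the value separately from the
    # SQL, so it can only ever be compared as data.
    return conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def login(conn, session, username, password):
    row = find_user(conn, username)
    if row is None:
        return False
    _, salt, stored = row
    # Constant-time comparison so a wrong guess does not leak timing.
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return False
    session["user"] = username
    return True


def require_login(session):
    # The "forgetting to check if a person is logged in" case: every page
    # that shows sensitive data calls this first.
    if "user" not in session:
        raise PermissionError("login required")
    return session["user"]


def sensitive_report(conn, session):
    user = require_login(session)
    return f"purchasing stats for {user}"


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse")   # constructed sample account
    sess = {}
    print(login(db, sess, "alice", "correct horse"))  # True
    print(sensitive_report(db, sess))
```

The same three habits carry over directly to PHP and MySQL (prepared statements instead of string-built queries, a salted iterated hash instead of plain or MD5 passwords, and a login check at the top of every restricted page); only the library calls differ.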


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    blacknight wrote: »
    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks

    i think by choosing these technologies as opposed to php & mysql you would negate a lot of issues.. obviously the software alone can't solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasn't telling anybody that my way is best i was just telling what i use in hope that it may help the OP.. all the technologies i mentioned are v v scalable..


  • Registered Users Posts: 2,793 ✭✭✭oeb


    Stab*City wrote: »
    i think by choosing these technologies as opposed to php & mysql you would negate a lot of issues.. obviously the software alone can't solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasn't telling anybody that my way is best i was just telling what i use in hope that it may help the OP..

    These days a LAMP server is more than capable of managing huge amounts of traffic, and is generally cheaper to run too. I have many sites with thousands and thousands of uniques per day running from LAMP, and I have plenty of high traffic high intensity web applications running on the same.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Stab*City wrote: »
    i think by choosing these technologies as opposed to php & mysql you would negate a lot of issues.. obviously the software alone can't solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasn't telling anybody that my way is best i was just telling what i use in hope that it may help the OP.. all the technologies i mentioned are v v scalable..

    I'm sorry, but that's absolute rubbish.

    Php + MySQL (and other OSS technologies) power some of the biggest sites and services online.

    M$ technologies might market themselves as coming with all sorts of extra "bling", but the reality is that the technology itself isn't the key deciding factor. The quality of the code and deployment is.

    Now you may feel comfortable using M$ technology and that is fine, but bluntly stating that they will scale and scale better than a LAMP solution is just not realistic

    if you want to go down the entire proprietary vs OSS route and had talked about Oracle, then maybe ...


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    These days a LAMP server is more than capable of managing huge amounts of traffic, and is generally cheaper to run too. I have many sites with thousands and thousands of uniques per day running from LAMP, and I have plenty of high traffic high intensity web applications running on the same.

    Likewise.


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    blacknight wrote: »
    I'm sorry, but that's absolute rubbish.

    Php + MySQL (and other OSS technologies) power some of the biggest sites and services online.

    as does the tools i mentioned

    blacknight wrote: »
    M$ technologies might market themselves as coming with all sorts of extra "bling", but the reality is that the technology itself isn't the key deciding factor. The quality of the code and deployment is.

    exactly.. the marketing over at MS had very little to do with my selection.. the .net class libraries in my book are far superior to php functions even with additional libraries tacked on.. plus they are much more organised.. the .net framework was built to handle many forms of code.. the web forms system built into .net has nothing in php to rival it.. then lets not forget ado.net as well for that solid database connection.. but you're right its all about the code.. with good code it is half the hassle of php to get a good front end built on.. also .net is much faster.. all .net apps are compiled as opposed to php which need to be interpreted .. to achieve the same speed using php additional software must be running on the server again adding to running costs..

    blacknight wrote: »
    Now you may feel comfortable using M$ technology and that is fine, but bluntly stating that they will scale and scale better than a LAMP solution is just not realistic

    php is just a scripting language as opposed to .net which uses object orientated languages which give more control and usability..


  • Closed Accounts Posts: 35 dkell


    Here's a list of readings on Web Scalability - some interesting stuff...


  • Registered Users Posts: 2,793 ✭✭✭oeb


    Stab*City wrote: »
    as does the tools i mentioned

    exactly.. the marketing over at MS had very little to do with my selection.. the .net class libraries in my book are far superior to php functions even with additional libraries tacked on.. plus they are much more organised.. the .net framework was built to handle many forms of code.. the web forms system built into .net has nothing in php to rival it.. then lets not forget ado.net as well for that solid database connection.. but you're right its all about the code.. with good code it is half the hassle of php to get a good front end built on.. also .net is much faster.. all .net apps are compiled as opposed to php which need to be interpreted .. to achieve the same speed using php additional software must be running on the server again adding to running costs..

    php is just a scripting language as opposed to .net which uses object orientated languages which give more control and usability..


    Christ man, at least research what you are talking about.

    Both systems are comparable speedwise and capability wise. Development platform is pretty much only dependent on personal preference. Both platforms are proven in very very large scale applications, both have minor advantages and disadvantages over each other. The OP did not ask for a language war, he asked for advice on security.

    For the record, read up on things like Zend, Cake, Pear, PHP 5 (And the upcoming 5.3).

    And here was me always under the impression that the comparable thing to an ASP 'web form' was any PHP page.

    And sure, to speed up PHP you might require additional software, this does not change the facts relating to the difference in footprint and software costing to set up the platform in the first place.

    Let's just leave it with the fact that all platforms, whether you want to go with Java, ColdFusion, .NET or PHP have been proven in the field. Base your decision on the skillset of your developers and what they are capable of doing in their language of choice. There is no good or bad platform, there is only good and bad developers.


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    Christ man, at least research what you are talking about.

    Both systems are comparable speedwise and capability wise. Development platform is pretty much only dependent on personal preference. Both platforms are proven in very very large scale applications, both have minor advantages and disadvantages over each other. The OP did not ask for a language war, he asked for advice on security.

    For the record, read up on things like Zend, Cake, Pear, PHP 5 (And the upcoming 5.3).

    And here was me always under the impression that the comparable thing to an ASP 'web form' was any PHP page.

    And sure, to speed up PHP you might require additional software, this does not change the facts relating to the difference in footprint and software costing to set up the platform in the first place.

    Let's just leave it with the fact that all platforms, whether you want to go with Java, ColdFusion, .NET or PHP have been proven in the field. Base your decision on the skillset of your developers and what they are capable of doing in their language of choice. There is no good or bad platform, there is only good and bad developers.

    how can a pre-compiled application be the same speed as a php app that needs to be interpreted at runtime?? for the record i have read plenty about these php extensions.. and i have researched all of what i have said.. and i have given reasons as to why i think what i do.. i have given reasons why i think .net is better.. i'm not trying to twist anyone's arm..


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    The OP did not ask for a language war, he asked for advice on security.
    so why add fuel to the fire.


  • Registered Users Posts: 2,413 ✭✭✭Stab*City


    is php+mysql the best solution considering there would be tables with several million records over time
    what are the big sites running ? anyone ever come across some articles discussing building websites for large user bases ? tnx

    oeb maybe if u actually read the OP..


  • Registered Users Posts: 2,919 ✭✭✭Bob the Builder


    blacknight wrote: »
    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks

    *cough* O2 Ireland *cough*

    Scaling, Performance/Speed and Downtime are the two biggest things in my inexperienced squeaky opinion.

    You want to access the information quickly, without errors, and downtime. You want to be able to expand easily without jeopardizing your existing structure. Customers/Users want to be able to have control, and yet not enough control to mess up the server.

    The Backend structures have to be consistent and easy to handle, especially when plugging programming languages in. Also, the bigger the situation on your hands, the more streamlined the database should be.

    For example, compare Google, with an ordinary small scale workplace where they collaborate. Google has a reputation for high performance, high control, large infrastructure, simple interface.

    Of course, I haven't a clue, but if I was doing it in the morning, that would be some of my primary concerns.


  • Registered Users Posts: 648 ✭✭✭ChicoMendez


    thanks lads -

    some very interesting discussions above - they have given me a good idea of the area to research

    thanks oeb - that was a good post on areas to address

    thanks dkell - good bedtime reading there

    tnx

