
Website security?

  • 14-01-2011 11:51pm
    #1
    Registered Users Posts: 37


    Hi Guys,

    Hoping to get some help on the topic of Website security.

    My mother recently had a website developed for a business. The website should have a large number of users signing up with lots of personal information.

    My question is what should she consider or in fact do about making sure this information is as secure as possible? i.e. not getting stolen, such as we saw with the Fine Gael website recently.

    The website is hosted by an Irish web hosting company, but my concern comes in the form of bad programming techniques used by the guy who made the site, XSS and SQL injection and these types of things.

    Anybody have any advice on this kind of thing?

    Thanks


Comments

  • Registered Users Posts: 757 ✭✭✭Jayuu


    There are plenty of security companies out there who could test your system for you. However it might be costly and they would most likely have to do it with the permission of your host company (as they would in effect be trying to hack through their firewalls).

    I think there are also some automatic tools that can scan sites and report on weaknesses but I have no direct experience with that so I can't comment on how much or little they can pick up.


  • Moderators, Technology & Internet Moderators Posts: 1,335 Mod ✭✭✭✭croo


    My question is what should she consider or in fact do about making sure this information is as secure as possible?
    If you hold personal data you must ensure you comply with the Data Protection Act.
    www.dataprotection.ie provides some information on your obligations - but they don't tell you how to achieve that required protection.

    They do point out:
    A minimum standard of security would include the following:

    * access to central IT servers to be restricted in a secure location to a limited number of staff with appropriate procedures for the accompaniment of any non-authorised staff or contractors;
    * access to any personal data within an organisation to be restricted to authorised staff on a ‘need-to-know’ basis in accordance with a defined policy;
    * access to computer systems should be password protected with other factors of authentication as appropriate to the sensitivity of the information;
    * information on computer screens and manual files to be kept hidden from callers to your offices;
    * back-up procedure in operation for computer held data, including off-site back-up;
    * all reasonable measures to be taken to ensure that staff are made aware of the organisation’s security measures, and comply with them;
    * all waste papers, printouts, etc. to be disposed of carefully;
    * a designated person should be responsible for security and for periodic reviews of the measures and practices in place.

    I know in the world of Open Source, Fortify provides free security analysis https://opensource.fortify.com/teamserver/welcome.fhtml - though for closed source I imagine it is very expensive.


  • Registered Users Posts: 37 acorkonian


    Thanks for the reply,

    I didn't think of that actually, security companies who specialise in this type of thing. Definitely maybe something worth looking into. Thanks!


  • Registered Users Posts: 37 acorkonian


    Thanks for the info croo,

    I was thinking this alright, that the data protection agency wouldn't be able to tell you exactly what needs to be done on the technical side of things, just some high level stuff you need to have in place.

    The main concern here is more on the website side as opposed to the server side. As I stated, the web hosting company should have their servers as secure as possible; I'm worried about the coding side. I think the website was developed using HTML and PHP, so I may look into having someone else take a look at the code for vulnerabilities, security holes etc.

    Thanks
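An added illustration (written for this thread, not code from the site being discussed) of the two coding problems named above, SQL injection and XSS, in a PHP sign-up form: the risky form of each beside the safe form a code reviewer would expect. The table and column names are assumed; the sample data is constructed.

```php
<?php
// Added example for this thread: the risky pattern beside the safe pattern
// for the two PHP coding issues raised (SQL injection, XSS).
// Table/column names (users, id, name, email) are assumed for illustration.

// --- SQL injection ---
// Risky: user input is pasted straight into the SQL text, so any quote
// character in the input changes the meaning of the query.
function findUserUnsafe(PDO $db, string $email): ?array {
    $sql = "SELECT id, name FROM users WHERE email = '$email'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Safe: a prepared statement sends the SQL and the data separately,
// so the input is only ever treated as a value, never as SQL.
function findUserSafe(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- XSS ---
// Risky: a stored value is echoed into HTML unescaped, so markup a user
// typed into their name is rendered by every visitor's browser.
function greetUnsafe(string $name): string {
    return "<p>Welcome, $name</p>";
}

// Safe: escape on output so the browser shows the value as plain text.
function greetSafe(string $name): string {
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demonstration on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('Bob', 'o''brien@example.com')");

$email = "o'brien@example.com";   // a perfectly legitimate address
var_dump(findUserSafe($db, $email));           // finds Bob
try {
    findUserUnsafe($db, $email);               // the apostrophe breaks the SQL
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}
echo greetSafe('<b>Bob</b>') . PHP_EOL;        // tags shown literally, not rendered
```

The same apostrophe that merely breaks the unsafe query here is what lets a deliberately crafted input rewrite it, which is why reviewers look for string-built SQL first.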


  • Registered Users Posts: 2,781 ✭✭✭amen


    Post the url and we could have a look and see if there is anything obvious.

    Of course your site should really be running https which will encrypt the data between the browser and server.

    "As I stated, the web hosting company should have their servers as secure as possible". I would never assume that. I always assume that someone in the hosting company can access the server so sensitive data should be encrypted in the database.

    If you have off site backups make sure they are secure and encrypted as well.


  • Closed Accounts Posts: 1 WeWatch


    I typically suggest that people develop websites using some standard website software such as Joomla or WordPress for most sites. For any e-commerce type site I would recommend something like osCommerce or Zen Cart.

    My reasoning is this. They have a large community of people contributing time and resources to check for security holes and a large resource of people to patch them as well.

    That way, the basic security step is to keep your software current and you're safer than many sites that were developed custom.

    That's just my opinion.


  • Registered Users Posts: 18 lyrad


    Hi All,
    Can anybody recommend any good security audit companies?
    Thanks.

