Posted by Peter Fox on 11/03/05 17:42
Following on from 's message. . .
>rjames.clarke@gmail.com wrote:
>> I am developing an online application and the last thing I need to get
>> a handle on is security.
>
>Not that I'm an expert, but you have this backwards. Security should be
>the FIRST, not last, thing you think about.
>
OK so "If I was you I wouldn't start from here!" is the correct answer
but not all that helpful.
Get the following security issues clear:
- Threat
- Protection
- Detection
- Damage limitation
for all the system components:
- Physical environment
- OS
- Apache(etc)
- PHP
- SQL - general
- mySql - particular
- other tools
Nobody (except perhaps GLB) knows all the answers. Each component has
spawned many books, articles, much mis-information and confusion.
As far as PHP and mySql are concerned you are looking at the right sort
of thing but need to review how a click on a submit gets to a database
update in the light of common attack modes for SQL and all the possible
ways you can think of subverting your program logic (obviously
userid=44 is an open invitation to try userid=45). When you've done it
get somebody else to review it. Your list of items is step 1 out of 5.
You can keep your data on the same machine as the scripts. You need to
understand your OS and Apache security configuration. For many
situations this is simple enough.
Beware when sharing a host.
As I understand it, the really really difficult bit is keeping the
access password to the database secure. There are some articles on the
web about that issue and when you understand those you should have
covered a lot of muddy ground.
--
PETER FOX Not the same since the borehole business dried up
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
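To make the "click on a submit gets to a database update" review concrete, here is an added example (not from the original post) in PHP with PDO: the first handler builds the UPDATE from the request and trusts the submitted userid, so the userid=44 to userid=45 substitution silently changes another account; the second binds its parameters and takes the identity from the server-side session. The users table, its columns and the session layout are assumptions.

```php
<?php
// Added example: one form submission reaching an UPDATE, the weak way and the reviewed way.
// Assumed schema: users(id INTEGER PRIMARY KEY, email TEXT). $pdo is an open PDO connection.

// WEAK: the SQL text is assembled from client data and the submitted userid is believed.
// A user who is 44 can post userid=45; a crafted email value can change the statement itself.
function updateEmailWeak(PDO $pdo, array $post): int
{
    $sql = "UPDATE users SET email = '" . $post['email'] . "' WHERE id = " . $post['userid'];
    return $pdo->exec($sql);   // affected rows; the query wording came from the browser
}

// REVIEWED: identity from the session, input validated, value bound rather than concatenated.
function updateEmailReviewed(PDO $pdo, array $session, array $post): int
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not authenticated');   // no identity, no update
    }
    // Reject bad input outright instead of trying to "clean" it.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // Prepared statement: the driver keeps data and SQL apart, so a value cannot alter the query.
    // The row is chosen by the session's user id, so a forged userid field is simply ignored.
    $stmt = $pdo->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => (int) $session['user_id']]);
    return $stmt->rowCount();
}

// Self-contained demonstration against an in-memory SQLite database (constructed sample rows).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (44, 'alice@example.com'), (45, 'bob@example.com')");

// Logged in as user 44, but the form field was edited to say userid=45.
$session = ['user_id' => 44];
$post    = ['userid' => '45', 'email' => 'new@example.com'];

updateEmailWeak($pdo, $post);                 // overwrites user 45's address: the userid=45 problem
updateEmailReviewed($pdo, $session, $post);   // can only ever touch user 44's own row
foreach ($pdo->query('SELECT id, email FROM users ORDER BY id') as $row) {
    echo $row['id'], ' ', $row['email'], PHP_EOL;   // shows 45 was changed by the weak handler only
}
```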