WebmasterWorld
Website Technology Issues Forum

Security Audit
Recommendations for auditing a web app
Wittner
msg:4059732
10:40 am on Jan 13, 2010 (gmt 0)

Hi,

I'm approaching Alpha stage with a web app and since it will hold personally sensitive data (not credit card info) I want to gain the trust of users by having some sort of 'seal of approval' from a reputable agency. The data will of course be encrypted and I will have used best-practice in terms of the coding, but I would like to have that independently verified.

What companies would anyone here recommend for an audit such as this? PwC and KPMG would be an option but I'm not sure what sort of figures we're talking about for an audit - any ideas anyone? Also, would an 'off the shelf' option such as McAfee be of any real security benefit?

Among potential customers will be banks so I imagine we're talking about something which would please that level of client.

Any thoughts or suggestions welcome,

thanks,

Wittner

lammert
msg:4060272
11:39 pm on Jan 13, 2010 (gmt 0)

"The data will of course be encrypted"

How would you do this without having the key on the server? A breach of the server will not only give the encrypted data but also the key. Encryption of data on a web-server gives no extra layer of security, unless it is asymmetric encryption where you need a second key for the decryption phase and where that key is not stored on the web-server. But that is only useful if you don't need to use the data on the web-server, and in that case there is no need to save the data at all.
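
An added example, not from this thread or any of its posters, of the two designs lammert contrasts above: an AES key stored on the web server next to the data, versus asymmetric "write-only" storage where the server holds only an RSA public key and each record is sealed with a fresh AES-GCM data key that is wrapped to that public key. It uses only the Go standard library; the Record layout, the OAEP label, and the NewKey and Breach helpers are this example's own constructions, and the sample record is made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is all the web server stores per item; nothing in it opens without the off-server private key.
type Record struct {
	WrappedKey, Nonce, Ciphertext []byte
}

var oaepLabel = []byte("record-data-key") // hypothetical label chosen for this example

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: nothing sensible left to do
	}
	return b
}

// NewKey makes an RSA pair; in a real deployment this runs off the web server and only the public half is copied onto it.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SealWriteOnly runs on the web server with only the public key: a fresh
// AES-256 key per record, wrapped with RSA-OAEP, never stored in the clear.
func SealWriteOnly(pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	dataKey := randomBytes(32)
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return &Record{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenWriteOnly runs wherever the private key lives, never on the web server; any other RSA key fails the unwrap.
func OpenWriteOnly(priv *rsa.PrivateKey, rec *Record) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// Breach models an intruder who has copied the whole web server. offSite is the real
// pair (private half never on the server); attacker is a pair the intruder made themselves.
func Breach(plaintext []byte, offSite, attacker *rsa.PrivateKey) (symmetricLeaks, wrongKeyFails, rightKeyOpens bool, err error) {
	// Design A (lammert's warning): the AES key is kept on the server beside the data.
	serverKey := randomBytes(32)
	gcm, _ := newGCM(serverKey) // 32-byte key: cannot fail
	nonce := randomBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	leaked, openErr := gcm.Open(nil, nonce, ct, nil) // the intruder copied serverKey too
	symmetricLeaks = openErr == nil && string(leaked) == string(plaintext)
	// Design B: only the public key was ever on the server.
	rec, err := SealWriteOnly(&offSite.PublicKey, plaintext)
	if err != nil {
		return
	}
	_, openErr = OpenWriteOnly(attacker, rec)
	wrongKeyFails = openErr != nil
	got, openErr := OpenWriteOnly(offSite, rec)
	rightKeyOpens = openErr == nil && string(got) == string(plaintext)
	return
}

func main() {
	leaks, fails, opens, err := Breach([]byte("constructed record: Jane Doe, DOB 1970-01-01"), NewKey(), NewKey())
	fmt.Println("key on server leaks:", leaks, "| wrong private key fails:", fails, "| right key opens:", opens, "| err:", err)
}
```

Run with `go run`: the first result is the breach lammert describes (key and ciphertext taken from the same box), the second shows the asymmetric layout surviving the same copy of the server, and the third that the holder of the off-server private key can still read the record. The caveat is the one lammert makes: this only fits data the web server never needs to read back itself; the moment the application has to decrypt on the server, the private key is back on the server and you are in design A again.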

Wittner
msg:4060528
10:15 am on Jan 14, 2010 (gmt 0)

Thanks Lammert. I'm aware of that. What I really want is not to get into a discussion on security per se - really, I want to know if anyone has recommendations for a security audit as in my post.

thanks,

Wittner

lammert
msg:4060583
12:47 pm on Jan 14, 2010 (gmt 0)

You could see my comment as an example of what a security auditor might look for. In the end it is not the seal which counts but the real security of the data on your machine.

The best way to go forward is to read the PCI Compliance Guide and see which compliance level your application should meet. This depends on the type of application and the type of data which is accepted and stored in the application.

The next step is to implement all the requirements of that level.

The third step is to ask one of the Approved PCI Compliance Vendors who will test your configuration. There is a list available on the Internet of these approved test bodies which can be easily found with a search engine.

Wittner
msg:4060610
1:50 pm on Jan 14, 2010 (gmt 0)

Thanks Lammert,

PCI compliance guidelines are something I'm using but I just didn't want the thread to turn into a load of people telling me how to look after my security and miss the main point. I hope it is understood that no bad feeling was intended. Thanks for the heads-up about the possibility of a PCI vendor test - I didn't think about that and I'll certainly check it out.

cheers,

Wittner

Wittner
msg:4060612
1:51 pm on Jan 14, 2010 (gmt 0)

btw, are those tests usually automatic, as in, without manual human intervention?

lammert
msg:4060621
2:18 pm on Jan 14, 2010 (gmt 0)

Most PCI tests are a combination of a questionnaire which you have to complete, with a periodic automatic scan of your server/application for vulnerabilities from the outside world. On-site assessments are most of the time only for high-volume payment processors.

Wittner
msg:4060715
4:08 pm on Jan 14, 2010 (gmt 0)

PCI is also very credit-card oriented. My system won't be storing CC data so I'm not sure how relevant a PCI audit will be.

cheers,

Wittner

lammert
msg:4060734
4:23 pm on Jan 14, 2010 (gmt 0)

Your potential customers are banks and PCI compliance is something they know. Maybe it won't fit your application entirely, but it fits in their world.

Wittner
msg:4060765
4:46 pm on Jan 14, 2010 (gmt 0)

Yep. I hear that.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved