Security Basics mailing list archives
Re: How can I secure my site?
From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 03 May 2010 13:52:55 -0500
Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> writes:
> Hi. Thanks for the reply. I searched certificate authorities and found that their certificates are very expensive. For example, the lowest security level from Verisign is $500. How can I get cheaper certificates? My business is small and I can't afford such expensive certificates. Thanks for any help.
Verisign has always been... how can I put this politely... on the low end of the bang-for-the-buck scale. As an alternative, check with godaddy.com for some less expensive SSL offerings. But it also seems your host will sell you a cert for $50/year, which is also reasonable. There isn't much difference--for most intents and purposes--between that cert your host is offering and something from Veri$ign. While there are indeed varying levels of verification/trust in a given SSL cert, you can probably count on one hand the number of your customers who are even aware of the difference among them. So long as the cert chain is included with their browser such that your site doesn't generate any warnings to them when they visit, essentially no one cares.

But as this is a security list, let me be among the folks to make it crystal clear to you that SSL WILL NOT SECURE YOUR WEB SITE. The original poster who suggested SSL couched it correctly that it can help _improve_ your security posture, but as most people reading this hopefully know, SSL (which to most lay users means Super Shiny Locks!) will not secure your website.

Web security, unfortunately, is very hard to do. To secure your website, you have to do a ton of things right. Patching religiously is one part of it, and probably the easiest. Configuring components to best practices is another crucial part of it--don't leave default accounts or database engines wide open with default passwords. Writing code that is secure is another crucial part of it (and probably the hardest). Leveraging encryption (transport encryption/certs as well as encryption of sensitive data in the database) is another piece of the puzzle. Monitoring your logs, knowing what's normal and when you're under attack, and being able to respond to it is another. There's unfortunately lots more to worry about as well.
Picking PHP as your language of choice unfortunately is worrisome, because if there's one thing anyone who's done app testing knows, there seem to be an awful lot of ways to do PHP insecurely. Given your company's size, newness to the security realm, and modest budget, you'll probably want to leverage third-party solutions for payment processing, and probably for hosting, such that you write as little (likely very highly vulnerable) code as possible and devote as few hours in your day as possible to worrying about this stuff. Focus instead on your core business aptitude rather than all the things you'd need to do right to have your own rather secure ecommerce site. If you can't afford $500 for an SSL certificate, then you surely can't afford secure coding training, source code review, external web app penetration testing, IPS, WAF, or any of the other usual components of a best-of-breed security program for an eCommerce site.
From there, your question would then become one of finding recommendations for a reputable third-party site that has a reasonably secure solution for sale, and has a process by which you issue those license keys to your customers in a controllable, auditable way. You might also give some thought to how resistant your client code is to having the licensing scheme subverted, to minimize the number of folks who attempt to use your product without paying.

For the benefit of the original poster, is anyone aware of a good application service provider that is set up for software sales or registration key handling like this?

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
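The "monitor your logs and know what's normal and when you're under attack" advice above is the one item on that list a small shop can start on the same day, so here is an added illustration of it. This is example code written for this archive page, not something from Todd's message or from any product he names. It parses Apache combined-format access log lines (the sample lines are constructed, with documentation-range IP addresses), summarises who is generating the traffic, and flags two patterns an ecommerce site should expect to see: a run of failed POSTs to the login page from one address, and a burst of 404s from one address, which is what a scanner probing for files that don't exist on your site looks like. The thresholds and the `/login.php` path are assumptions to be tuned to your own site.

```python
"""Minimal access-log monitor: learn who is normal, then flag deviations.

Added example for this list archive; not code from the original post.
Log lines below are constructed sample data in Apache combined format.
"""
import re
from collections import Counter

# Constructed sample log: one real-looking shopper (203.0.113.5), one
# successful login (198.51.100.9) and one address hammering the login
# page and then probing for paths that do not exist (192.0.2.44).
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2010:13:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/May/2010:13:00:04 -0500] "GET /product.php?id=7 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2010:13:00:09 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/May/2010:13:00:12 -0500] "GET /cart.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
192.0.2.44 - - [03/May/2010:13:01:00 -0500] "POST /login.php HTTP/1.1" 401 512 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:01 -0500] "POST /login.php HTTP/1.1" 401 512 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:02 -0500] "POST /login.php HTTP/1.1" 401 512 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:03 -0500] "POST /login.php HTTP/1.1" 401 512 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:04 -0500] "POST /login.php HTTP/1.1" 401 512 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:05 -0500] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:06 -0500] "GET /old/ HTTP/1.1" 404 210 "-" "python-requests/2.0"
192.0.2.44 - - [03/May/2010:13:01:07 -0500] "GET /test/ HTTP/1.1" 404 210 "-" "python-requests/2.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def parse_log(text):
    """Parse every line that matches; silently skip the rest."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def traffic_share(events):
    """Fraction of all requests per client IP: the 'what is normal' baseline.
    A single address owning most of the traffic is itself a signal."""
    total = len(events)
    per_ip = Counter(ev["ip"] for ev in events)
    return {ip: n / total for ip, n in per_ip.items()}


def find_alerts(events, login_path="/login.php", fail_threshold=5, notfound_threshold=3):
    """Flag per-IP bursts of failed logins and of 404s.
    login_path and the thresholds are assumptions; tune them to your site."""
    login_failures = Counter()
    not_found = Counter()
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == login_path and ev["status"] in (401, 403):
            login_failures[ev["ip"]] += 1
        if ev["status"] == 404:
            not_found[ev["ip"]] += 1
    alerts = []
    for ip, n in login_failures.items():
        if n >= fail_threshold:
            alerts.append((ip, "login-failure-burst", n))
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            alerts.append((ip, "404-burst", n))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, share in sorted(traffic_share(events).items(), key=lambda kv: -kv[1]):
        print(f"{ip:<14} {share:5.1%} of requests")
    for ip, rule, n in find_alerts(events):
        print(f"ALERT {rule}: {ip} ({n} hits)")
```

Run it against a real log with `parse_log(open("access.log").read())`; the point is less the two rules than the habit: once you can read your own log programmatically, the baseline in `traffic_share` tells you what a normal day looks like, and anything that breaks that shape deserves a look before it becomes an incident.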