Re: How can I secure my site?

[Todd Haverkos <infosec () haverkos com>]

Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> writes:

> HI. thanks for reply
> I searched certificate authorities and I found that their certificates
> are very expensive. for example lowest security level by Verisign is
> 500$. How can I prepare cheaper certificates? My business is small and
> I can't refund for such expensive certificates.
> thanks for any help

Verisign has always been... how can I put this politely... on the low
end of the bang-for-the-buck scale.  As an alternative, check with
godaddy.com for some less expensive SSL offerings.  But it also seems
your host will sell you a cert for $50/year which is also reasonable.
There isn't much difference--for most intents and purposes--between
that cert your host is offering and something from Veri$ign.  While
there are indeed varying levels of verification/trust in a given SSL
cert, you can probably count on one hand the number of your customers
who are even aware of the difference among them.  So long as the cert
chain is included with their browser such that your site doesn't
generate any warnings to them when they visit, no one essentially
cares.  

But as this is a security list, let me be among the folks to make it
crystal clear to you that SSL WILL NOT SECURE YOUR WEB SITE.  The
original poster who suggested SSL couched it correctly that it can
help _improve_ your secure posture, but as most people reading this
hopefully know, that SSL (which to most lay users means Super Shiny
Locks!) will not secure your website.

Web security, unfortunately, is very hard to do. 

To secure your website, you have to do a ton of things right.
Patching religiously is one part of it, and probably the easiest.
Configuring components to best practices is another crucial part of
it--dont leave default accounts or database engines wide open with
default passwords.  Writing code that is secure is another crucial
part of it (and probably the hardest).  Leveraging encryption
(transport encryption/certs as well as encryption of sensitive data in
the database) is another piece of the puzzle.  Monitoring your logs
and knowing what's normal and when you're under attack and able to
respond to it is another.  There's unfortunately lots more to worry
about as well.  Picking PHP as your language of choice unfortunately
is worrisome because if there's one thing anyone who's done app
testing knows, there seem to be an awful lot of ways to do PHP
insecurely.

Given your company's size, newness to the security realm, and modest
budget, you'll probably want to leverage third party solutions for
payment processing, and probably for hosting, such that you write as
little (likely very highly vulnerable) code as possible and devote as
few hours in your day as possible to worrying about this stuff.  Focus
instead on your core business aptitude rather than all the things
you'd need to do right to have your own rather secure ecommerce site.
If you can't afford $500 for and SSL certificate, then you surely
can't afford secure coding training, source code review, external web
app penetration testing, IPS, WAF, or any of the other usual
components to a best of breed security program for an eCommerce site.

> From there, your question would then become one of finding
recommendations for a reputable third party site that has a reasonably
secure solution for sale, and has a process by which you issue those
license keys to your customers in a controllable, auditable way.  You
might also consider some thoughts about how hard your client code is
to having the licensing scheme subverted, to minimize the number of
folks who attempt to use your product without paying.

For the benefit of the original poster, is anyone aware of a good
application service provider that is set up for software sales or
registration key handling like this?

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------