10

I came across this question

I would also like to offer up my startup for security advice.

Objective: building a SaaS web application that allows businesses to quickly open up online stores akin to Yahoo! Stores.

Programming: Done mostly by me. Sometimes I hire freelancers to help me with stuff I do not know.

I use CakePHP framework for my web application.

Hosting: Using Amazon EC2 and other Amazon Web Services like Elastic Load Balancing.

Systems Administration: I am running Ubuntu server 10.04.

I know this is still a high level question. Let me break this up into several subareas.

Programming, collaboration with freelancers

I am using git and a remote git repo on ProjectLocker. I am not an expert in git. All I know is git add, git commit -a, git push, git merge, git checkout, git pull.

When freelancers do work for me, I always tell them to commit their work in a separate branch and I will do a merge myself into the main branch.

Not sure if there is any security loophole there. Please let me know.

Programming, the code itself

Well, you guys cannot see the code, but I am using CakePHP framework.

I think I did everything correctly except that I had to disable the CSRF protection at times to allow certain flash plugins to work.

Not too sure what I should do about it.

Not sure if there is any security loophole there. Please let me know.

Deployment

I use capistrano to do the deployment for me. Basically I think the capistrano ssh'd into the server and from there gives it an instruction to do a git fetch from the remote repository.

I basically copied and pasted the capistrano deploy script from somewhere and modified it.

Not sure if there is any security loophole there. Please let me know.

Web Application for users

Just bought and installed SSL certs. I had to use a wildcard certificate for my users individual subdomains and a standard SSL cert for the signup page.

Did not buy an extended validation SSL cert. Didn't think I needed it.

Not sure if there is any security loophole there. Please let me know.

Systems admin, collaboration, hosting:

I do not have a protocol on how to update my server with security updates since I am not LIVE yet.

I would appreciate something simple that an Ubuntu novice can use.

Amazon Web Services, Systems admin, collaboration:

I hired a sys admin freelancer to help me install SSL certs because a) I am not familiar with Linux, b) I am not familiar with Amazon Web Services.

If, in future, I hire someone to help me troubleshoot either Ubuntu or my Amazon Web Services, how do I do it without putting my SaaS at risk?

I saw this for Amazon Web Services

Not sure how to use it.

Can someone give me a good protocol to allow hired freelancers to solve my system admin issues in a safe manner?

Other areas I have NOT thought of

Please let me know.

Kim Stacks
  • These might be better as separate questions. – D.W. Mar 06 '11 at 01:07
  • What other info are you looking for to fully answer the question? I see you added a bounty, but not sure what I can do to improve my answer without writing a book :) – mrnap Mar 07 '11 at 15:57
  • @mrnap you are right. Perhaps I should narrow down to deployment and sys admin tasks since these 2 areas are areas I am least familiar with. I think I made a mistake to post such a general question. Any suggestions on how I should clean up this mess I have started while benefiting future readers? – Kim Stacks Mar 08 '11 at 02:35
  • I think this question has as good of answer as you will get. I would suggest choosing one and accepting, and if you have further questions open a new question/questions with more specific focus. – mrnap Mar 10 '11 at 05:50

4 Answers

8

Alright, this answer is by no means exhaustive as this is a large question, but just off the top of my head here are some thoughts:

GIT:
That's good that you're doing the merges yourself, does that mean you're going to handle all the diffs? If you're not going to, the trust of the coder could be a POF, but if you are going to depending on the amount of merges expect to spend a lot of time doing all the diffs yourself.

Programming/Framework:
Might want to be careful disabling CSRF, whenever you do that and have flash there can be some nasty exploits. Best bet to prevent those is to make sure you have really solid session handling, and verify verify verify any time a user is accessing a resource. You can find some more info on common CSRF stuff here: CSRF FAQs. Also, watch out for this vulnerability. I don't have a ton of familiarity with CakePHP, but best rec is to make sure to sanitize, whitelist if possible, use ACLs, etc. Here is a very basic way to add a bit of additional security to your CakePHP instance.

Server Security:
I don't have a ton of experience with Capistrano, but from what I've heard it's a pretty solid tool, as long as you've grabbed a reliable fork. I would be more cognizant of vulnerabilities in the SSH handling itself, as it seems to me that is where capistrano could most likely be exploited. As for web server security, I think Amazon is one of the best choices out there.

SSL:
I would be very wary of a wildcard cert. If one of your subdomains is compromised, so will your entire network. All it takes is one certificate authority having a vulnerability and all of your customers and their data will be compromised. Since you're doing e-commerce, it's really important to have the highest levels of security for customer data.

Summary:
All in all, I would really recommend hiring a web app security professional who is credible in the field and has experience to take a look at your application. Since you will be dealing with financial data, which is one of the most sensitive types, a solid exhaustive look at your software is very important. I know it's hard when you're just starting out, but if you don't take the time to secure your app thoroughly one exploit could bring down your entire business.

Hope that helps :)

mrnap
  • Your summary reminded me of this blog entry by Chris Wysopal of Veracode, "Application Security Debt and Application Interest Rates" http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/ – Tate Hansen Feb 28 '11 at 05:08
  • Interesting post, and laid out in a much more eloquent way than I did. I guess being technical in nature I tend to trend more towards Hemingway than Joyce :) I've never heard of that blog before, but it's something I'm going to add to my reading list, thanks again. – mrnap Feb 28 '11 at 15:52
  • All in all, I would really recommend hiring a web app security professional who is credible in the field and has experience to take a look at your application. @mmap Okay, where do I look for one? – Kim Stacks Mar 01 '11 at 01:52
  • @keisimone Honestly, that depends on your budget. Do you have a specific range you're willing to spend? – mrnap Mar 01 '11 at 02:33
  • I am willing to pay for USD100/hr for a consultation. I paid that price for a PayPal certified Developer to advise me using Skype for about 2 hours. He was very good. He went into more than 2 hours because he wanted to ensure I knew what he was trying to advise me in. – Kim Stacks Mar 01 '11 at 04:46
  • @keisimone I really am not comfortable giving you a direct rec since I don't know many personally, and the ones I do know are more tied up in companies doing research (like TrustWave's SpiderLabs). I would recommend checking out http://security.stackexchange.com/questions/571/what-security-resources-should-a-white-hat-developer-follow-these-days/2320#2320 and seeing if there are any solid linked resources here. – mrnap Mar 02 '11 at 02:22
  • @keisimone I think you'd have good chances of finding one here - I'd be happy to put myself forward, but your needs are not my preferred specialty :) (and I'm pretty swamped now...). Typically offers of business are off-topic, but contacts can be - and have been - made, and taken offline. Alternatively, you can contact someone via the [chatroom](http://chat.stackexchange.com/rooms/151)... Also take into account re budget, it still really depends on how many hours / how much details of work you expect him to go into. – AviD Mar 03 '11 at 21:04
  • @AviD thank you. I'll go try the chat room. Hopefully I have the privilege to talk there. – Kim Stacks Mar 04 '11 at 03:12
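The question says CSRF protection was switched off so that certain Flash plugins could post to the application, and the answer above warns against that. As an added illustration (not code from the question author or from CakePHP; CakePHP's Security component has its own per-form token scheme and this is a simplified per-session version), the plain-PHP script below keeps a synchronizer token check on an upload endpoint: the page that embeds the plugin hands it the session's token, the plugin sends it back as a form field, and the server compares the two in constant time. The flashvar name `csrf_token` and the array-backed session are assumptions made so the script runs from the command line.

```php
<?php
// Added example, not from the question or from CakePHP: a synchronizer-token
// CSRF check that can stay enabled for a Flash upload endpoint. The session
// is a plain array so this runs from the CLI; in the app it would be $_SESSION.
declare(strict_types=1);

// Return the session's CSRF token, minting one on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes -> 64 hex characters (random_bytes needs PHP >= 7).
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only for a POST whose csrf_token field matches the session's token.
function csrf_valid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false; // state-changing requests must be POST, never GET
    }
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false; // no token issued yet, or none supplied
    }
    if (!is_string($post['csrf_token'])) {
        return false; // arrays or other odd shapes are rejected outright
    }
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- demonstration with constructed requests ---
$session = [];
$token = csrf_token($session);

// Page output: pass the token to the Flash plugin as a flashvar (the
// parameter name "csrf_token" is an assumption), HTML-escaped for the embed tag.
$flashvars = 'csrf_token=' . rawurlencode($token);
echo 'flashvars for the embed tag: ' . htmlspecialchars($flashvars, ENT_QUOTES, 'UTF-8') . "\n";

// Legitimate upload: the plugin posts the token it was given.
$goodPost = ['file' => 'photo.jpg', 'csrf_token' => $token];
// Forged cross-site request: the token in the session is not readable from
// another origin, so the field is wrong (or missing).
$forgedPost = ['file' => 'photo.jpg', 'csrf_token' => str_repeat('0', 64)];

echo 'legitimate POST accepted: ' . var_export(csrf_valid($session, $goodPost, 'POST'), true) . "\n";
echo 'forged POST accepted:     ' . var_export(csrf_valid($session, $forgedPost, 'POST'), true) . "\n";
echo 'GET accepted:             ' . var_export(csrf_valid($session, $goodPost, 'GET'), true) . "\n";
```

The point of the design is that the token travels with the request body rather than relying on the browser to attach a cookie, which is why it works for a plugin that posts on the user's behalf; the plugin only ever sees a token the page deliberately gave it.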
6

1) First and foremost master the OWASP Top 10.

2) Install a Web Application Firewall. They are required by the payment card industry for a reason (PCI-DSS).

3) Lockdown PHP with PHPSecInfo.

5) Lockdown your database.

6) Use static code analysis like RIPS-PHP to track down serious vulnerabilities in your code.

7) Use Linux, especially Ubuntu, because AppArmor breaks exploits.

8) Last but not least, test your web application code for vulnerabilities. This doesn't have to cost a lot of money, Sitewatch has a free vulnerability scanning service.

rook
  • 1). In other words: validate input and limit it to a minimum, and 2). Make a **default-deny** application proxy, IDSes and IPSes are only slowing down the attacker, they don't prevent attacks. – Hubert Kario Jul 29 '11 at 11:00
  • @Hubert Kario but also test your software. – rook Jul 29 '11 at 17:35
5

In addition to @Rook's comments, if I were running a server on the Internet, I would strongly recommend using OSSEC. Great free log analysis/HIDS software. I run it on all my public facing kit.

xntrik
  • Thank you for the answer, xntrik. I will definitely consider this when everything is properly running. Now busy with developing. – Kim Stacks Apr 12 '11 at 08:15
0

To add to the hosting aspect: AWS facilitates a shared responsibility model illustrating which parts they cover and which the customer needs to take care of:

[Image: AWS shared responsibility model diagram]

That means especially the application and the data in transit need to be protected by you, e.g. by implementing the already mentioned OWASP guidelines.

superuser0