security - Secure database and webpage against modification -
my website provides extremely sensible information (think of bank account numbers) publicly available through webpages , webservices. customers may modify these information when authentified username , password.
any hacking intrusion modify entries of database, or modify information displayed on webpage, disastrous, account numbers might incorrect , money directed malicious bank account.
do have general advices architecture make such service robust possible? not responsible in case of weak password, main concern attacks bypass authentication process , modify database without triggering alert on side; html code of webpage directly modified show different information...
thank you
in case make sure harden system possible. includes broad spectrum reaching security roles on transaction based usage of database, logging prevention of sorts of attacks sql injection, cross site scripting in general , maybe if sensible system use certificates , general ip checks (like have white list of ips allowed populate requests system not instantly refused). not mention host architecture has protected regardless of implemented security features inside system (key words: firewalls, user privileges etc.). during development process there should auto code checking software (like sonar) running detect logical errors , stuff.
then idear have second system monitor primary systems status. system should log , notify on:
changes made system (like if has access business logic , examply removes authentication logic)
changes made database not consistent primary systems state.
detect suspicious actions: banks example have rules apply on account. if used make payments within europe last time , out of nothing make huge payment lets china recive notification commit payment. payment not triggered unless second commitment of customer.
in end pointed out correctly can harden possible not make "100%" safe (at least in theory) have level of security part of total system include beeing able detect unwanted changes, identify exact changes beeing made , have information on overall status of system allow rollback or manual correction of corruptet state in case happened.
even after having implemented mentioned techniques have continously check security bugs in used frameworks, librarys , system full (like using security penetration frameworks auto try corrupt system).
what want show answer comments suggest: broad , complex topic multiple layers of security concernes have either study or have framework solutions "ensure" take care of topic (like webframeworks include basic xss prevention).
Comments
Post a Comment