Creating a secure members area

Posted: Tue Dec 12, 2006 12:15 am
by mameha
I'm having some political problems at work.

My company already has a big local website in the home country which I have nothing to do with - that site is 100% static HTML and has no login area etc.

Now I've been brought in to make an international version (from scratch, nothing is shared with the local site) for several overseas countries. I want to make a members system to provide more sensitive info only to members, and also to provide extra services to big corporate customers. In future I want to also extend this to add extra services to distributors. So it would be a level 0-10 access level type system. Higher management and the big boss are all into this idea.

Problem is the guys who make the local website, and their mates the general 'System dept.' people, are very against the members area and are throwing words like 'customer privacy' at me and basically saying we will get hacked and the customer data leaked and we will get sued / lose customers etc etc.

My counter argument is that there are tons of websites using a members area, so it can't be illegal and it's not impossible to make it secure. However, due to this pressure I have removed the members area for now. They control the server so I have no SSH access and can only secure things 'my side' in the PHP code. I've done obvious stuff like cleaning up inputs with mysql_real_escape_string, htmlentities, addslashes, and there's some basic protection against XSS. One guy in their team said I should be using an open source CMS rather than writing my own code.

So I want to hear your opinions on how to provide such a members area securely with PHP / MySQL. Also, I'd like to know if this kind of thing is better done with JSP/Tomcat (I've used this in the past and am kind of looking for an excuse to go back to it).
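As an added illustration of the PHP/MySQL question above (this is not code from mameha or the thread), here is the skeleton of a members area built on parameterised queries instead of escaping, hashed passwords, and a 0-10 access-level gate; the table name, columns, DSN and credentials are assumed placeholders.

```php
<?php
// Added example (not from the thread): members-area login with a 0-10 access level.
// Assumed table: members(id, username, password_hash, level). DSN/credentials are placeholders.
declare(strict_types=1);
session_start();

function db(): PDO {
    return new PDO('mysql:host=localhost;dbname=intl_site;charset=utf8mb4', 'app_user', 'app_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: SQL values are never escaped by hand
    ]);
}

// Store a salted hash, never the password; level is the 0-10 tier from the first post.
function register(PDO $pdo, string $user, string $pass, int $level): void {
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash, level) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), max(0, min(10, $level))]);
}

// True on success; the session then carries the member id and level.
function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash, level FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown so both paths take similar time.
    $hash = $row['password_hash'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !$row) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id after the privilege change
    $_SESSION['member_id'] = (int) $row['id'];
    $_SESSION['level']     = (int) $row['level'];
    return true;
}

// Page gate: the member must hold at least $required (e.g. 5 for corporate customers).
function require_level(int $required): void {
    if ((int) ($_SESSION['level'] ?? -1) < $required) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Escape at output time only; HTML escaping is not a substitute for prepared statements.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Each protected page calls require_level() after session_start(), so the same check serves ordinary members, corporate customers and, later, distributors by changing only the required tier.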

Posted: Tue Dec 12, 2006 1:01 am
by neophyte
Secure logins? Yeah, you can use PHP to build secure logins. Is there a chance that someone will sniff out passwords or attack a vulnerability? Yes. Would they try it with other technologies? Yes. Is there risk? Yes. But if your superiors are like "they broke the German Enigma code", then what's the point of the debate?

Posted: Tue Dec 12, 2006 8:26 pm
by phait
Apart from agreeing with neophyte's last sentence, I also offer the following:

moan
Reading your last sentence: if you're looking for an excuse to use JSPs, please do not come on here expecting ppl to give you the reasons to go to your boss, junk PHP and then proffer up Java as the solution to the problem, just because you most likely feel more comfortable using it. Go to a JSP board and get some PHP FUD there. Oh, and btw, it's not so much the technology, it's the way it is implemented; you can write crappy user logins in Java as well.
/moan

now, coming back to the initial part of your post. I'd suggest a couple of ways to attack this problem.

- speak with the boss(es) and identify if there are definite business gains from having this area. Do the competitors offer the same facility? If not, then you can offer an enhancement to the customers. If the competition do, then you are at least keeping up with them and hopefully surpassing them. It may be worth researching how the competition do their implementation, if one exists.

- work out the skill level of those causing the problems. Are they doing it because they don't know scripting languages? Are they perhaps fearful that you'll supplant their jobs (protectionism)? If you really can't work with them, then you need to be clear with your boss(es) that a problem exists there. If you can identify the business gains and they have bought into them, then you need to state what you need in order for the project to succeed and make sure the boss(es) explicitly agree to them. So, things like SSH access are your requirements to get this project successfully completed - if the sys admin dudes can't give you that, get your boss to get someone who can.

- If security is really a concern of the sys admins, why not ask them to work with you to identify where the leaks might be and get them patched? I'll bet there will be some on the server - suggest a security audit of the current web platform by an independent assessor ;) If they just dig their heels in, is it feasible to ask your boss(es) for a separate dev / production platform hosted elsewhere? You then effectively cut off a lot of the reasons for objection and start from a place where you are happy to develop and build a good relationship with a sys admin / company that can help you do things.

- as for whether it's illegal or not. It's not illegal to store data on a computer. I'm not sure where you're based, but I would say check out the data protection laws relevant to your area, and for any special ones that may apply to the business domain. The main problem comes only in being sure that you only show the right level of information to rightly authorised personnel. At the end of the day, it should be a business decision (your bosses') as to how much data is made available and what level of checks should be implemented to get to the next level of data. This may also help to build a relationship with your boss to drive the success of the project.

- if the company can afford it, get a decent independent php security assessor to work with you on the site. This will give you (and your boss) a high level of comfort when developing the application. You can then take the knowledge onto your next project :)

hth,
phait

Posted: Tue Dec 12, 2006 10:34 pm
by mameha
Thanks for your response.

I'll address each point in turn...

- Competition doesn't really offer this service. Bigger customers are starting to demand e-procurement. One competitor offers e-proc, but only in the US. I suppose I could offer e-proc without storing any member info on the server: if I store the info locally and just give them a username/pass, then from that I can fill in the address data etc. away from the webserver.

- The local homepage team don't know scripting. They are basically a collection of people of different skills (product knowledge, customer knowledge, documentation etc.) but none of them have an IT/web background. There's a systems dept., and one of the guys there helps them with the HTML etc., and a little PHP. He knows his stuff, but he and the others in systems are extremely cold and I'm lucky if I can even get a reply to my emails to them. Basically I am a nuisance who asks them for stuff that's difficult (SSH access, stats packages installed, Apache/PHP version upgrade etc.) and they want me to go away. I've asked for my own server to manage but they poo-pooed that. I will ask again (and ask higher up the chain) when I am more established in the company.

- Again they won't co-operate on this. I asked for a 3rd party to look at the site but they said they'd think about it and never got back to me. I showed them the site and asked them to check for security but they just say 'we don't know about hacking'. Again 'go away please' is the message.

- They say it's illegal to leak personal data here (modern country in Asia). I think it's a grey area, and certainly other sites are storing data on the web servers. Amazon for example.

My plan is to get my own server and take the risks myself, and until that time play along with them and follow their rules.

Posted: Wed Dec 13, 2006 9:06 am
by phait
hi,
hmm, sounds like you have a few problems there. I could go over them all now, but I'm not going to as that may be a waste of time. The main thing I'd suggest you do immediately is work out just how much buy-in you have from the business for this.

Your original post mentioned having a website for overseas customers, and the way you talk in your post, it sounds as if you have added the members area as an addition to the site that you think should be there? Does the business think it should be there? (When I say business, I mean your boss, the big boss, not the sys admin guys or the other web guy - they don't pay your wages - your boss does.)

To cut to the chase, unless you can get some backup from the business higher up, and quickly, I think you are going to find things get more frustrating for you, because it's going to be you against the incumbent web guy and sys admins for each new addition that involves something that they either have never heard of, know little about or sounds like hard work to them.

If the members area is something more of a "nice to have" and not a core part of your project, then it may be best to complete the initial project and, whilst doing that, plant the seeds for the members area. Send links to your boss for other similar implementations, make them aware of what the competition are doing, make them aware of where you think they can get ahead of the competition. But you will need that buy-in to really get anywhere; otherwise, the first time someone questions it, you're gonna have to down tools whilst you justify your actions or future intentions.

> My plan is to get my own server and take the risks myself, and until that time play along with them and follow their rules.

That way lies madness and possibly losing your job. You get paid to do your job; if the company won't support you in doing that or do not trust you to do that, then I would question your position at that company and the values of the company itself.

> - they say its illegal to leak personal data here (modern country in asia). i think its a grey area, and certainly other sites are storing data on the web servers. amazon for example.

heh :) yeah, it's illegal to leak personal data here as well. Thing is, when people are building members' areas, it is not with the intention of leaking data. This is not legal advice, but if you can show you have taken all reasonable precautions to secure the data and you still get hacked, then you have a good case to go to the police and look for prosecution. After all, multi-national banks still get hacked, both externally and internally, and it's not like they intend to leak data. :)

You really need to get some sort of assurance from your boss that this is where the business wants to go and support you in moving in that direction IMHO.

cheers,
phait

Posted: Wed Dec 13, 2006 6:18 pm
by mameha
Thanks for your comments.

There is support from the higher management. The main boss for overseas marketing, and the company president himself, are for the members area idea. So it will happen in future.

My problem is day to day stuff where I need things done on the server, but I don't have access so I have to ask the systems guy, who just makes it as hard as possible to get stuff done. For example installing awstats - he won't do it and sent me the weblogs and told me to install it on my local machine. For example upgrading to Apache 2 or PHP 5 - the answer is no, even though they are hardly using PHP their side. This to me is all basic stuff I should be in charge of myself, but instead I have to go through them 'for security', i.e. lack of trust.

Anyway I think things will sort themselves out over time; I just need to learn how to 'leverage' my ideas better so it is someone else telling systems this will happen rather than me. This country has very much a hierarchy thing going on within companies regarding age and time spent in the company. Skills, ideas, knowledge etc. are not a factor in terms of the respect given to you.