Last year we had a large customer (a bank) perform a security audit. They have come back with their list of recommendations. Most deal with documenting our processes, which is fine, several have to do with separation of duties, which will be awkward at best (I'm the only developer), and then there are these two points that deal directly with our website. On the website, the bank's customers can request supplies, and we collect their shipping address and account number used for payment.

----------------------------------------------------------------------------
The website is hosted on server side and is not designed with a 3-tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones.

Remediation Plan: Implement 3-tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones.

No penetration and vulnerability tests are conducted against the website used for processing JPMC confidential data.

Remediation Plan: Perform penetration tests for the website and remediate any issues found.
----------------------------------------------------------------------------

For the first point, how would that work, or is it even possible with an Active4D / 4D hosted website? I'm thinking this means hosting the website with Apache (or similar) and proxying the requests as needed back to 4D. I've glossed over those posts in the past, as I wasn't interested in adding the complexity. If that's the route I need to go, I'll start doing some more searching, but a high-level "this is how it would work" is what I need now.

For the second point, any recommendations for penetration testing? I'd probably like to do something quick and dirty and cheap/free now, just to see if there are any glaring issues, and then pay for a more robust test later to satisfy the customer.

Thanks,
Jason

_______________________________________________
Active4D-dev mailing list
[email protected]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/
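As an added illustration of the "Apache in front, proxy back to 4D" route raised in the question (this is example configuration, not from the original post or the Active4D project), a minimal Apache reverse-proxy setup for a presentation-tier host in a DMZ that forwards requests to a 4D web server in an internal zone; the hostname `4d-app.internal`, the port `8080`, the site name `supplies.example.com` and the certificate paths are assumed placeholders.

```apache
# Presentation tier (DMZ host). Apache terminates TLS and forwards
# application requests to the 4D web server in the internal zone, so 4D's
# HTTP port is reachable only from this host (enforce that at the firewall).
# Assumed placeholders: 4d-app.internal:8080, supplies.example.com, cert paths.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule ssl_module        modules/mod_ssl.so

<VirtualHost *:443>
    ServerName supplies.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/supplies.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/supplies.example.com.key

    # Never act as an open forward proxy; only reverse-proxy the paths below.
    ProxyRequests Off
    ProxyPreserveHost On

    # Everything under / goes to 4D; mod_proxy adds X-Forwarded-For itself.
    ProxyPass        / http://4d-app.internal:8080/
    ProxyPassReverse / http://4d-app.internal:8080/

    # Let the application know the client actually used HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  logs/supplies_error.log
    CustomLog logs/supplies_access.log combined
</VirtualHost>

# Plain HTTP is only a redirect, so addresses and account numbers are never
# submitted in the clear.
<VirtualHost *:80>
    ServerName supplies.example.com
    Redirect permanent / https://supplies.example.com/
</VirtualHost>
```

This covers the web-presentation / application split only; moving the database layer onto a third host and zone is a 4D deployment question that this Apache configuration does not address.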
