Jason, Apache proxying is very easy. Let me know if you need some hints.
For intrusion testing, try playing with Snort http://en.wikipedia.org/wiki/Snort_(software)

On Tue, Feb 25, 2014 at 4:20 PM, Jason Hect <[email protected]> wrote:

> Last year we had a large customer (a bank) perform a security audit.
> They have come back with their list of recommendations. Most deal with
> documenting our processes, which is fine, several have to do with
> separation of duties, which will be awkward at best (I'm the only
> developer), and then there are these two points that deal directly with
> our website. On the website, the bank's customers can request supplies,
> and we collect their shipping address and account number used for payment.
>
> ----------------------------------------------------------------------------
>
> The website is hosted on server side and is not designed with a 3 tier
> architecture, separating the web presentation, business logic and database
> layers onto separate servers and network zones. Remediation Plan:
> Implement 3 tier architecture, separating the web presentation, business
> logic and database layers onto separate servers and network zones.
>
> No penetration and vulnerability tests are conducted against the website
> used for processing JPMC confidential data. Remediation Plan: Perform
> penetration tests for the website and remediate any issues found.
>
> ----------------------------------------------------------------------------
>
> For the first point, how would that work, or is it even possible with an
> Active4D / 4D hosted website? I'm thinking this means hosting the website
> with Apache (or similar) and proxying the requests as needed back to 4D.
> I've glossed over those posts in the past, as I wasn't interested in
> adding the complexity. If that's the route I need to go, I'll start doing
> some more searching, but a high level, "this is how it would work" is what
> I need now.
>
> For the second point, any recommendations for penetration testing? I'd
> probably like to do something quick and dirty and cheap/free now, just to
> see if there are any glaring issues, and then pay for a more robust test
> later to satisfy the customer?
>
> Thanks,
> Jason
> _______________________________________________
> Active4D-dev mailing list
> [email protected]
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/

--
m|a
