One feature of 4D, in your favor... little danger of SQL-injection :)

On Tue, Feb 25, 2014 at 4:28 PM, Mehboob Alam <[email protected]> wrote:
> Jason,
>
> Apache proxying is very easy. Let me know if you need some hints.
>
> For intrusion testing, try playing with Snort
> http://en.wikipedia.org/wiki/Snort_(software)
>
> On Tue, Feb 25, 2014 at 4:20 PM, Jason Hect <[email protected]> wrote:
>
>> Last year we had a large customer (a bank) perform a security audit.
>> They have come back with their list of recommendations. Most deal with
>> documenting our processes, which is fine, several have to do with
>> separation of duties, which will be awkward at best (I'm the only
>> developer), and then there are these two points that deal directly with
>> our website. On the website, the bank's customers can request supplies,
>> and we collect their shipping address and account number used for payment.
>>
>> ----------------------------------------------------------------------------
>>
>> The website is hosted on server side and is not designed with a 3 tier
>> architecture, separating the web presentation, business logic and
>> database layers onto separate servers and network zones. Remediation
>> Plan: Implement 3 tier architecture, separating the web presentation,
>> business logic and database layers onto separate servers and network
>> zones.
>>
>> No penetration and vulnerability tests are conducted against the
>> website used for processing JPMC confidential data. Remediation Plan:
>> Perform penetration tests for the website and remediate any issues found.
>>
>> ----------------------------------------------------------------------------
>>
>> For the first point, how would that work, or is it even possible with an
>> Active4D / 4D hosted website? I'm thinking this means hosting the website
>> with Apache (or similar) and proxying the requests as needed back to 4D.
>> I've glossed over those posts in the past, as I wasn't interested in
>> adding the complexity. If that's the route I need to go, I'll start doing
>> some more searching, but a high level, "this is how it would work" is what
>> I need now.
>>
>> For the second point, any recommendations for penetration testing? I'd
>> probably like to do something quick and dirty and cheap/free now, just to
>> see if there are any glaring issues, and then pay for a more robust test
>> later to satisfy the customer?
>>
>> Thanks,
>> Jason
>> _______________________________________________
>> Active4D-dev mailing list
>> [email protected]
>> http://list.aparajitaworld.com/listinfo/active4d-dev
>> Archives: http://active4d-nabble.aparajitaworld.com/
>
> --
> m|a

--
m|a
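A high-level sketch of the first point (Apache in front, 4D behind it in a separate zone) as working Apache 2.4 configuration, added here as an example; it is not code from the thread or from the Active4D project. The hostname www.example.com, the backend address 10.0.2.10:8080, the /supplies/ path and the log paths are assumptions, and mod_proxy, mod_proxy_http, mod_ssl and mod_headers are assumed to be enabled.

```apache
# Added example, not from the thread. Apache runs in the web zone and
# terminates TLS. Active4D/4D listens at 10.0.2.10:8080 (assumed address
# and port) in an internal zone that firewall rules make reachable only
# from this proxy host, so a client can never talk to 4D directly.

# Do not advertise version details to clients.
ServerTokens Prod
# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off
# Pass the original Host header through to 4D.
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName www.example.com
    # Send everything to HTTPS so shipping addresses and account
    # numbers are never submitted in the clear.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Presentation tier: static pages, CSS and images are served from
    # the web zone without ever touching 4D.
    DocumentRoot /var/www/html

    # Only the application paths are forwarded to 4D (assumed path).
    # Anything else is answered here and never reaches the inner zone,
    # which also keeps 4D's own built-in pages off the Internet.
    ProxyPass        /supplies/ http://10.0.2.10:8080/supplies/
    ProxyPassReverse /supplies/ http://10.0.2.10:8080/supplies/

    # mod_proxy already adds X-Forwarded-For; add the scheme as well so
    # 4D can record the real client and protocol in its own logs.
    RequestHeader set X-Forwarded-Proto "https"

    # A slow or stuck 4D process must not pin Apache workers forever.
    ProxyTimeout 30

    # Keep a separate access log: it is the evidence a later penetration
    # test or incident review will ask for.
    ErrorLog  /var/log/apache2/supplies_error.log
    CustomLog /var/log/apache2/supplies_access.log combined
</VirtualHost>
```

With this layout the audit's "presentation" tier is the Apache host, 4D holds the business logic and data in the internal zone, and the only path between them is the proxied /supplies/ prefix.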
