Tuesday, February 25, 2014 10:29:39 PM

Hi Jason,

I'm not a security expert, but I would think:

> 3 tier architecture, separating the web presentation, business logic and
> database layers onto separate servers and network zones

could be accomplished by using Apache (or similar) web server (web presentation) <-> 4D Client web server with Active4D (business logic) <-> 4D Server (database).

Of course, there are significant advantages to this setup beyond just meeting the security requirements for this audit; you can offload all static content to Apache (speeding up the web server), and having the 4D database on a separate computer from the 4D web server client is a much more secure setup (if the 4D client goes down or is hacked, that does offer some protection for the 4D database, particularly if it's behind a firewall). Yes, a lot more complex to set up, but it may be worth it beyond just getting it past the security audit.

Not sure what's required for "penetration and vulnerability tests"; please post back with any solutions you come up with. You can do some simple stress testing using: http://www.loadui.org/ but not sure if this is really sufficient to qualify as "penetration and vulnerability tests".

Hope this helps; again, please keep us posted on how you resolve this. Am definitely interested!

Cheers!

Michael Larue

--------------------

On Feb 25, 2014, at 10:20 PM, Jason Hect wrote:

> Last year we had a large customer (a bank) perform a security audit. They have come back with their list of recommendations. Most deal with documenting our processes, which is fine, several have to do with separation of duties, which will be awkward at best (I'm the only developer), and then there are these two points that deal directly with our website. On the website, the bank's customers can request supplies, and we collect their shipping address and account number used for payment.
>
> ----------------------------------------------------------------------------
>
> The website is hosted on server side and is not designed with a 3 tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones. Remediation Plan: Implement 3 tier architecture, separating the web presentation, business logic and database layers onto separate servers and network zones.
>
> No penetration and vulnerability tests are conducted against the website used for processing JPMC confidential data. Remediation Plan: Perform penetration tests for the website and remediate any issues found.
>
> ----------------------------------------------------------------------------
>
> For the first point, how would that work, or is it even possible with an Active4D / 4D hosted website? I'm thinking this means hosting the website with Apache (or similar) and proxying the requests as needed back to 4D. I've glossed over those posts in the past, as I wasn't interested in adding the complexity. If that's the route I need to go, I'll start doing some more searching, but a high level, "this is how it would work" is what I need now.
>
> For the second point, any recommendations for penetration testing? I'd probably like to do something quick and dirty and cheap/free now, just to see if there are any glaring issues, and then pay for a more robust test later to satisfy the customer?
>
> Thanks,
> Jason
> _______________________________________________
> Active4D-dev mailing list
> [email protected]
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/
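As an added illustration of the Apache <-> 4D Client (Active4D) <-> 4D Server layout Michael sketches above (this is example configuration written for this page, not code from either poster or from the Active4D project), here is an Apache 2.4 virtual host that serves static files itself and reverse-proxies only the application paths to a 4D client web server in a separate zone. The hostname `supplies.example.com`, the internal name `4dclient.internal`, port `8080`, the `/app/` prefix and the certificate paths are all assumptions; substitute your own.

```apache
# Added example: front-end tier of the 3-tier layout discussed in the thread.
# Assumed topology (every name, port and path here is a placeholder):
#
#   browser --HTTPS--> Apache (presentation zone: static files + reverse proxy)
#                        --HTTP--> 4D Client web server with Active4D
#                                  (application zone, 4dclient.internal:8080)
#                                    --4D protocol--> 4D Server
#                                                     (database zone)
#
# The zone firewalls complete the picture: only Apache may reach
# 4dclient.internal:8080, and only the 4D client host may reach 4D Server.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

<VirtualHost *:443>
    ServerName supplies.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/supplies.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/supplies.example.com.key

    # Static content (images, CSS, JS) is answered by Apache and never
    # reaches the 4D tier, which is the speed-up Michael mentions.
    DocumentRoot /var/www/supplies/static
    <Directory /var/www/supplies/static>
        Options -Indexes
        Require all granted
    </Directory>

    # ProxyRequests Off keeps this a reverse proxy only; an Apache with
    # ProxyRequests On would be an open forward proxy for anyone on the net.
    ProxyRequests Off
    ProxyPreserveHost On

    # Only requests under /app/ are forwarded to the Active4D application
    # tier. Any other path is handled (or 404'd) by Apache itself, so the
    # 4D web server is never addressable directly from the internet.
    ProxyPass        /app/ http://4dclient.internal:8080/
    ProxyPassReverse /app/ http://4dclient.internal:8080/

    # mod_proxy_http adds X-Forwarded-For automatically; record the original
    # scheme too so the 4D tier's logs are usable for incident response.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  ${APACHE_LOG_DIR}/supplies-error.log
    CustomLog ${APACHE_LOG_DIR}/supplies-access.log combined
</VirtualHost>

# Plain HTTP exists only to redirect to HTTPS; the account numbers and
# shipping addresses collected by the site should never travel in clear.
<VirtualHost *:80>
    ServerName supplies.example.com
    Redirect permanent / https://supplies.example.com/
</VirtualHost>
```

The security value comes from the combination of the `ProxyPass` whitelist and the zone firewalls: even if the Active4D tier is compromised, the attacker holds a host that cannot be reached from outside except through the paths Apache forwards, and the database zone still only accepts connections from that one application host. Test the rule set from the outside by confirming that `4dclient.internal:8080` and the 4D Server port are unreachable from any address other than their intended upstream.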
