Jason,

If you do proxy, one additional recommendation is to only allow Apache to proxy to Active4D. IIRC this was easy to do if you were running an NTK-based web server, but more difficult with 4D's built-in web server. That may have changed though. If 4D/Active4D is serving on port 8080 you don't want an end user to be able to go to http://mysite.com:8080/somepage.a4d.

Ideally they'd like for your Web Server (Apache, nginx, etc) to be running on a different server than 4D/Active4D, but doubt very few people do that in practice.

- Brad Perkins

On 2/25/14 2:28 PM, "Mehboob Alam" <[email protected]> wrote:

> Jason,
>
> Apache proxying is very easy. Let me know if you need some hints.
>
> For intrusion testing, try playing with Snort
> http://en.wikipedia.org/wiki/Snort_(software)
>
> On Tue, Feb 25, 2014 at 4:20 PM, Jason Hect <[email protected]> wrote:
>
>> Last year we had a large customer (a bank) perform a security audit.
>> They have come back with their list of recommendations. Most deal with
>> documenting our processes, which is fine, several have to do with
>> separation of duties, which will be awkward at best (I'm the only
>> developer), and then there are these two points that deal directly with
>> our website. On the website, the bank's customers can request supplies,
>> and we collect their shipping address and account number used for payment.
>>
>> ----------------------------------------------------------------------------
>>
>> The website is hosted on server side and is not designed with a 3 tier
>> architecture, separating the web presentation, business logic and database
>> layers onto separate servers and network zones. Remediation Plan:
>> Implement 3 tier architecture, separating the web presentation, business
>> logic and database layers onto separate servers and network zones.
>>
>> No penetration and vulnerability tests are conducted against the website
>> used for processing JPMC confidential data. Remediation Plan: Perform
>> penetration tests for the website and remediate any issues found.
>>
>> ----------------------------------------------------------------------------
>>
>> For the first point, how would that work, or is it even possible with an
>> Active4D / 4D hosted website? I'm thinking this means hosting the website
>> with Apache (or similar) and proxying the requests as needed back to 4D.
>> I've glossed over those posts in the past, as I wasn't interested in
>> adding the complexity. If that's the route I need to go, I'll start doing
>> some more searching, but a high level, "this is how it would work" is what
>> I need now.
>>
>> For the second point, any recommendations for penetration testing? I'd
>> probably like to do something quick and dirty and cheap/free now, just to
>> see if there are any glaring issues, and then pay for a more robust test
>> later to satisfy the customer?
>>
>> Thanks,
>> Jason
>> _______________________________________________
>> Active4D-dev mailing list
>> [email protected]
>> http://list.aparajitaworld.com/listinfo/active4d-dev
>> Archives: http://active4d-nabble.aparajitaworld.com/
>
> --
>
> m|a
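As an added example (not code from the thread, from Active4D or from 4D), here is what Brad's recommendation looks like as an Apache 2.4 virtual host: Apache serves the public site and reverse-proxies to Active4D on 127.0.0.1:8080, so the only client that ever talks to the 4D web server is Apache on the same machine. The hostname, the backend port and the assumption that 4D's listener is reachable only on the loopback address (either because it is bound there or because a host firewall drops outside traffic to 8080) are assumptions, not something the thread confirms.

```apache
# Added example: Apache 2.4 reverse proxy in front of Active4D.
# Assumes mod_proxy and mod_proxy_http are loaded, and that the 4D web
# server on port 8080 is only reachable from this host (assumption).
<VirtualHost *:80>
    # Placeholder hostname taken from the thread.
    ServerName mysite.com

    # Never act as an open forward proxy; reverse-proxy only.
    ProxyRequests Off
    # Pass the original Host header through so Active4D builds correct URLs.
    ProxyPreserveHost On

    # Send the Active4D pages to the loopback backend; rewrite any
    # redirects the backend emits so they point at Apache, not :8080.
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"

    # Keep the backend from being reached through any other vhost path.
    <Proxy "http://127.0.0.1:8080/*">
        Require all granted
    </Proxy>
</VirtualHost>
```

If the 4D web server cannot be bound to the loopback address, the same effect comes from a host firewall rule that drops non-loopback traffic to the backend port (on Linux, for example, `iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP`). The check that matters for the auditor is then trivial: from a machine outside the server, a request to http://mysite.com:8080/ must be refused while the same page served through Apache on port 80 works.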
