Hi Jason,

My guess is that you can run the webserver from a 4D client and you can claim a 3 tier architecture (4D Server / 4D Client webserver / browser).

The harder part is making sure your JavaScript has no business logic. The browser should only be doing presentation input/output. Any business calculations should be sent via AJAX request back to Active4D, processed, and returned back to the browser for presentation. You should do this even if all of your calculation inputs are at the browser already, so the business logic can't be seen directly by the browser.

Tom D

On Feb 25, 2014, at 4:20 PM, Jason Hect <[email protected]> wrote:

> Last year we had a large customer (a bank) perform a security audit. They
> have come back with their list of recommendations. Most deal with
> documenting our processes, which is fine, several have to do with separation
> of duties, which will be awkward at best (I'm the only developer), and then
> there are these two points that deal directly with our website. On the
> website, the bank's customers can request supplies, and we collect their
> shipping address and account number used for payment.
>
> ----------------------------------------------------------------------------
>
> The website is hosted on server side and is not designed with a 3 tier
> architecture, separating the web presentation, business logic and database
> layers onto separate servers and network zones. Remediation Plan: Implement 3
> tier architecture, separating the web presentation, business logic and
> database layers onto separate servers and network zones.
>
> No penetration and vulnerability tests are conducted against the website
> used for processing JPMC confidential data. Remediation Plan: Perform
> penetration tests for the website and remediate any issues found.
>
> ----------------------------------------------------------------------------
>
> For the first point, how would that work, or is it even possible with an
> Active4D / 4D hosted website? I'm thinking this means hosting the website
> with Apache (or similar) and proxying the requests as needed back to 4D.
> I've glossed over those posts in the past, as I wasn't interested in adding
> the complexity. If that's the route I need to go, I'll start doing some more
> searching, but a high level, "this is how it would work" is what I need now.
>
> For the second point, any recommendations for penetration testing? I'd
> probably like to do something quick and dirty and cheap/free now, just to see
> if there are any glaring issues, and then pay for a more robust test later to
> satisfy the customer?
>
> Thanks,
> Jason
>
> _______________________________________________
> Active4D-dev mailing list
> [email protected]
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/
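The split Tom describes, as an added example that is not part of the thread and not Active4D code: the browser-side function only packages raw inputs, and a server-side handler (standing in for the Active4D request handler) validates them and recomputes the order total, ignoring any total the client might send. The catalogue, prices, account-number format and field names are constructed for the example.

```javascript
// Constructed sample catalogue: price per unit in cents (integers avoid float drift).
// On a real deployment this lookup lives server-side only, never in the page.
const CATALOGUE_CENTS = { "DEP-SLIP": 12, "ENVELOPE": 5 };

// Browser side: collect inputs and ship them. No prices, totals or discount
// rules here, so nothing about the pricing logic is visible to the client.
function buildOrderRequest(accountNumber, shippingAddress, items) {
  return JSON.stringify({
    accountNumber,
    shippingAddress,
    items: items.map(i => ({ sku: i.sku, qty: i.qty })),
  });
}

// Server side (hypothetical handler): validate every field, recompute the
// total from the catalogue, and return only what the page needs to display.
function processOrder(body) {
  let req;
  try { req = JSON.parse(body); } catch (e) { return { ok: false, error: "malformed body" }; }

  // Account number format is a constructed assumption: 6 to 12 digits.
  if (typeof req.accountNumber !== "string" || !/^\d{6,12}$/.test(req.accountNumber)) {
    return { ok: false, error: "invalid account number" };
  }
  if (typeof req.shippingAddress !== "string" || req.shippingAddress.trim() === "") {
    return { ok: false, error: "missing shipping address" };
  }
  if (!Array.isArray(req.items) || req.items.length === 0) {
    return { ok: false, error: "no items" };
  }

  let totalCents = 0;
  for (const item of req.items) {
    const unit = CATALOGUE_CENTS[item.sku];
    if (unit === undefined) return { ok: false, error: "unknown sku: " + String(item.sku) };
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 10000) {
      return { ok: false, error: "invalid quantity for " + item.sku };
    }
    totalCents += unit * item.qty;
  }

  // Any client-supplied "total", "discount" or similar field is simply never
  // read; the server's own computation is the only one that counts.
  return { ok: true, totalCents };
}
```

The second assertion in the test below shows the point of the design: a request that carries its own `total` field still gets the server-computed amount.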
