> All market makers that handle big volumes of gold have to SERIOUSLY
> think about security.
Thanks for the interesting info JP! For us self-taught coders that might
have educational gaps, do you have a link or protocol for security?
Anyone else? I will maintain a protocol if people are interested.
Comments on my simple one are most welcome:
PREVENTION
+ good hosting company
  - keep paper copies of their contact info
  - encrypt communication (ftp, http, email)
+ login
  - security image
  - lockout for x hours if over x tries
  - change admin logins each month
  - passwords saved as md5 hashes
+ sessions
  - timeout after x mins
  - new session for each page
+ log
  - when user changes contact info (for life of user)
  - session info (for a month)
  - log http requests (for a month)
  - check all form submissions
+ transactions
  - different database user and password
  - no password stored on site
+ backups
  - daily, saved for a month
  - weekly, saved for a year
  - monthly
+ avoid
  - javascript
  - cookies
  - ms
  - new stuff
  - late night changes :)
DAMAGE CONTROL
- cut access until we know what is going on
- contact hosting company
- make a backup
- inform clients if necessary
- figure out what is going on
- learn and proactively fix
- bring site back up
- inform clients if necessary
I could not find anything comprehensive and good on web application
security.
For unix security I found this:
http://staff.washington.edu/dittrich/misc/security-checklist.html
Intruder detection checklist:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
List of unix security tools:
http://www.cert.org/tech_tips/security_tools.html
WWW security FAQ:
http://www.cert.org/tech_tips/security_tools.html
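As an added illustration (not code from the post or from e-gold), here is one way to implement the checklist items "lockout for x hours if over x tries" and "log ... session info": a small login guard that counts recent failures per user, locks the account for a configurable number of hours once the threshold is exceeded, and writes the lockout event to an audit log. Class and method names, the thresholds and the in-memory store are assumptions for illustration.

```python
# Added example, not from the original post: failed-login lockout with audit logging.
# Thresholds, names and the in-memory dicts are assumptions; a real site would
# persist them and send audit_log entries to the site's log store.
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LoginGuard:
    max_tries: int = 5            # "x tries": the attempt beyond this locks the account
    lockout_hours: float = 1.0    # "x hours"
    window_seconds: int = 900     # failures older than this no longer count
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)   # stand-in for the real log sink

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        """True while the user's lockout has not yet expired."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        self._locked_until.pop(user, None)   # lockout expired, forget it
        return False

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record one failed login; returns True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) > self.max_tries:
            self._locked_until[user] = now + self.lockout_hours * 3600
            self._failures[user] = []
            self.audit_log.append(f"{now:.0f} LOCKOUT user={user} tries={len(recent)}")
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(user, None)
```

Failures older than the window are dropped before counting, so a handful of mistyped passwords spread over a day does not lock a legitimate user out.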
---
You are currently subscribed to e-gold-list as: [email protected]