On Thu, Nov 22, 2018 at 02:21:41PM -0800, Misc User wrote:
> I'd look for software that has bug bounties.  I'd also look at the CVEs for
> each product and compare with the patch history.  The delay between a flaw
> being reported versus patched is going to be a much better indicator than

Yes, that would be very true. Too slow could mean it's not being taken
seriously enough. Which could mean the same for known, but unreported
flaws. Good advice.

> rate of patches.  I'd also consider the seriousness of the flaw being
> patched as well, like if it is due to a widespread issue (EG, Meltdown,
> Heartbleed, etc) or if it is due to some basic programming error (Apple's
> "enter a blank password for root enough times and you'll get root" or
> Microsoft's "patching Windows 10 will obliterate your install because of a
> typo in the patch code that is supposed to leave c:\users\ alone").
> 

Yes, Windows 10 got wiped out the first try after seeing three of their
6-month updates needing to try about 8 times, eating up days of
time I wanted to use.

> Also, look for something that could support external authentication,
> especially something industry standard like LDAP, so you can use the
> authentication database all your services can use while not relying on
> whoever wrote the individual bits of software to have written something that
> doesn't suck.

Yeah, good plan.
I've written a fair amount of software that worked, but sucked.

> Also look for something that will allow the admin pages to be
> hosted on a different url from the user accessible stuff.
> 
> If you are handling payment or financial information, outsource it to
> something like paypal or another well-known payment processor.  While they
> aren't very secure, they are insured, so if they fuck something up, you
> aren't holding the bag and are very unlikely to be blamed for it by your
> users.
> 

Yes, I have used PayPal for my business. Not very active now, but I
really liked not being directly in the middle. "You are now being
directed to PayPal, we do not ever have any of your credit card info."
was very nice to say.
Yes, they do fuck things up. Got me once when they just decided to
change the phone number formatting without announcing it.

> As for number of servers, more than one is going to be the better way. If
> something has a port accessible by any old rando, you shouldn't be storing
> anything secure on it.  Especially if the server also stores something the
> user can craft (EG, photos from the forum, arbitrary text, etc).
> 

Dealing with that has had me really concerned. People really want to
upload all kinds of stuff. That's a good idea.

> As for ISPs, just assume they are all total shit (Most of them are anyway)
> and treat them like you would an open wireless network.  Don't use their DNS
> and encrypt everything you can.  Use static IPs if you can.  Don't allow
> passwords for ssh on anything public facing.  Only allow admin pages to be
> accessible from a private network (So that you'd need to use an ssh tunnel
> to get to it remotely).

Alright. Thanks.
This is helpful. Someone suggested off-list that I make up a flow chart
to plan out each step that needs to be taken. I'm getting good advice
now to help me start that. It's tough to pull this off.
But then, when is easy ever any real fun! :-}

Chris Bennett
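The "don't allow passwords for ssh on anything public facing" advice quoted above can be checked rather than trusted. The script below is an added example, not code from either poster: it reads an sshd_config, takes the first occurrence of each keyword (which is what sshd itself honours), and fails if password or keyboard-interactive logins are still possible. It assumes OpenSSH defaults for unset keywords and does not evaluate Match blocks; the two sample configs it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Print the effective value of an sshd keyword: first match wins, as in sshd.
# $1 = config file, $2 = keyword (or regex alternation), $3 = sshd default.
effective_sshd_value() {
    val=$(grep -iE "^[[:space:]]*($2)[[:space:]]+" "$1" | head -n 1 \
          | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 only when the config leaves key-based authentication as the sole
# interactive login path. Assumed defaults match stock OpenSSH.
audit_sshd_config() {
    cfg="$1"; rc=0
    pa=$(effective_sshd_value "$cfg" PasswordAuthentication yes)
    # Older configs spell the keyword ChallengeResponseAuthentication.
    kbd=$(effective_sshd_value "$cfg" \
          'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)
    root=$(effective_sshd_value "$cfg" PermitRootLogin prohibit-password)
    pub=$(effective_sshd_value "$cfg" PubkeyAuthentication yes)
    [ "$pa" = no ]  || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
    [ "$kbd" = no ] || { echo "FAIL KbdInteractiveAuthentication=$kbd (want no)"; rc=1; }
    case "$root" in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    [ "$pub" = yes ] || { echo "FAIL PubkeyAuthentication=$pub (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $cfg: key-only authentication"
    return "$rc"
}

# Constructed sample configs (not real hosts): a weak, near-default file
# and a hardened one. Sets WEAK and HARD to the temp file paths.
write_sample_configs() {
    WEAK=$(mktemp); HARD=$(mktemp)
    cat > "$WEAK" <<'EOF'
# near-default: passwords still accepted, root may log in with one
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat > "$HARD" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
EOF
}

write_sample_configs
audit_sshd_config "$WEAK" || :   # prints the FAIL lines
audit_sshd_config "$HARD"        # prints OK
rm -f "$WEAK" "$HARD"
```

Run it against /etc/ssh/sshd_config (or the output of `sshd -T`, which already resolves defaults) on any host that faces the internet.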

