Personally, I do not believe that you will ever have completely secure
data; however, one way you could do it is as follows:

1) Use Linux [0]
2) Purchase a copy of "Hardening Linux" and "Hardening Apache" [1]
3) Use LUKS or similar to encrypt the hard-disk of the server so that
even if the physical disk is stolen, the data is useless
4) Install everything you can _from source by yourself_ and _after_ you
have verified that it came from the person that it says it has (the
above books tell you how to do this!)
5) Make sure that all of your data is carried over SSL, from login to
data retrieval.
6) If you need to have the system run over more than one server, run the
connections between the Apache/PHP (front-end) and the MySQL (backend)
servers over an ssh tunnel or VPN [2]
7) Make sure that you have documented what you have done and put an
escape clause in the contract saying that you cannot guarantee the
security, owing to the potential ingenuity of computer crackers [3],
but that you are 99% certain that the system is secure. [4]
8) If all else fails, speak to the bunker (http://www.thebunker.net) and
see if one of their managed hosting options fits your budget!

Hope this helps,

Matt

[0] Seriously, use it. I don't care what people say; there is a reason
why more and more multinational organisations are switching to Linux.
There are at least two multinational mobile phone companies here in the
UK that run their entire billing platform, including customers' bank
details, on Linux, and they don't do it for a laugh.
[1] These books are brilliant; they are available from Amazon and all
good book stores!
[2] There are numerous tutorials on how to do this on the internet,
ssh-tunnels are far easier than VPNs IMHO.
[3] I mean Crackers - hackers are people who tinker with computers and
make them do things that they probably shouldn't, crackers are malicious
and will be after personal data to commit ID fraud
[4] If they know anything about security, especially computer security,
they will acknowledge that this statement means you know what you are
talking about.  Out of a choice between someone who guarantees me 100%
security and another who says "every so often, it may well f**k up",
I'll take the second every time and appreciate their honesty.  The other
is just a liar.

M

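For step 5 above, and Cheryl's point that every page touching the data must be forced through SSL, here is an added Apache 2 configuration example; it is not from any message in this thread, and the hostname, document root and certificate paths are placeholders.

```apache
# Added example (not from the thread): a vhost pair that forces every
# request onto HTTPS. Hostname, DocumentRoot and cert paths are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    # Never serve the application over plain HTTP: send everything to HTTPS.
    # Requires mod_alias.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Tell browsers to use HTTPS for this host from now on (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
    # mod_php: mark the PHP session cookie Secure and HttpOnly so the login
    # session is never sent over plain HTTP or exposed to page scripts.
    php_value session.cookie_secure 1
    php_value session.cookie_httponly 1
</VirtualHost>
```

Check the result from outside with `curl -I http://www.example.com/` (expect a 301 to the https:// URL) rather than trusting that the application only emits HTTPS links.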

On Mon, 2008-01-14 at 11:43 -0600, Cheryl D Wise wrote:
> SSL is the first bit as long as you make sure that every page that could
> possibly access the info is forced through the SSL But encrypting the
> database is out of my area. I had someone else do it on the HPPA (Healthcare
> Patient Privacy Act) when I did one.
> 
> Cheryl D Wise
> MS MVP Expression - Author: Foundations of Microsoft Expression Web
> Win the full Expression Studio - see contest rules
> http://forum.by-expression.com/forums/ShowThread.aspx?PostID=1070#1070 
>  
> Last chance to register for January 12th Expression Web and CSS classes:
> http://starttoweb.com  
> 
> -----Original Message-----
> From: Ross Clutterbuck [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 14, 2008 11:30 AM
> To: wdvltalk@lists.wdvl.com
> Subject: RE: [wdvltalk] Securing web traffic
> 
> This is what I thought Cheryl, but the main thing I'm after really is
> pointers on how to do it. Is it just a case of programming my PHP +
> MySQL app as normal but providing HTTPS addresses to my domain and
> having an SSL certificate? Is it more complex than that?
> 
> 
> ____ • The WDVL Discussion List from WDVL.COM • ____
> To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] or
> use the web interface http://e-newsletters.internet.com/discussionlists.html/
>        Send Your Posts To: wdvltalk@lists.wdvl.com
> To change subscription settings, add a password or view the web interface:
> http://intm-dl.sparklist.com/read/?forum=wdvltalk
> 
> ________________  http://www.wdvl.com  _______________________
> 
> You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
> To unsubscribe send a blank email to [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
> 
> Please include the email address which you have been contacted with.
