Securing our website

Let's start at the beginning. A few years ago, we developed an application that was web based. It assisted corporate customers in managing their purchasing needs. The application has security built into it in the form of a user ID and password. Very early in the deployment we discovered that if a user logged into the system, browsed to a document (PDF) or a data page, they could copy and paste the URL into another browser and see the document or data without having to log back in. So, we purchased an application that protects each secure resource and validates that the user has a login cookie in the browser before passing the request to our application. If the user tried to copy and paste the URL into a browser without the secure cookie, it prompts the user for credentials before displaying the information. Very similar process for most web sites. For instance, if I log into my checking account, view my transactions page and then try to cut and paste the transaction page URL into another browser, my bank login page appears, not my transaction page.

So now, to the problem: the product we currently use is very expensive, and for very large customers it becomes cost prohibitive. The data we are securing is not national security stuff: no credit card numbers, no Social Security numbers, no personal information, just data about what that company buys and what it pays for the products. It certainly is confidential, but doesn't need this level of security. So how can I prevent the security problem above without costing an arm and a leg?
sfletcher1959VP asked:
zstapic commented:
Well, if a user can simply access secure data by entering a URL, that's a really big programming flaw. Recently I've been programming a web application that restricts access. It's rather simple. If you use, say, PHP, you can use SESSIONS. When a user logs into your web page you write a session in the cookie.
If you're a programmer, I suggest you implement this. So in your code there is a simple if, like this:
if (isset($_SESSION["user"]))
In the variable user, you can write the hash code of his password, and some secret key so it's hard to guess the content of your cookie.
So if you paste the code, and this if clause is not met, bye bye unauthorized user :)

TurboBorland commented:
If you are using Apache, use .htaccess protection.  You can either secure a directory (if you want to place all of your documents that you want secured into one or several directories) or you could simply secure particular extensions (like .pdf) and allow different usernames/passwords by creating a .htpasswd file.
http://www.ssi-developer.net/htaccess/htaccess_protection_file.shtml
Make sure to also deny access to this .htpasswd file and place it outside of your website's root directory.
Kelvin_King commented:
I agree with zstapic.

What you have just described is a complete lapse in proper coding standards, as well as in testing by your company's developers and testing team.

The fact that it was approved to go online with such issues already shows there's something wrong with your software development life cycle.

I believe this is an issue with your development life cycle, and the problem should not be fixed by purchasing another product to cover it up.

To fix the problem I have a few suggestions:

1. Build staff competencies

Send your developers for some training in developing web applications (most courses nowadays have a few dedicated modules on security). Better still, if you can, send them for courses on developing "SECURE" web applications.

Also, send them for courses on security and the software development life cycle.

Hire project managers that are aware of the secure development life cycle.

Some references:
http://msdn.microsoft.com/en-us/library/ms995349.aspx
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1174897,00.html

2. Building up the competencies of your developers takes time. So, you'll need tools that are able to test your application and verify its correctness. Tools such as static code analyzers come to mind; there are many good ones out there. I recommend (and have personally used):

www.parasoft.com
www.fortify.com

They have automated code analysis and unit testing which actually tests your applications as if you were running them. The drawback is they do *almost* cost an arm and a leg.

But, you'll need to invest *some* money into IT security. Expertise does not just fall from the sky and onto your lap.

Hope that helps
Kelvin
jahboite commented:
Agreed.  The use of sessions is what you need (and indeed what should have been in place from the start).  There's a good rundown of some of the methods of session management at http://www.technicalinfo.net/papers/WebBasedSessionManagement.html.

Of course, you'll need to learn how to implement sessions in the language used by your application.  There's also good information at OWASP http://www.owasp.org/index.php/Session_Management
TurboBorland commented:
Just make sure to read that OWASP link and not just implement the isset($_SESSION["user"]) check mentioned above as a base/starting example. Session hijacking is actually a fairly common practice among attackers, especially when someone can eavesdrop on your network connection in some way.
Some think that implementing secure protocols for your web traffic (i.e. SSL/TLS, SFTP, etc.) would protect you against that. However, now you're talking about securing that traffic and hoping you didn't implement it wrong, in ways where I could force normal traffic over your non-secured protocol through MitM techniques.
We also need the session to regenerate on login.  Otherwise I might be able to send you a link or force a query that actually sets my own made-up session when you login.
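The session check zstapic describes and the regenerate-on-login rule TurboBorland adds, worked through in PHP as an added example. This is not the asker's application and not code from any commenter. Assumptions that are mine: a hypothetical user table $USERS holding password_hash() output, PDFs stored under /var/app/private outside the web root, and two hypothetical entry points, login.php and doc.php, handled by the same file. The cookie carries only the session id; the username lives server-side in $_SESSION, so there is nothing secret in the browser to copy or guess, and the id is regenerated when the user authenticates so an id planted before login (session fixation) is never promoted to an authenticated one.

```php
<?php
// Added example (not the original application's code). Assumed layout:
//   /var/app/private/*.pdf   protected documents, outside the web root
//   login.php (POST user, pass) and doc.php?f=<name> both route here
declare(strict_types=1);

// 1. Harden the session cookie before the session starts. The id is the
//    only secret in the browser, so keep it off JavaScript and off plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable via document.cookie
    'samesite' => 'Lax',
]);
session_start();

// Constructed user table for the example; a real app reads hashes from a DB.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// 2. Login: verify the password, then regenerate the session id so an id
//    an attacker fixed before login is not carried into the logged-in session.
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // new id; old id deleted server-side
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

// 3. The check every protected page runs first. A URL pasted into another
//    browser arrives with no session cookie and is bounced to the login page.
function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        $_SESSION['after_login'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php', true, 302);
        exit;
    }
    return $_SESSION['user'];
}

// 4. Stream a PDF from outside the document root, only after the check.
//    basename() strips any ../ so the name cannot escape the private dir.
function sendDocument(string $name): void
{
    requireLogin();
    $path = '/var/app/private/' . basename($name);
    if ($name === '' || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Cache-Control: private, no-store');   // keep it out of shared caches
    readfile($path);
    exit;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Minimal routing for the two hypothetical entry points.
$script = basename($_SERVER['SCRIPT_NAME'] ?? '');
if ($script === 'login.php' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login($USERS, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
    if ($ok) {
        $next = $_SESSION['after_login'] ?? '/';   // server-set path, same origin
        unset($_SESSION['after_login']);
        header('Location: ' . $next, true, 303);
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
    exit;
}
if ($script === 'doc.php') {
    sendDocument((string)($_GET['f'] ?? ''));
}
```

Two points carry the weight here: every protected resource, the PDF bytes included, goes through requireLogin() before anything is sent, and the documents are served by PHP from a directory the web server does not expose, so there is no direct URL to paste. With 'secure' => true the cookie is never sent over plain HTTP, so a login over http:// during local testing will appear to fail; that is the intended behaviour, not a bug.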