dovidf

How do I insure security on a website with customer and employee access?

I plan to develop an investment company website which will accept applications from customers online and which will allow the customers to review their account information. The customers will need to login to reach their accounts.

Customer information will be accessible to employees of the company and needs to be secure also.

The front end of the website will be based on php and the database will be a MySql database.

Besides SSL and a secure password for users, what else should be done to insure security for the site?

8/22/2022 - Mon
Jerry Miller

Here is a nice article that I found.

http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

Read up on the OWASP top 10 as well:

https://www.owasp.org/index.php/Top_10_2013-Main

Learn as much as you can about web security. If you are going down this path as an independent designer, you are opening yourself up for lawsuits, jail time, fines, or all three. It is wise to consult an attorney that specializes in this type of law as well, to make sure that you understand as much as possible about the security side before you take on this project.
Dave Baldwin

Since you will be dealing with financial information, something similar to PCI DSS is what you should be looking at: https://www.pcisecuritystandards.org/security_standards/ These are the standards that all sites that process credit card info are expected to meet. It also applies to securing data in an office environment.
The_Sassoon

First off, I think you meant "ensure", not "insure".

I think you need to think about your data. Do you want clients to have access to all data, or just theirs? You will need to figure out a way to segment users from other users' data, while allowing access for employees to all data.

Also, I think you need to think about encrypting your data from unauthorized access.

I'm sure there are many other things to think about.
dovidf

ASKER
jmiller1979,

Your articles are interesting but I am looking for practical advice rather than an academic study.

DaveBaldwin,

Is there a shorter compilation of the basic rules?

The_Sassoon,

Ensure is better but insure is correct according to many.

I know the basic aims but I am looking for suggestions as to efficient achievement of the goals such as physical or password separation between the application server and the database server.
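As an added illustration (this is not code from the thread or from any of the posters), here is one way to implement in PHP what The_Sassoon describes, segmenting each customer's data from every other customer's while letting employees read all of it, together with the application/database separation the asker raises: the web tier connects to a database on a separate host using a dedicated, least-privileged MySQL account, and every query is a prepared statement. The table names (`accounts`, `access_log`), column names, hostnames, account names and environment variable names are assumptions made for the example; the question gives no schema.

```php
<?php
// Added example: role-based, row-level access to account data with PDO.
// Schema, hostnames and account names below are assumptions for illustration.
declare(strict_types=1);

// The database lives on its own host; the application connects with a MySQL
// account that is granted only the privileges it needs, for example
//   GRANT SELECT, INSERT, UPDATE ON investco.* TO 'webapp'@'app.internal.example';
// Credentials come from the environment, not from a file under the web root.
function connect(): PDO
{
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        getenv('DB_HOST') ?: 'db.internal.example',   // assumed database host
        getenv('DB_NAME') ?: 'investco'               // assumed database name
    );
    return new PDO($dsn, getenv('DB_USER') ?: 'webapp', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Load one account, but only if the logged-in principal is allowed to see it.
// Customers get rows where accounts.customer_id equals their own user id;
// employees may read any account. The role and user id come from the session
// established at login, never from request parameters.
function fetchAccount(PDO $db, array $session, int $accountId): ?array
{
    $role = $session['role'] ?? null;

    if ($role === 'employee') {
        $stmt = $db->prepare('SELECT id, customer_id, balance FROM accounts WHERE id = :id');
        $stmt->execute([':id' => $accountId]);
    } elseif ($role === 'customer') {
        // The ownership test is part of the query, so a customer who guesses
        // another account id simply gets no row back.
        $stmt = $db->prepare(
            'SELECT id, customer_id, balance FROM accounts
              WHERE id = :id AND customer_id = :owner'
        );
        $stmt->execute([':id' => $accountId, ':owner' => (int) $session['user_id']]);
    } else {
        return null; // missing or unknown role: deny by default
    }

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Employee reads of customer data are recorded so that access can be reviewed.
function auditRead(PDO $db, array $session, int $accountId): void
{
    if (($session['role'] ?? null) !== 'employee') {
        return;
    }
    $stmt = $db->prepare(
        'INSERT INTO access_log (employee_id, account_id, accessed_at) VALUES (:e, :a, NOW())'
    );
    $stmt->execute([':e' => (int) $session['user_id'], ':a' => $accountId]);
}

// Usage inside a request handler, after login has populated $_SESSION:
//   session_start();
//   $db = connect();
//   $id = filter_input(INPUT_GET, 'account', FILTER_VALIDATE_INT);
//   $account = $id ? fetchAccount($db, $_SESSION, $id) : null;
//   if ($account === null) { http_response_code(404); exit; }
//   auditRead($db, $_SESSION, $id);
```

The point of putting the `customer_id = :owner` condition inside the query, rather than fetching the row and comparing afterwards, is that there is no code path on which another customer's data is ever loaded into the application; the employee branch is the only one that can read across customers, and it leaves an audit trail.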
ASKER CERTIFIED SOLUTION
Dave Baldwin

Jerry Miller

Practical advice:
Learn as much as you can about web security. If you are going down this path as an independent designer, you are opening yourself up for lawsuits, jail time, fines, or all three. It is wise to consult an attorney that specializes in this type of law as well, to make sure that you understand as much as possible about the security side before you take on this project.

The links were simply to aid you in learning about the process and maybe help keep you out court / jail at some future date.
dovidf

ASKER