dovidf

asked on

How do I insure security on a website with customer and employee access?

I plan to develop an investment company website which will accept applications from customers online and which will allow the customers to review their account information. The customers will need to login to reach their accounts.

Customer information will be accessible to employees of the company and needs to be secure also.

The front end of the website will be based on php and the database will be a MySql database.

Besides SSL and a secure password for users, what else should be done to insure security for the site?
Jerry Miller

Here is a nice article that I found.

http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

Read up on the OWASP top 10 as well:

https://www.owasp.org/index.php/Top_10_2013-Main

Learn as much as you can about web security. If you are going down this path as an independent designer, you are opening yourself up to lawsuits, jail time, fines, or all three. It is wise to consult an attorney that specializes in this type of law as well, to make sure that you understand as much as possible about the security side before you take on this project.
Dave Baldwin

Since you will be dealing with financial information, something similar to PCI DSS is what you should be looking at: https://www.pcisecuritystandards.org/security_standards/ These are the standards that all sites that process credit card info are expected to meet. It also applies to securing data in an office environment.
The_Sassoon

First off, I think you meant "ensure", not "insure".

I think you need to think about your data. Do you want clients to have access to all data, or just theirs? You will need to figure out a way to segment users from other users' data, while allowing access for employees to all data.

Also, I think you need to think about encrypting your data against unauthorized access.

I'm sure there are many other things to think about.
dovidf (ASKER)

jmiller1979,

Your articles are interesting but I am looking for practical advice rather than an academic study.

DaveBaldwin,

Is there a shorter compilation of the basic rules?

The_Sassoon,

Ensure is better but insure is correct according to many.

I know the basic aims but I am looking for suggestions as to efficient achievement of the goals such as physical or password separation between the application server and the database server.
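As an added example (not code from this thread or from any of its participants), here is how the data segmentation The_Sassoon describes, together with the separation between the application and the database that the asker mentions, could look in PHP with PDO against MySQL. The table layout, the DSN, the `app_user` account and the session layout are all assumptions.

```php
<?php
// Added example: per-customer data scoping plus a least-privilege DB account.
// Assumed schema: accounts(id, customer_id, balance); the session array holds
// ['user_id' => int, 'role' => 'customer'|'employee'] set at login.
// The DB account is created once by the DBA, never by the app (assumed names):
//   CREATE USER 'app_user'@'app.internal' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE ON invest.* TO 'app_user'@'app.internal';
// So a bug in the web tier cannot drop tables, read files, or touch other databases.

declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN: the MySQL server is a separate host reachable only from the app host.
    return new PDO(
        'mysql:host=db.internal;dbname=invest;charset=utf8mb4',
        'app_user',
        getenv('APP_DB_PASSWORD') ?: '',      // secret comes from the environment, not the code
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

/**
 * Fetch one account row for the current user, or null if it is not visible to them.
 * The ownership filter is part of the SQL itself, so a customer who guesses another
 * account id simply gets no row back; nothing is filtered after the fact in PHP.
 */
function loadAccount(PDO $db, array $session, int $accountId): ?array
{
    if ($session['role'] === 'employee') {
        // Employees may read any account; every lookup is still logged for audit.
        $stmt = $db->prepare('SELECT id, customer_id, balance FROM accounts WHERE id = ?');
        $stmt->execute([$accountId]);
    } elseif ($session['role'] === 'customer') {
        // Customers are scoped to rows they own by the WHERE clause.
        $stmt = $db->prepare(
            'SELECT id, customer_id, balance FROM accounts WHERE id = ? AND customer_id = ?'
        );
        $stmt->execute([$accountId, $session['user_id']]);
    } else {
        return null; // unknown or missing role: deny by default
    }

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    error_log(sprintf('account-access user=%d role=%s account=%d found=%d',
        $session['user_id'], $session['role'], $accountId, $row ? 1 : 0));
    return $row === false ? null : $row;
}
```

The same pattern applies to every query that returns customer data: the customer id from the session goes into the WHERE clause, never an id taken from the request.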
ASKER CERTIFIED SOLUTION
Dave Baldwin
Practical advice:
Learn as much as you can about web security. If you are going down this path as an independent designer, you are opening yourself up to lawsuits, jail time, fines, or all three. It is wise to consult an attorney that specializes in this type of law as well, to make sure that you understand as much as possible about the security side before you take on this project.

The links were simply to aid you in learning about the process and maybe help keep you out of court / jail at some future date.