
simple but secure website with database

Posted on 2014-02-07
Last Modified: 2014-02-17
Hi,

I (a data warehouse architect with no web programming experience) volunteer for an organization (with no budget) and need to create a website that will allow users to specify filter criteria, execute a query on a database based on the filter criteria, and allow the user to export the result into a spreadsheet. Since the data is sensitive, the security must be as good as possible.

I have been researching free Microsoft products, etc. It does not need to be pretty. I want to select the software to be used so that I know its capabilities before starting the design. I would appreciate any ideas.

Thanks,
Greg
Question by: Greg_Beam
 
LVL 52

Expert Comment

by: Scott Fell, EE MVE
Without programming experience, you might want to look into something like quickbase.intuit.com

Author Comment

by: Greg_Beam
It looks like the cheapest plan is $300 per month.

LVL 58

Assisted Solution

by: Gary (earned 100 total points)
Without any programming knowledge you would need to hire a programmer.
There are things like this
http://www.sqlmaestro.com/products/mysql/phpgenerator/

...but you haven't said what your database or server is...?

But for free it's a big nada.

LVL 14

Assisted Solution

by: Giovanni Heward (earned 100 total points)
If the data is truly sensitive, you may want to look into placing a web application firewall (WAF) in front of the web server, separating your database server from the web server, and placing a database application monitor (DAM) between the two.  A reverse proxy could be placed in front of the WAF, to cache frequent requests, and a VPN could be placed in front of the reverse proxy.

There are free products for all of these, see OpenVPN, ModSecurity (WAF), Squid (Proxy), etc.

Not being a programmer poses some learning curve issues, but looking into libraries such as DHTMLX, Kendo UI, etc. could save substantial time.  DHTMLX has a free online designer here.  Regarding server-side code, PHP is arguably easier to learn than others, and you can find website templates around the net easy enough.

In the end it's a lot to tackle if all these terms are new to you.  Perhaps suggesting to the organization that they seek interns at local tech colleges in exchange for credits and job experience would be an approach worth considering.

Windows Azure may be an affordable solution.

LVL 30

Assisted Solution

by: Marco Gasi (earned 100 total points)
Greg, I think you have chosen a 'mission impossible' :) In other words, you say: 'Hi, I don't know anything about programming but I need to build a secure database-driven web application... Oh, my budget is $0.00'

You probably heard about magic programs which let you do websites without programming knowledge, but this simply is not true. You can create a web page without programming knowledge, not a whole database-driven application. In addition, a must for your web app should be security, and security is the most difficult task even for the most experienced programmers.

I don't want to be discouraging, but getting security without knowing what you're doing is impossible. Yes, you can follow x66_x72_x65_x65's suggestions about firewall, VPN and so on, but don't think that will be quick and easy.
For the front-end, I would suggest taking a look at Joomla: its learning curve is good enough and it allows you to do many things which usually require a lot of effort.

I can only say: good luck, guy.

LVL 52

Expert Comment

by: Scott Fell, EE MVE
I was trying to give the quick and direct answer; I am glad the others have basically backed each other up.

x66_x72_x65_x65P has some great points and +1 for being positive, but I agree with Marco: he is making it sound much too easy, although saying all the right things.

Although I am taking an interest in WordPress this year, CMS sites like WordPress, Joomla and Drupal do take some knowledge because they rely on plug-ins, and the plug-ins that make things easy for the non-developer also make it extremely easy to be hacked.

For do-it-yourself sites, I prefer to send people to http://wix.com, http://www.squarespace.com/ or http://www.weebly.com, as they are all-in-one sites with mostly everything included, including hosting. But the problem is still a way to search, filter and export data securely.

If you are a non-profit, you can sign up for Google Apps for Business as a non-profit (www.google.com/enterprise/apps/business/) and get a free account. Start here: www.google.com/nonprofits/products. Apps for Business will allow you to create a website for free (not a great looking one though), and use upgraded allowances for docs and email, as well as hosting your business email "yourdomain.com", which is a great email solution and worth the price of admission on its own.

Even without Google Apps, you could place your data in a spreadsheet on Google Drive or even Microsoft SkyDrive. With Google Drive you can protect the data so only you, or people you add by their email account, can access it. You can also simply create a private URL from Google, but once that is out, anybody that intercepts it can get the data. If your team is small, you can make it a little easier to share by allowing only people in your domain to have access.

By creating the spreadsheet in the cloud, your data is going to be about as secure as it can get, or as you could do on your own even if you are a programmer. Once people get access to the spreadsheet (which you can make read-only), they can do their own filtering and export.

To me, security goes beyond just how secure your data is, but user access as well. When I create something like you are talking about, I typically create multi-level user accounts and keep logs of when people signed in. I have some clients where we limit the time of day they can log in and even which IP they can log in from. Those are by no means perfect, as the IP you are broadcasting can be spoofed. I also require access only via HTTPS. How you allow download and export could pose a risk. Even the way you allow people to log in.

The easier and less expensive it is for you to create, the easier it is for the bad guys. It is very common (and hard) for us to think like the bad guys, and therefore we tend to do things we think are secure and they are not.

Keep in mind, no matter how seasoned you are, things happen (Target, Neiman Marcus and many others you hear about in the news).

Perhaps you can give us more details of how big the data is, what types of data does it contain and what are people going to be filtering.  From that, we may think of other solutions.

LVL 14

Expert Comment

by: Giovanni Heward
BTW, if you'd like to learn more about security measures see http://www.experts-exchange.com/Web_Development/Miscellaneous/Q_28322298.html#a39729676

@Scott Fell (padas)
In my recommended topology, the reverse proxy redirects all HTTP (80/TCP) requests to HTTPS (443/TCP).  The proxy however, connects to the web server on the back end (via the WAF) over 80/TCP.  This allows every GET/POST/HEAD request to be inspected/dropped/modified by the WAF.

LVL 52

Expert Comment

by: Scott Fell, EE MVE
Giovanni, that is a great solution you provided. You should submit that as an article.

How can you translate that to, "....with no web programming experience...with no budget... "

LVL 14

Expert Comment

by: Giovanni Heward
It's a time vs. money trade off.  If no money then it will cost you time.  Time necessary to learn (to program), or time required to enroll others, barter, trade, leverage, to get creative (crowd fund, recruit interns, etc.)  :-)

Author Comment

by: Greg_Beam
Hi,

Thank you for your responses!  It is a nonprofit org.  I have an MS in CS, and have coded in C and C++, some .NET and VBA, so I have a little programming experience, just not for the web.

I hoped to learn something about web development in considering doing this project, but all your cautions (which I will pass on to the requestor) will make our plans much more realistic.  Also, the discussion about what security risk can be accepted, etc.
I will investigate all of the above options, including hiring someone else (my money), but I do want to learn how to do at least part of it.

Thanks,
Greg

LVL 52

Accepted Solution

by: Scott Fell, EE MVE (earned 200 total points)
It sounds like you are most of the way there. Look at Azure and see if it is familiar. http://www.windowsazure.com/en-us/documentation/articles/web-sites-dotnet-get-started/

If you use this as your web learning experience, it would be good to familiarize yourself with the front end: http://www.codecademy.com/learn. At least go through the modules for HTML and CSS, then the basics of JavaScript and jQuery. A handful of hours on that will save you some frustration later. It sounds like you already have the backend knowledge and it is just a matter of putting up an HTML facade.

Author Closing Comment

by: Greg_Beam
Hi,
The data does need to be secure and I see how difficult that would be based on the above.  It was mentioned that the most secure would be the cloud and Scott Fell suggested Windows Azure and where to find some training.  I have been researching Azure, and it appears MS would host our small site with maybe only 200 occasional users for free.  Also, they have many templates which I will check to find the closest one to what we need (other possible solutions have that too).  Personally, if the site were hacked, I would hope it would not be my fault since all I did is load ids and passwords to an AD.
Thank you again,
Greg

LVL 52

Expert Comment

by: Scott Fell, EE MVE
>Personally, if the site were hacked, I would hope it would not be my fault since all I did is load ids and passwords to an AD.

That is far from reality. An example of "not your fault" would be an issue from a vendor like the Plesk panel http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/. There was a security hole they patched up that had to do with PHP. However, as the webmaster, you have to keep on top of this stuff and be vigilant.

Another type of issue that would be your fault, but similar, is using something like WordPress and blindly installing plug-ins without some thorough research and keeping up with updates. The most common reason for WP hacks is the plug-ins.

Your own scripting could be cause for concern and you may not even know it.

People may have passwords with dictionary words or their pets' names. They may even think they are being sneaky by adding a number or special character to an otherwise easy password.

This is a good read on how some of this works. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Will using Azure be a lot safer than if you put a server in your home and hosted it by yourself? More than likely. Will it be safer than if you used a dedicated server on a traditional host where you have to set everything up on your own? Probably.

As the keeper of the data... it is on you to keep things safe.
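The asker's requirement (user-supplied filter criteria, a query built from them, and an export to a spreadsheet) is exactly the "your own scripting" risk Scott raises above. The following is an added example, not code from this thread or from any product mentioned in it; it uses an in-memory SQLite table, and the `members` table, its column names and the sample rows are constructed for illustration. It shows the string-concatenated query that lets a filter value rewrite the WHERE clause, the parameterized version with a column allowlist (identifiers cannot be bound as parameters, so they must be validated against a fixed set), and a CSV export that neutralizes spreadsheet formula injection, where a cell beginning with `=`, `+`, `-` or `@` is evaluated as a formula when the file is opened in Excel or LibreOffice.

```python
"""Filter -> parameterized query -> spreadsheet export, unsafe beside safe.

Added example, not code from the original thread. The `members` table,
its columns and the sample rows are constructed for illustration.
"""
import csv
import io
import sqlite3

COLUMNS = ("id", "first_name", "last_name", "city", "join_year")

# Only these columns may appear in a user-chosen filter. Identifiers
# cannot be bound as query parameters, so they are checked against a
# fixed set instead of being pasted into the SQL text.
FILTERABLE = {"first_name", "last_name", "city", "join_year"}

# Constructed sample rows. Row 3 carries a value that a spreadsheet would
# evaluate as a formula if it were exported verbatim.
SAMPLE_ROWS = [
    (1, "Ada", "Lovelace", "London", 1990),
    (2, "Alan", "Turing", "Manchester", 1985),
    (3, '=HYPERLINK("http://evil.example/","click")', "Smith", "London", 2001),
    (4, "Grace", "Hopper", "New York", 1978),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, city TEXT, join_year INTEGER)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_unsafe(conn, column, value):
    """The bug: both the column and the value are pasted into the SQL.
    A value such as  x' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT {', '.join(COLUMNS)} FROM members WHERE {column} = '{value}'"
    return conn.execute(sql).fetchall()


def query_safe(conn, column, value):
    """Column checked against the allowlist, value bound as a parameter,
    so the value can never change the structure of the statement."""
    if column not in FILTERABLE:
        raise ValueError(f"filter column not permitted: {column!r}")
    sql = f"SELECT {', '.join(COLUMNS)} FROM members WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


def neutralize_cell(cell):
    """Spreadsheet formula injection: Excel and LibreOffice treat a text
    cell starting with = + - @ (or a tab / carriage return) as a formula.
    A leading apostrophe forces the cell to be read as text. Numbers
    coming from the database are left untouched."""
    if isinstance(cell, str) and cell[:1] in ("=", "+", "-", "@", "\t", "\r"):
        return "'" + cell
    return cell


def export_csv(rows):
    """Rows -> CSV text suitable for opening in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe rows returned:", len(query_unsafe(db, "city", payload)))  # 4
    print("safe rows returned:  ", len(query_safe(db, "city", payload)))    # 0
    print(export_csv(query_safe(db, "city", "London")))
```

The same shape carries over to any database driver: the driver's placeholder (`?` here, `%s` or `@p1` elsewhere) binds values only, so column and table names chosen by the user still need an allowlist, and the export step needs the same care as the query step because the spreadsheet is where the data is finally opened.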
 

Author Comment

by: Greg_Beam
Noted.

LVL 14

Expert Comment

by: Giovanni Heward
Azure was first mentioned in ID: 39843665

Author Comment

by: Greg_Beam
Yes, I see that now. I was so intimidated by the complexity of the security issue, your mention of Azure did not register, even the second time when I went through the responses to assign points. I am sorry I didn't notice it. For someone new to this, I took your (and others') description of the complexity of the security issue to heart.

LVL 14

Expert Comment

by: Giovanni Heward
No problem.  If you haven't already seen this-- I've posted a visual diagram of the topology described above here.  The first firewall blocks all inbound traffic except for 80/TCP and 443/TCP.  The reverse proxy directs 80/TCP (HTTP) to 443/TCP (HTTPS).  The connection between the reverse proxy, WAF, and actual web server is 80/TCP (HTTP) which allows the WAF to inspect/modify/drop HTTP requests.  You'd start by dropping all HTTP requests except GET, POST, HEAD, and then build from there.  The model reduces all traffic down to support the concepts of least privilege and defense in depth.

Technically, once the design is placed behind a VPN, you're creating an Extranet which is only accessible to preauthorized parties.
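The proxy layer Giovanni describes in his two comments above (redirect 80/TCP to 443/TCP, forward to the WAF over plain HTTP, allow only GET, POST and HEAD) looks like the following when written as an nginx reverse-proxy configuration. This is an added example, not a file from the thread or from any of the products named in it; the hostname, the internal WAF address 10.0.1.10 and the certificate paths are placeholders.

```nginx
# Public-facing reverse proxy (nginx). Added example, not from the thread.
# Hostname, internal address and certificate paths are placeholders.

# 80/TCP: serve nothing here except a redirect to HTTPS.
server {
    listen 80;
    server_name www.example.org;
    return 301 https://$host$request_uri;
}

# 443/TCP: terminate TLS, then forward to the WAF host over plain HTTP so
# ModSecurity can read and rewrite every request before the web server sees it.
server {
    listen 443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/ssl/certs/www.example.org.crt;
    ssl_certificate_key /etc/ssl/private/www.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Only GET, HEAD and POST get through (HEAD is implied by GET);
        # everything else is refused here, before it reaches the WAF.
        limit_except GET POST { deny all; }

        proxy_pass http://10.0.1.10:80;      # WAF host on the internal segment
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

On the WAF host the same method allowlist is one ModSecurity rule, for example `SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" "id:1001,phase:1,deny,status:405"`, which is the "drop all HTTP requests except GET, POST, HEAD, and then build from there" starting point. Two caveats a practitioner would want: the hop from proxy to WAF to web server is cleartext by design, so it must sit on a network segment that nothing else can reach (that is the point of the first firewall admitting only 80/TCP and 443/TCP from outside), and the `X-Forwarded-For` header is only trustworthy if the web server accepts it solely from the proxy's address.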
