Solved

simple but secure website with database

Posted on 2014-02-07
Last Modified: 2014-02-17
Hi,

I (am a data warehouse architect with no web programming experience ) volunteer for an organization (with no budget) and need to create a website that will allow users to specify filter criteria, execute a query on a database based on the filter criteria, and allow the user to export the result into a spreadsheet.  Since the data is sensitive, the security must be as good as possible.

I have been researching free Microsoft products, etc.  It does not need to be pretty.  I want to select the software to be used so that I know its capabilities before starting the design.   I would appreciate any ideas.

Thanks,
Greg
Question by:Greg_Beam
17 Comments
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39843546
Without programming experience, you might want to look into something like quickbase.intuit.com
0
 

Author Comment

by:Greg_Beam
ID: 39843564
It looks like the cheapest plan is $300 per month.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 400 total points
ID: 39843573
Without any programming knowledge you would need to hire a programmer.
There are things like this
http://www.sqlmaestro.com/products/mysql/phpgenerator/

...but you haven't said what your database or server is...?

But for free it's a big nada.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 400 total points
ID: 39843665
If the data is truly sensitive, you may want to look into placing a web application firewall (WAF) in front of the web server, separating your database server from the web server, and placing a database application monitor (DAM) between the two.  A reverse proxy could be placed in front of the WAF, to cache frequent requests, and a VPN could be placed in front of the reverse proxy.

There are free products for all of these, see OpenVPN, ModSecurity (WAF), Squid (Proxy), etc.

Not being a programmer poses some learning curve issues, but looking into libraries such as DHTMLX, Kendo UI, etc. could save substantial time.  DHTMLX has a free online designer here.  Regarding server-side code, PHP is arguably easier to learn than others, and you can find website templates around the net easy enough.

In the end it's a lot to tackle if all these terms are new to you.  Perhaps suggesting to the organization that they seek interns at local tech colleges in exchange for credits and job experience would be an approach worth considering.

Windows Azure may be an affordable solution.
0
 
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 400 total points
ID: 39843749
Greg, I think you have chosen a 'mission impossible' :) In other words, you say: 'Hi, I don't know anything about programming but I need to build a secure database driven web application... Oh, my budget is $0.00'

You probably heard about magic programs which let you do web sites without programming knowledge but this simply is not true. You can create a web page without programming knowledge, not a whole database driven application. In addition, a must of your web app should be security and security is the most difficult task even for most experienced programmers.

I don't want to be discouraging, but getting security without knowing what you're doing is impossible. Yes you can follow x66_x72_x65_x65 suggestions about firewall, VPN and so on, but don't think that will be quick and easy.
For the front-end, I would suggest to take a look at Joomla: its learning curve is good enough and it allows you to do many things which usually require a lot of effort.

I can only say: good luck, guy.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39843772
I was trying to give the quick and direct answer, I am glad the others have basically backed each other up.  

x66_x72_x65_x65P has some great points and +1 for being positive, but I agree with Marco, he is making it sound much too easy although saying all the right things.  

Although I am taking an interest in wordpress this year, cms sites like wordpress, joomla and drupal do take some knowledge because they rely on plug-ins, and the plug-ins that make things easy for the non developer also make it extremely easy to be hacked.

For do it yourself sites, I prefer to send people to http://wix.com, http://www.squarespace.com/ or http://www.weebly.com as they are all in one, everything is mostly included sites including hosting.  But the problem still is a way to search, filter and export data securely.  

If you are a non profit, you can sign up for google apps for business as a non profit www.google.com/enterprise/apps/business/ and get a free account.  Start here www.google.com/nonprofits/products.  Apps for business will allow you to create a website for free (not a great looking one though), and use upgraded allowances for docs and email as well as hosting your business email "yourdomain.com" which is a great email solution and worth the price of admission on its own.

Even without google apps, you could place your data in a spreadsheet on google drive or even microsoft skydrive.  With Google drive you can protect the data so only you, or people you add by their email account, can access it.  You can also simply create a private url from google but once that is out, anybody that intercepts it can get the data.  If your team is small, you can make it a little easier to share by allowing only people in your domain to have access.

By creating the spreadsheet in the cloud, your data is going to be about as secure as it can get or you could do on your own even if you are a programmer.  Once people get access to the spreadsheet (which you can make read only), they can do their own filtering and export.

To me, security goes beyond just how secure your data is, but user access as well.  When I create something like you are talking about, I typically create multi level user accounts and keep logs of when people signed in.  I have some clients where we limit the time of day they can log in and even which IP they can log in from.  Those are by no means perfect as the IP you are broadcasting can be spoofed.  I also require access only via https.  How you allow download and export could pose a risk.  Even the way you allow people to log in.

The easier and less expensive it is for you to create, the easier it is for the bad guys.  It is very common (and hard) for us to think like the bad guys and therefore we tend to do things we think are secure and they are not.  

Keep in mind, no matter how seasoned you are, things happen (target, neiman marcus  and many others you hear about in the news).

Perhaps you can give us more details of how big the data is, what types of data does it contain and what are people going to be filtering.  From that, we may think of other solutions.
0
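The access controls Scott Fell describes in the comment above (multi-level accounts, sign-in logs, a time-of-day window, an IP allowlist, and https only) can be expressed as one small policy check. The block below is an added example and is not code from the thread or from any product named in it; the role tiers, the `UserPolicy`/`LoginAttempt` records and every user, address and timestamp are constructed sample data.

```python
# Added example, not code from the thread: a layered login policy of the kind
# described above -- tiered user roles, HTTPS-only access, an optional
# time-of-day window and source-address allowlist per user, and an audit log
# of every sign-in decision. User records and attempts are constructed samples.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed role tiers; a higher number may do everything a lower one may.
ROLE_LEVEL = {"viewer": 1, "analyst": 2, "admin": 3}

@dataclass
class UserPolicy:
    username: str
    role: str
    # ("HH:MM", "HH:MM") in server local time; None means any time of day
    login_window: Optional[Tuple[str, str]] = None
    # CIDR blocks the user may sign in from; an empty list means any address
    allowed_networks: List[str] = field(default_factory=list)

@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    scheme: str  # "http" or "https", as seen by the application
    when: str    # ISO 8601 timestamp, e.g. "2014-02-07T09:30:00"

AUDIT_LOG: List[str] = []  # in practice this goes to a file or log server, not memory

def check_login(policy: UserPolicy, attempt: LoginAttempt) -> Tuple[bool, str]:
    """Return (allowed, reason) for one sign-in; every decision is logged."""
    reason = "ok"
    if attempt.scheme != "https":
        reason = "insecure transport"
    elif policy.login_window is not None:
        start = time.fromisoformat(policy.login_window[0])
        end = time.fromisoformat(policy.login_window[1])
        now = datetime.fromisoformat(attempt.when).time()
        if not (start <= now <= end):
            reason = "outside login window"
    if reason == "ok" and policy.allowed_networks:
        # Caveat from the thread: the source address is only as trustworthy as
        # the network path. Behind a reverse proxy, use the client address the
        # proxy passes on, not the proxy's own, or this check admits everyone.
        addr = ip_address(attempt.source_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            reason = "source address not allowed"
    allowed = reason == "ok"
    AUDIT_LOG.append(
        f"{attempt.when} user={attempt.username} ip={attempt.source_ip} "
        f"result={'ALLOW' if allowed else 'DENY'} reason={reason}"
    )
    return allowed, reason

def may_export(policy: UserPolicy, minimum_role: str = "analyst") -> bool:
    """Tie the spreadsheet export to a role tier rather than to sign-in alone."""
    return ROLE_LEVEL[policy.role] >= ROLE_LEVEL[minimum_role]

if __name__ == "__main__":
    greg = UserPolicy("greg", "analyst", ("08:00", "18:00"), ["203.0.113.0/24"])
    print(check_login(greg, LoginAttempt("greg", "203.0.113.7", "https", "2014-02-07T09:30:00")))
    print(check_login(greg, LoginAttempt("greg", "198.51.100.9", "https", "2014-02-07T09:30:00")))
    print("\n".join(AUDIT_LOG))
```

The denial reasons are deliberately specific in the log and generic to the user: the log line is what lets you notice a pattern of attempts outside the window or from unexpected networks, which is the detection value Scott's sign-in logs provide.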
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39843776
BTW, if you'd like to learn more about security measures see http://www.experts-exchange.com/Web_Development/Miscellaneous/Q_28322298.html#a39729676

@Scott Fell (padas)
In my recommended topology, the reverse proxy redirects all HTTP (80/TCP) requests to HTTPS (443/TCP).  The proxy however, connects to the web server on the back end (via the WAF) over 80/TCP.  This allows every GET/POST/HEAD request to be inspected/dropped/modified by the WAF.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39843780
Giovanni, that is an great solution you provided. You should submit that as an article.

How can you translate that to, "....with no web programming experience...with no budget... "
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39843784
It's a time vs. money trade off.  If no money then it will cost you time.  Time necessary to learn (to program), or time required to enroll others, barter, trade, leverage, to get creative (crowd fund, recruit interns, etc.)  :-)
0
 

Author Comment

by:Greg_Beam
ID: 39844218
Hi,

Thank you for your responses!  It is a nonprofit org.  I have an MS in CS, and have coded in C and C++, some .NET and VBA, so I have a little programming experience, just not for the web.

I hoped to learn something about web development in considering doing this project, but all your cautions (which I will pass on to the requestor) will make our plans much more realistic.  Also, the discussion about what security risk can be accepted, etc.
I will investigate all of the above options, including hiring someone else (my money), but I do want to learn how to do at least part of it.

Thanks,
Greg
0
 
LVL 54

Accepted Solution

by:
Scott Fell,  EE MVE earned 800 total points
ID: 39844263
It sounds like you are most of the way there.  Look at Azure and see if it is familiar. http://www.windowsazure.com/en-us/documentation/articles/web-sites-dotnet-get-started/

If you use this as your web learning experience, it would be good to familiarize yourself with front end http://www.codecademy.com/learn.  At least go through  the modules for  html and css.  Then the basics of javascript and jquery.   A handful of hours on that will save you some frustration later.  It sounds like you already have the backend knowledge and it is just a matter of putting up an html facade.
0
 

Author Closing Comment

by:Greg_Beam
ID: 39857654
Hi,
The data does need to be secure and I see how difficult that would be based on the above.  It was mentioned that the most secure would be the cloud and Scott Fell suggested Windows Azure and where to find some training.  I have been researching Azure, and it appears MS would host our small site with maybe only 200 occasional users for free.  Also, they have many templates which I will check to find the closest one to what we need (other possible solutions have that too).  Personally, if the site were hacked, I would hope it would not be my fault since all I did is load ids and passwords to an AD.
Thank you again,
Greg
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39857746
>Personally, if the site were hacked, I would hope it would not be my fault since all I did is load ids and passwords to an AD.

That is far from reality.  An example of "not your fault" would be an issue from a vendor like the Plesk panel http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/.  There was a security hole they patched up that had to do with php.  However, as the webmaster, you have to keep on top of this stuff and be vigilant.

Another type of issue that would be your fault but similar is using something like wordpress and blindly installing plug ins without some thorough research and keeping up with updates.  The most common reason for WP hacks are the plug ins.

Your own scripting could be cause for concern and you may not even  know it.  

People may have passwords with dictionary words or their pets names.  They may even think they are being sneaky by adding a number or special character to an otherwise easy password.  

This is a good read on how some of this works.  http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Will using Azure be a lot safer than if you put a server in your home and hosted it by yourself, more than likely.  Will it be safer than if you used a dedicated server on a traditional host where you have to set everything up on your own?  probably.    

As the keeper of the data... it is on you to keep things safe.
0
 

Author Comment

by:Greg_Beam
ID: 39857795
Noted.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39859653
Azure was first mentioned in ID: 39843665
0
 

Author Comment

by:Greg_Beam
ID: 39860050
Yes, I see that now.  I was so intimidated by the complexity of the security issue, your mention of Azure did not register, even the second time when I went through the responses to assign points.  I am sorry I didn't notice it.  For someone new to this, I took your (and other's) description of the complexity of the security issue to heart.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39864971
No problem.  If you haven't already seen this: I've posted a visual diagram of the topology described above here.  The first firewall blocks all inbound traffic except for 80/TCP and 443/TCP.  The reverse proxy directs 80/TCP (HTTP) to 443/TCP (HTTPS).  The connection between the reverse proxy, WAF, and actual web server is 80/TCP (HTTP) which allows the WAF to inspect/modify/drop HTTP requests.  You'd start by dropping all HTTP requests except GET, POST, HEAD, and then build from there.  The model reduces all traffic down to support the concepts of least privilege and defense in depth.

Technically, once the design is placed behind a VPN, you're creating an Extranet which is only accessible to preauthorized parties.
0
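The edge behaviour Giovanni Heward describes in the comment above (plain HTTP redirected to HTTPS, a method allowlist of GET/POST/HEAD enforced before anything reaches the real web server, the back end spoken to over 80/TCP) is shown below as one decision function. This is an added example, not code from the thread or from ModSecurity, Squid or any other product named in it; `PUBLIC_HOST`, the back-end address and the request lines are constructed samples, and the choice to drop a disallowed method before issuing any redirect is the example's own.

```python
# Added example, not code from the thread: the edge policy of the topology
# described above, written as one decision function. A request that arrives
# over plain HTTP is answered with a redirect to HTTPS, a method outside the
# GET/POST/HEAD allowlist is dropped, and only what survives is forwarded to
# the real web server over 80/TCP. Hostnames, the back-end address and the
# request lines are constructed samples.
from dataclasses import dataclass
from typing import Tuple

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # the starting allowlist from the thread
PUBLIC_HOST = "example.org"                 # assumed public hostname
BACKEND = "http://10.0.0.10:80"             # assumed internal web server (behind the WAF)

@dataclass
class Decision:
    action: str       # "forward", "redirect" or "drop"
    status: int       # HTTP status the client would see
    target: str = ""  # redirect Location or back-end URL, when relevant

def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Parse 'METHOD SP request-target SP HTTP-version'; reject anything else."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = parts
    if not (method.isalpha() and method.isupper()):
        raise ValueError(f"malformed method: {method!r}")
    # Only origin-form targets ("/path?query") are accepted; an absolute-form
    # target would turn the HTTPS redirect below into an open redirect.
    if not target.startswith("/"):
        raise ValueError(f"unsupported request-target: {target!r}")
    return method, target, version

def edge_policy(scheme: str, request_line: str) -> Decision:
    """Decide what the proxy/WAF layer does with one inbound request."""
    try:
        method, target, _ = parse_request_line(request_line)
    except ValueError:
        return Decision("drop", 400)
    if method not in ALLOWED_METHODS:
        # Dropped before any redirect: nothing outside the allowlist gets further.
        return Decision("drop", 405)
    if scheme != "https":
        return Decision("redirect", 301, f"https://{PUBLIC_HOST}{target}")
    return Decision("forward", 200, f"{BACKEND}{target}")

if __name__ == "__main__":
    for scheme, line in [("http", "GET /reports?year=2014 HTTP/1.1"),
                         ("https", "TRACE / HTTP/1.1"),
                         ("https", "POST /export HTTP/1.1")]:
        print(scheme, line, "->", edge_policy(scheme, line))
```

The parser is the part worth keeping strict: a WAF that only checks the method but forwards whatever request-target it was given leaves the redirect and the back-end URL under the client's control, which is the opposite of the "reduce all traffic down" goal the comment sets out.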
