On Monday 27 April 2009, Pete Theisen wrote:
> Hi Everybody!
>
> Is security especially problematic in open source? I have personally
> only had one event to my website, but if the source code for a web
> application is out there, it seems that an attacker has an advantage.
Actually, the situation is more reversed.
Criminal hackers figure out how to gain access via any number of methods.
Computer owners being mostly stupid on the subject of security are not and
rely on the community to inform them. The underworld knows the holes in your
computer, should you not?
On closed source very few people can see the source, whereas with open source
it is at least possible for having more eyes on the code.
I don't know if you caught it, but a few years ago MS sent some of their top
people to talk with a known security consultant. On of his comments
afterwords was that the MS people were brilliant, but completely ignorant on
the subject of security.
Having people who actually know what secure code looks like, look at the code
is the best hope for everyone. The original Unix design did not really have
security in mind, but because the design being so modular it is not hard to
implement. Of course we have come a looong way since those early days.
>
> I am planning a Python application on the Dabo <http://dabodev.com/>
> framework, both are open source. The data on a web server will be of the
> type that is HIPAA protected so the security has to be pretty good. The
> people interested in stealing the data will be insurance companies so
> they will presumably have really good crackers working for them.
I really doubt they do.
> On advice, I was thinking of requiring WPA for wireless users (or use
> hard wire) and using a SSL tunnel to the server. Also, I intend to keep
> the personal contact information separate from the case data.
Security is about having many layers. Look at what will have access to the
sensitive data. The application will be accessable from other computers - who
has access to those? Encrypting the data means it's harder to get to unless
its easy to "own" the program that has access, or keeps the key. (I would
read up on "best practices" to see how things are generally done to protect
HIPAA type data. Then at least you would be on equal footing with them.)
It's similar to thinking that because you have a VPN (virtual private network)
between your office and home that it makes the company data safe. However, if
your home computer is "owned" then your office is probably too, right through
that secure VPN. If you also look on how easy it is to own someone browsing
with IE, you can see that all that is needed is to hit the wrong website with
it and you have created a personal access tunnel to your office for some
hacker.
(Talking about VPN - if possible, never, ever, use MS VPN as it is one massive
hole.)
Then, if at all possible, have time limits on when access is allowed. Limit it
to when there is staff present who can respond to some early alert that is
implemented, to let you know unusual activity is occurring, and give you time
to respond and hopefully close them down before the attack is successful.
Have written procedure as to the steps to take when alerts go off. I once
installed a dual firewall system where the border gateway would notify the
second when certain activities would occur, which would then block all remote
access. But that is not always possible given the need to have access.
In the end you have to balance security and workability.
> Anybody have any other or additional ideas? Thanks for any input.
Read up on how to write securely in Python. Go over posts in places like
insecure.org, Bugtraq, Full Disclosure and see what issues shows up. Holes
are often discussed and it could give you a headstart in knowing how secure
any particular thing is.
Of course you won't read it all but you search their posts for things like
dabo. How to secure Python is widely known, and easy to find though Google.
After a few hours you should be able to get a good general overview of the
field.
Understand that none of the wireless protocols are fully secure, all but a
secret one the army uses (?), have been broken.
Also be aware of the law. A "new" law came into effect in California which not
only puts a penalty on any company not disclosing any potential break in
where loss of your personal data (like SS, CC, DL) could have occurred, but
the laws say you are open for class action suits.
You can also hire a company like securityspace.com to look at your
implementation.
--Steve Szmidt
"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin ----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:46:10 EDT