pTools - Content Management IS Content Security
Jun 16, 2011

There's a lot happening around data security, and fears about the Cloud are only adding to the storm. I am a little sceptical about some of the pronouncements by the security establishment and prefer to encourage pTools customers to concentrate on the nuts and bolts, or should I say the lock-and-key elements, of the security challenge. To that end we've drawn up a basic checklist for content security. It is by no means exhaustive and it's not listed in order of significance, but we think it's worth considering. Here's the list, followed by the downloads in plain-text and PDF format, as well as a link to one of those very same security establishment documents, for good measure:
PTOOLS CONTENT SECURITY CHECK LIST BASICS
- Always consider transport-layer security and ensure all unnecessary ports are blocked at the front-end firewall.
- Prevent unauthorized physical access to the servers, routers and any other equipment.
- Ensure each process, application or user on the server uses the minimum rights required to perform the job.
- Run regular vulnerability scans and security tests against all web-facing servers/services.
- Separate the website front-end from the back-end (CMS) and avoid running web-facing applications on the database server.
- Never store passwords and other critical information in plain text; always encrypt them.
- Continuously monitor system logs: web-server (IIS, Apache) logs, database logs, firewall logs, SNMP, etc.
- Use SSL certificates for all critical content, including passwords, and not just credit card (CC) details.
- Apply the latest updates and security patches to the system OS, applications, database engines, etc.
- Generate search engine directives (e.g. robots.txt) carefully, and be deliberate about what you allow search engines to access.
- Do not run processes on the server from the root/administrator account.
- Use secure protocols for server/script updates, i.e. SFTP and SSH instead of FTP or Telnet.
- Do not grant "execute" rights on directories/folders that front-end users can upload to.
- Always keep script/application files in a separate physical location from user-uploaded files.
- Don't use the GET method to apply changes to database records, use POST only.
- Don't issue direct (string-built) SQL queries from front-end functionality; use parameter binding only.
- Don't put front-end user data in email headers; always generate email headers on the server.
- Always use data validation on front-end input fields.
- Do not tolerate any cross-site scripting (XSS).
- Follow the latest standards and recommendations during deployment. We think one of the best documents to reference is: http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
- Remember, it's better to compromise functionality rather than compromise security.
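As an added illustration of the POST-only, parameter-binding, input-validation and email-header points above (example code written for this post, not pTools' own; the `pages` table and its fields are assumptions): a record-update handler that refuses GET, validates the title server-side, binds SQL parameters instead of building the query string, and a check that keeps line breaks out of user-supplied email header values.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a CMS "pages" table (assumption, not pTools' schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("INSERT INTO pages (id, title) VALUES (1, 'Home')")
    return con

def update_title_unsafe(con, page_id, title):
    # Direct, string-built SQL: a quote in the user's title becomes SQL syntax.
    con.execute(f"UPDATE pages SET title = '{title}' WHERE id = {page_id}")

def update_title_bound(con, page_id, title):
    # Parameter binding: values travel separately from the statement, so quotes stay data.
    con.execute("UPDATE pages SET title = ? WHERE id = ?", (title, page_id))

def unsafe_update_breaks(con, title):
    """True if the string-built query fails on this input (it does for O'Brien)."""
    try:
        update_title_unsafe(con, 1, title)
        return False
    except sqlite3.OperationalError:
        return True

# Server-side whitelist for a title field: letters, digits, spaces and light punctuation.
_TITLE_RE = re.compile(r"[\w .,'()-]{1,80}")

def handle_update(con, method, params):
    """Apply a record change only via POST, after validation, using bound parameters."""
    if method != "POST":
        return 405, "record changes are accepted via POST only"
    if not params.get("id", "").isdigit():
        return 400, "invalid id"
    title = params.get("title", "")
    if not _TITLE_RE.fullmatch(title):
        return 400, "invalid title"
    update_title_bound(con, int(params["id"]), title)
    con.commit()
    return 200, "ok"

def get_title(con, page_id):
    row = con.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None

def header_value_is_safe(value):
    """Reject CR/LF in user data bound for an email header; a line break would let one field add headers."""
    return "\r" not in value and "\n" not in value
```

The string-built query breaks on an ordinary apostrophe, which is the same mechanism that turns user input into unintended SQL; the bound version stores "O'Brien" unchanged.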
By the way, this checklist is not for hard-core security geeks, but anyone involved in a deployment should be able to understand at least ten of the twenty or so points made. OK, five will get you a pass!
Links Here:
Security Checklist.pdf (size 186.4 KB)
Security Checklist.txt (size 2.5 KB)
Tom Skinner is Managing Director / CEO of pTools Software. Before joining pTools he worked with LG Electronics and the Irish Board of Trade in product development. Tom's work with pTools ranges from business management to sales as well as working closely with the new product development team. He helped design, develop and deploy the very first pTools CMS solutions in 1997 and has worked on every phase of company and product development since. Married with two children he lives in Dublin.