
Most secure web site, what are the steps?


Question

I need to get a website that will be secure. Bank secure.

All I've been doing so far is some websites on html or wordpress uploaded on a simple webhost server like godaddy or apollohosting. As for the security, I'm updating wordpress core and plugins, maybe use sitelock. But the new project will be a very important website that has to be very secure. What's the best way to do it? Should I buy a plan on a dedicated server? VPS?

I am not going to build this website, I am just looking for the best way to get it. I was told that it is not safe to employ one company to do both hosting and web development. And I know that the website, and all websites can get hacked, but I want it to be fixed as soon as possible if hacked. Are there any security companies specialized in securing websites? Like SiteLock, but also keep backups and fix a hacked site. If I get a dedicated server from a hosting company, will they provide security, or should I get a security analyst of my own? I'm kind of lost and don't know where to start looking.

 

Let's say you want to create an online application for hospitals and all hospitals will use the online application / website. Are the following steps correct?
1. Employ developer company to create website and web applications, buy the support plan from them so they will be available 24/7

2. Get dedicated server from hosting company like godaddy, get a Fully Managed plan

3. Get SiteLock enterprise or sucuri

Are those steps enough? Or is step 3 not necessary since the server is a Fully Managed dedicated server?
Or should I get unmanaged plan and employ a third person to manage the dedicated server?

I'm lost, please help.

17 answers to this question

This is going to sound like a really douchebag reply, but it's not meant as such.

 

You used the term 'bank secure' and the simple answer is you employ professionals.

 

I work in IT security, with a focus on networking. The organisation I work for stores and processes personal information about almost everybody in the UK. You can, therefore, imagine how security focussed we have to be.

 

It's difficult to give you direction without knowing more about what you're trying to do but I can tell you that my organisation couldn't seriously consider using co-located dedicated servers - at least not without knowing who has access (physical and remote), whether auditing is taking place, what procedures the third party has, etc. There are also compliance considerations such as ISO27001. The organisations we use for third party services have to be accredited with ISO27001 and other standards.

 

We employ a defence-in-depth strategy, where the front-end web servers hold little or no information. They are protected by firewalls which use IPS, amongst other techniques. All access is logged and anything out of the ordinary immediately alerts administrators for analysis. The web servers are detached from application servers or databases with another layer of firewalls and other security appliances. When a solution such as this is deployed, we have a third party perform penetration tests to assist us in finding holes in our security.

 

But it doesn't end there. Security is not something you can buy off the shelf, nor design into a deployment. It is a continual process, both in terms of reviewing procedures and of technical implementation. It is important to have written policies and procedures relating to security - such as how you will manage patching and security updates and who will ensure this work is done?

 

I won't go any further except to say that you are not going to create anything that is 'bank secure' on your own - but if you do try, remember to consider the bigger picture. There is little point designing an application or website that is highly secure if someone can call up your hosting company, give them your details and have your administrator password reset.


I work in Network Security and we deal with hospitals, nursing homes, banks and PCI Compliance. 

 

Godaddy dedicated servers aren't PCI compliant. Amazon Web Services have PCI compliance. If you are storing user data, which is dumb, you need to be PCI compliant. You need to hire someone to do this who builds these types of applications. It takes teams, not an individual who even considers SiteLock to be an actual security resource.


All help is appreciated, thanks.

Firstly, I made clear that I am NOT going to build this site, I don't have the experience to do it. I'm just looking for the first steps needed towards security. I've contacted some professionals (developers to build this website). Some proposed to build a custom wordpress site with security plugins and SSL, others proposed a drupal website, one of them proposed to build a custom cms and web application/site. I believe that those who said wordpress or drupal are not serious or secure enough. None of the developer companies I've found are security specialists, and if I google "how to get a secure website" or "online security companies" I'm not getting the right results.

 

So, first step to find a PCI compliant server hosting like Amazon Web Services.

Second step, get developer company build a site, NOT based on wordpress.

Third, get a professional company that deals with security. Where can I find such companies? Are they independent from the hosting company and the developer company? Or do they use their own hosting?

 

@Kyle: Isn't everyone storing user data? Doesn't a bank have your details stored somewhere? Why is it dumb?
@Garry: I need to know about your company, you've got a PM.


If you think about security, remove "Wordpress" from your list.  You seem to be so entrenched in using "Wordpress" when the fact of the matter is that it is much less secure than other CMS out there.  And though everyone has been telling you that "Wordpress" is not secure, you still insist on using it.  If security is your serious concern, take "Wordpress" from your list.  No matter how much "security plugins" or "SSL" you employ with it, the exploit is inside the CMS engine itself.  I have not read/heard about a "Drupal" exploit yet.  Maybe it's out there but I have not read about it yet.

 

When it comes to security, you should think about encryption, SSL, and HTTPS only.  Not only encrypt the storage data but also the IO data stream.  You're going to need a strong certificate.  Avoid questionable scripts such as RSS and XSS.


You seem to be so entrenched in using "Wordpress" when the fact of the matter is that it is much less secure than other CMS out there.  And though everyone has been telling you that "Wordpress" is not secure, you still insist on using it.

No, not at all. I'm not interested in wordpress at all. I'm interested in hiring a professional to build a secure website for me, and most of the professional web developers present a website based on wordpress to me. If you read, I actually hate wordpress and said that "I believe that those (the professional developers) who said (proposed to build for me) a wordpress based site, are not serious enough".

 

Also I specifically said in step 2: "Second step, get developer company build a site, NOT based on wordpress." I DON'T WANT WORDPRESS but you still say that I insist on using it, I don't get it!

 

It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me, all I'm getting is: wordpress wordpress wordpress. I don't insist on using it, I hate it, I don't want it.

I hope it's clear now that I don't want to use wordpress.


No, not at all. I'm not interested in wordpress at all. I'm interested in hiring a professional to build a secure website for me, and most of the professional web developers present a website based on wordpress to me. If you read, I actually hate wordpress and said that "I believe that those (the professional developers) who said (proposed to build for me) a wordpress based site, are not serious enough".

 

Also I specifically said in step 2: "Second step, get developer company build a site, NOT based on wordpress." I DON'T WANT WORDPRESS but you still say that I insist on using it, I don't get it!

 

It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me, all I'm getting is: wordpress wordpress wordpress. I don't insist on using it, I hate it, I don't want it.

I hope it's clear now that I don't want to use wordpress.

 

People are only saying not to use Wordpress because that's what you mentioned in your original post.

A decent web developer who can build you what you want from scratch and not insist on Wordpress is step one, a decent host is step 2 with someone who specialises in devops and security, and take it from there.. They'll be able to advise you.

 

Good luck


"Godaddy dedicated servers aren't PCI compliant" - wat... any server can be PCI compliant if you set it up properly...

 

PCI Compliance goes beyond the server configuration. There is network security as well. 

 

GoDaddy servers and networks have repeatedly failed the PCI Compliance tests. 

 

https://support.godaddy.com/help/article/4265/quick-shopping-cart-pci-compliance-faq

 

Scroll to the bottom of that FAQ. What does the bottom line say? 

 

All help is appreciated, thanks.

Firstly, I made clear that I am NOT going to build this site, I don't have the experience to do it. I'm just looking for the first steps needed towards security. I've contacted some professionals (developers to build this website). Some proposed to build a custom wordpress site with security plugins and SSL, others proposed a drupal website, one of them proposed to build a custom cms and web application/site. I believe that those who said wordpress or drupal are not serious or secure enough. None of the developer companies I've found are security specialists, and if I google "how to get a secure website" or "online security companies" I'm not getting the right results.

 

So, first step to find a PCI compliant server hosting like Amazon Web Services.

Second step, get developer company build a site, NOT based on wordpress.

Third, get a professional company that deals with security. Where can I find such companies? Are they independent from the hosting company and the developer company? Or do they use their own hosting?

 

@Kyle: Isn't everyone storing user data? Doesn't a bank have your details stored somewhere? Why is it dumb?

@Garry: I need to know about your company, you've got a PM.

Well yes and no. Most banking infrastructures don't store the data in the web servers, they reference the data stored in the data warehouses. Storing financial or medical information on web servers is just bad practice in general. People will argue "who cares, as long as we pay for HIPAA/PCI Compliance we are secure" blah blah, but you need to remember the web servers are directly available to anyone. If you don't want to host this type of website in a DMZ type location in your network, you need a host where you can (virtually) manage the firewall (with basic port-based rules) such as AWS.
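The tiered, port-based firewall layout described in this reply and in the earlier defence-in-depth post (public web tier exposed on 443 only, application tier behind it, data tier reachable from the application tier alone) as an added Python model; this is illustration code, not anything from the thread, and the zone names, ports and audit rules are constructed for the example.

```python
"""Model of a default-deny, port-based firewall policy for a three-tier
web deployment, with an audit that checks the tiering invariants.
Zone names and ports below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # source zone: "internet", "web", "app" or "db"
    dst: str    # destination zone
    port: int   # TCP destination port this rule allows


# Constructed allow-list. Anything not listed is denied (default deny),
# which is what a DMZ-style security group should look like.
POLICY = (
    Rule("internet", "web", 443),   # public HTTPS to the web tier only
    Rule("web", "app", 8443),       # web tier talks to the application tier
    Rule("app", "db", 5432),        # application tier talks to the database
)


def allowed(policy, src, dst, port):
    """True only if an explicit rule permits src -> dst:port."""
    return any(r.src == src and r.dst == dst and r.port == port
               for r in policy)


def audit(policy):
    """Return human-readable violations of the tiering invariants:
    - only the web tier is exposed to the internet, and only on 443;
    - the database tier accepts connections from the application tier only.
    An empty list means the policy matches the intended architecture."""
    problems = []
    for r in policy:
        if r.src == "internet" and (r.dst != "web" or r.port != 443):
            problems.append(f"internet may reach {r.dst}:{r.port}")
        elif r.dst == "db" and r.src != "app":
            problems.append(f"{r.src} may reach db:{r.port}")
    return problems


if __name__ == "__main__":
    print("internet -> web:443 allowed:", allowed(POLICY, "internet", "web", 443))
    print("internet -> db:5432 allowed:", allowed(POLICY, "internet", "db", 5432))
    print("violations in POLICY:", audit(POLICY))
```

Running the audit against a candidate rule set before it is applied is the kind of check a managed host or security contractor should be asked to perform; the invariants are the point, the zone names are only placeholders.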


You don't want a web developer for this. That's where you're going wrong, and why you keep getting wordpress or drupal responses.

 

You need an application developer who will develop a secure application, hosted on AWS or Azure on one of the PCI compliant instances.

 

Then, you need a front end developer who can create a web UI for the application.

 

Probably a security audit after each step, too.

 

I wonder why you need so much security though. Unless it's for gov. compliances, most websites can be made sufficiently secure with ssl, auto-account locks, permissions, roles, and the like, where your biggest danger is going to be a hacker "spear phishing" account credentials. Something like that would be much easier to implement and probably fulfill the same requirements.


Well, it's not for the gov, it's a private project but it involves the legal system, all lawyers in the world (well just 10 of them in the beginning) and all their cases, evidence etc. So I'm guessing it's going to be a huge target for hackers and cyber attacks.


My first thoughts coming into this thread:

 

Azure - you do not need to worry about the physical and architectural / system security of the website, unless you are running a full-blown VM to host the website (in which case, the management of the VM falls into your hands). It is also compliant with a bunch of "standards" and governmental requirements.

 

This however, doesn't mean that you can slack and relax regarding the website's security itself, but at least you will not have to worry about the lower level side of things being insecure.


 

It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me

 

There are a lot of real programmers left in this world. Just because some silly services offer pre-built whatever engines and backends to less skilled developers, doesn't mean that everybody is going to use those.

 

I don't know what to tell you regarding the actual development of the website. If you're not making it yourself, it may be tough to find a company with enough resources, skill and willingness to do it for you while avoiding the use of existing stuff.
