Most secure web site, what are the steps?


Question

I need to get a website that will be secure. Bank secure.

All I've been doing so far is some websites on html or wordpress uploaded on a simple webhost server like godaddy or apollohosting. As for the security, I'm updating wordpress core and plugins, maybe use sitelock. But the new project will be a very important website that has to be very secure. What's the best way to do it? Should I buy a plan on a dedicated server? VPS?

I am not going to build this website, I am just looking for the best way to get it. I was told that it is not safe to employ one company to do both hosting and web development. And I know that the website, and all websites can get hacked, but I want it to be fixed as soon as possible if hacked. Are there any security companies specialized in securing websites? Like SiteLock, but also keep backups and fix a hacked site. If I get a dedicated server from a hosting company, will they provide security, or should I get a security analyst of my own? I'm kind of lost and don't know where to start looking.

 

Let's say you want to create an online application for hospitals and all hospitals will use the online application / website. Are the following steps correct?
1. Employ developer company to create website and web applications, buy the support plan from them so they will be available 24/7

2. Get dedicated server from hosting company like godaddy, get a Fully Managed plan

3. Get SiteLock enterprise or sucuri

Are those steps enough? Or is step 3 not necessary since the server is a Fully Managed dedicated server?
Or should I get unmanaged plan and employ a third person to manage the dedicated server?

I'm lost, please help.

17 answers to this question


This is going to sound like a really douchebag reply, but it's not meant as such.

 

You used the term 'bank secure' and the simple answer is you employ professionals.

 

I work in IT security, with a focus on networking. The organisation I work for stores and processes personal information about almost everybody in the UK. You can, therefore, imagine how security focussed we have to be.

 

It's difficult to give you direction without knowing more about what you're trying to do but I can tell you that my organisation couldn't seriously consider using co-located dedicated servers - at least not without knowing who has access (physical and remote), whether auditing is taking place, what procedures the third party has, etc. There are also compliance considerations such as ISO27001. The organisations we use for third party services have to be accredited with ISO27001 and other standards.

 

We employ a defence-in-depth strategy, where the front-end web servers hold little or no information. They are protected by firewalls which use IPS, amongst other techniques. All access is logged and anything out of the ordinary immediately alerts administrators for analysis. The web servers are detached from application servers or databases with another layer of firewalls and other security appliances. When a solution such as this is deployed, we have a third party perform penetration tests to assist us in finding holes in our security.

 

But it doesn't end there. Security is not something you can buy off the shelf, nor design into a deployment. It is a continual process, both in terms of reviewing procedures and of technical implementation. It is important to have written policies and procedures relating to security - such as how you will manage patching and security updates and who will ensure this work is done?

 

I won't go any further except to say that you are not going to create anything that is 'bank secure' on your own - but if you do try, remember to consider the bigger picture. There is little point designing an application or website that is highly secure if someone can call up your hosting company, give them your details and have your administrator password reset.


I work in Network Security and we deal with hospitals, nursing homes, banks and PCI Compliance. 

 

Godaddy dedicated servers aren't PCI compliant. Amazon Web Services have PCI compliance. If you are storing user data, which is dumb, you need to be PCI compliant. You need to hire someone to do this who builds these types of applications. It takes teams, not an individual who even considers SiteLock to be an actual security resource.


All help is appreciated, thanks.

Firstly, I cleared that I am NOT going to build this site, I don't have the experience to do it. I'm just looking for the first steps needed towards security. I've contacted some professionals (developers to build this website). Some proposed to build a custom wordpress site with security plugins and SSL, others proposed a drupal website, one of them proposed to build a custom cms and web application/site. I believe that those who said wordpress or drupal are not serious or secure enough. None of the developer companies I've found are security specialists, and if I google "how to get a secure website" or "online security companies" I'm not getting the right results.

 

So, first step to find a PCI compliant server hosting like Amazon Web Services.

Second step, get developer company build a site, NOT based on wordpress.

Third, get professional company that deals with security. Where can I find such companies? Are they independent from the hosting company and the developer company? Or do they use their own hosting?

 

@Kyle: Isn't everyone storing user data? Doesn't a bank have your details stored somewhere? Why is it dumb?
@Garry: I need to know about your company, you've got a PM.


If you think about security, remove "Wordpress" from your list.  You seem to be so entrenched in using "Wordpress" when the fact of the matter is that it is much less secure than other CMS out there.  And everyone has been telling you that "Wordpress" is not secure, you still insist on using it.  If security is your serious concern, take "Wordpress" from your list.  No matter how much "security plugins" or "SSL" you employ with it, the exploit is inside the CMS engine itself.  I have not read/heard about "Drupal" exploit yet.  Maybe it's out there but I have not read about it yet.

 

When it comes to security, you should think about encryption, SSL, and HTTPS only.  Not only encrypt the storage data but also the IO data stream.  You're going to need a strong certificate.  Avoid questionable scripts such as RSS and XSS.


You seem to be so entrenched in using "Wordpress" when the fact of the matter is that it is much less secure than other CMS out there.  And everyone has been telling you that "Wordpress" is not secure, you still insist on using it.

No, not at all. I'm not interested in wordpress at all. I'm interested in hiring a professional to build a secure website for me, and most of the professional web developers present a website based in wordpress to me. If you read, I actually hate wordpress and said that "I believe that those (the professional developers) who said (proposed to build for me) a wordpress based site, are not serious enough".

 

Also I specifically said in step 2: "Second step, get developer company build a site, NOT based on wordpress." I DON'T WANT WORDPRESS but you still say that I insist on using it, I don't get it!

 

It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me, all I'm getting is: wordpress wordpress wordpress. I don't insist on using it, I hate it, I don't want it.

I hope it's clear now that I don't want to use wordpress.


No, not at all. I'm not interested in wordpress at all. I'm interested in hiring a professional to build a secure website for me, and most of the professional web developers present a website based in wordpress to me. If you read, I actually hate wordpress and said that "I believe that those (the professional developers) who said (proposed to build for me) a wordpress based site, are not serious enough".

 

Also I specifically said in step 2: "Second step, get developer company build a site, NOT based on wordpress." I DON'T WANT WORDPRESS but you still say that I insist on using it, I don't get it!

 

It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me, all I'm getting is: wordpress wordpress wordpress. I don't insist on using it, I hate it, I don't want it.

I hope it's clear now that I don't want to use wordpress.

 

People are only saying not to use Wordpress because that's what you mentioned in your original post.

Decent web developer who can build you what you want from scratch and not insist on Wordpress is step one, decent host is step 2 with someone who specialises in devops n security and take it from there.. They'll be able to advise you.

 

Good luck


"Godaddy dedicated servers aren't PCI compliant" - wat... any server can be PCI compliant if you set it up properly...

 

PCI Compliance goes beyond the server configuration. There is network security as well. 

 

GoDaddy servers and networks have repeatedly failed the PCI Compliance tests. 

 

https://support.godaddy.com/help/article/4265/quick-shopping-cart-pci-compliance-faq

 

Scroll to the bottom of that FAQ. What does the bottom line say? 

 

All help is appreciated, thanks.

Firstly, I cleared that I am NOT going to build this site, I don't have the experience to do it. I'm just looking for the first steps needed towards security. I've contacted some professionals (developers to build this website). Some proposed to build a custom wordpress site with security plugins and SSL, others proposed a drupal website, one of them proposed to build a custom cms and web application/site. I believe that those who said wordpress or drupal are not serious or secure enough. None of the developer companies I've found are security specialists, and if I google "how to get a secure website" or "online security companies" I'm not getting the right results.

 

So, first step to find a PCI compliant server hosting like Amazon Web Services.

Second step, get developer company build a site, NOT based on wordpress.

Third, get professional company that deals with security. Where can I find such companies? Are they independent from the hosting company and the developer company? Or do they use their own hosting?

 

@Kyle: Isn't everyone storing user data? Doesn't a bank have your details stored somewhere? Why is it dumb?

@Garry: I need to know about your company, you've got a PM.

Well yes and no. Most banking infrastructures don't store the data in the web servers, they reference the data stored in the data warehouses. Storing financial or medical information on web servers is just bad practice in general. People will argue "who cares, as long as we pay for HIPAA/PCI Compliance we are secure" blah blah, but you need to remember the web servers are directly available to anyone. If you don't want to host this type of website in a DMZ type location in your network, you need a host where you can (virtually) manage the firewall (with basic port-based rules) such as AWS.
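
The tiered layout the replies describe (web servers in front holding little data, application and database servers behind further firewall layers, each reachable only by the layer in front of it) can be expressed as a small port-based rule policy and audited. The following is an added example, not code from the thread or from any hosting provider; the tier names, ports and the sample rule set are constructed for illustration.

```python
# Added example (not from the thread): audit port-based inbound firewall rules
# against a tiered web/app/db policy. Tier names, ports and sample rules are
# constructed for illustration only.
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: `source` (a tier name or CIDR) may reach `tier` on `port`."""
    tier: str
    source: str
    port: int


# Policy: each tier may only be reached from the layer directly in front of it.
POLICY = {
    "web": {(INTERNET, 443)},   # only TLS from the outside world
    "app": {("web", 8080)},     # only the web tier talks to the application tier
    "db": {("app", 5432)},      # only the application tier talks to the database
}


def audit(rules):
    """Return sorted (severity, message) findings: rules that break POLICY,
    plus expected paths that are missing (which would break the application)."""
    rules = set(rules)
    findings = []
    for r in rules:
        if (r.source, r.port) not in POLICY.get(r.tier, set()):
            severity = "HIGH" if r.source == INTERNET else "MEDIUM"
            findings.append((severity, f"{r.tier}: {r.source} may reach port {r.port}"))
    for tier, paths in POLICY.items():
        for source, port in paths:
            if Rule(tier, source, port) not in rules:
                findings.append(("INFO", f"{tier}: expected path {source} -> {port} is missing"))
    return sorted(findings)


# Constructed sample: the three intended paths plus two mistakes a hosting
# control panel makes easy (SSH open to the world, database reachable from the internet).
SAMPLE_RULES = [
    Rule("web", INTERNET, 443),
    Rule("app", "web", 8080),
    Rule("db", "app", 5432),
    Rule("web", INTERNET, 22),
    Rule("db", INTERNET, 5432),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RULES):
        print(severity, message)
```

Run the audit whenever the rule set changes; a clean result is an empty list, and any HIGH finding means a tier behind the web layer is directly exposed to the internet.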


You don't want a web developer for this. that's where you're going wrong, and why you keep getting wordpress or drupal responses.

 

You need an application developer who will develop a secure application, hosted on AWS or Azure on one of the PCI compliant instances.

 

Then, you need a front end developer who can create a web UI for the application.

 

Probably a security audit after each step, too.

 

I wonder why you need so much security though. Unless it's for gov. compliances, most websites can be made sufficiently secure with ssl, auto-account locks, permissions, roles, and the like, where your biggest danger is going to be a hacker "spear phishing" account credentials. Something like that would be much easier to implement and probably fulfill the same requirements.


Well, it's not for the gov, it's a private project but it involves the legal system, all lawyers in the world (well just 10 of them in the beginning) and all their cases, evidence etc. So I'm guessing it's going to be a huge target for hackers and cyber attacks.


My first thoughts coming into this thread:

 

Azure - you do not need to worry about the physical and architectural / system security of the website, unless you are running a full-blown VM to host the website (in which case, the management of the VM falls into your hands). It is also compliant with a bunch of "standards" and governmental requirements.

 

This however, doesn't mean that you can slack and relax regarding the website's security itself, but at least you will not have to worry about the lower level side of things being insecure.


It seems to me that there are no real programmers left in this world, and every time I'm looking for a web developer company to build a website for me

 

There are a lot of real programmers left in this world. Just because some silly services offer pre-built whatever engines and backends to less skilled developers, doesn't mean that everybody is going to use those.

 

I don't know what to tell you regarding the actual development of the website. If you're not making it yourself, it may be tough to find a company with enough resources and skill and willingness to do it for you, while avoiding the use of existing stuff.
