web-security methods, advice please!

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Jan 3 03:09:09 UTC 2007


James Knott wrote:
>> This is my own company though that I am starting on a shoe-string
>> budget. There are many things I should be contracting out, not least
>> being security, but I simply can't afford to do this at this point
>> (though I may well later if/when business picks up).
>>
>> So for now, I am hoping that my prying questions will close at least a
>> few of the holes I have certainly missed. :)
>>
> 
> One thing to bear in mind, is that you can never prove a system to be
> secure.  You can only fail to break in.  There have been many times in
> the past, when someone insisted they had a secure method.  The only
> reason they could make that claim, was they didn't know enough about
> possible failures to recognize them.  Even with widely scrutinized open
> source security methods, such as PGP etc., there is no proof that it's
> secure, only that despite all that inspection by experts, no one's yet
> found a way in, and so it's presumed to be secure at the moment.

Heh, I've learned enough humility through the years to know that I know 
just enough to get myself in healthy trouble. :) It's also why I am 
looking for feedback and advice. I know that, if my company does well 
down the road, I might have enough potential "goodies" for a cracker to 
take interest and spend some time on getting in. If someone gets root 
shell access (the db runs under a different user than the webserver), I 
figured the jig is up anyway. Given that, I want to protect from the web 
interface. So I want to lay an at least half-decent groundwork now 
rather than wait until I get cracked before realizing "now's the time". :p

Madi
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists