2

I'm designing a web application. I need to make sure all my customer's SSN data is secure. Now I know HTTPS with SSL, I'm wondering what are its weaknesses? What else I need to provide a perfectly secure web interface? I'm going to host the server via Amazon EC2 or some other cloud service.

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
Yuming Cao
  • 121
  • 3
  • 1
    Does the web application need the SSN? If possible try using an alternate identifier, encrypt and secure your database, and rigorously test and log your application for exploits. – dr jimbob Feb 02 '12 at 20:48

1 Answers1

3

HTTPS is only one part of the puzzle - securing the link between webserver and customer's laptop - and to be honest, it is the simplest bit, as web servers and browsers pretty much do this right, however you will need to enforce SSL v3 and approved algorithms.

In addition you will need at a minimum:

  • authentication to your web application for customers (username/password, token)
  • session management
  • validation of input (see questions on SQLi and input validation)
  • protection of your database (possibly encryption)
  • controls defined for developers, admins and others who have access
  • an assessment of resilience - if your customer cannot connect to the EC2 instance, they are DoS'ed
Community
  • 1
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • To help the mindset, think data at rest, data in storage, and data in transit. You mentioned ssl (data in transit). Rory added encryption (et al.) which can help with all three. – Jeff Feb 03 '12 at 18:58