The Information between the application and data base. Is Safe?


  • The Information between the application and data base. Is Safe?

    Hi, I've a question about this software, if it works encrypted or I have to install a certificate (SSL).
    In case that a sniffer sees my information.
    Is Scriptcase secure?

  • #2
    Yep, if you use https there should be no problem. Scriptcase, if deployed, is nothing more than a database with php and a webserver, so it is just like any other webserver.
    You should always be aware of network sniffers, but that goes for all traffic.
    Under https the parameters for http post and http get are always encrypted with ssl so that should work fine.



    • #3
      I would recommend you to use an OWASP analyzer... you should always deploy your applications after you are completely sure that the top 10 OWASP vulnerabilities are covered.

      Regards



      • #4
        Kroto,

        Yes, you need to be very aware in a situation like you are describing in your title.

        Webserver to Database Security Concerns
        Communications between the webserver app (Apache) and the database, if they are on different machines, are vulnerable.
        In our case, our Apache servers and our SQL servers have a dedicated non-public connection, the SQL servers are not exposed to the internet at all.
        As an alternative, if both servers are exposed, you can easily set up an SSH tunnel between the two servers. Google "SSH Tunneling" for a more in-depth discussion.

        Browser to Webserver Security Concerns
        You should always use https rather than http if you have a website where users log in.
        Using the ScriptCase Security Module without https means that your password is sent in the clear over the internet from your browser to the web site.
        You can configure Apache to automatically force a change from http to https. Google "HTTP Strict Transport Security" for more information about this.

        Test your Website for Vulnerabilities
        And finally, as Kafecadm mentioned above, you should always test your SSL enabled site for vulnerabilities using a test suite. We use SSL Labs free service.
        You can see an example of the results of testing an improperly configured SSL website here: test ScriptCase.net
        A properly configured SSL on a ScriptCase developed website returns results like this: test sahod.ph

        So in summary, enabling SSL properly is much more than installing a certificate.

        Hope this helps,


        Dave
        Last edited by daveprue; 03-18-2015, 10:02 PM.
        Dave Prue
        Code Whisperer
        Lahar International Corp
        www.lahar.net
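
The http-to-https redirect and the HSTS header mentioned in post #4 can be checked from a site's response headers. The following is an added example, not part of the original thread or of Scriptcase; the function names, the 180-day `MIN_MAX_AGE` threshold and the sample responses are assumptions constructed for illustration.

```python
import re

# Simplified directive grammar from RFC 6797: name [ "=" token | quoted-string ]
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*')
MIN_MAX_AGE = 15552000  # 180 days; assumed threshold for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means the header is invalid."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives between semicolons are allowed
        m = _DIRECTIVE.fullmatch(part)
        if not m or m.group(1).lower() in directives:
            return None  # syntax error, or a directive repeated
        directives[m.group(1).lower()] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def audit_transport(http_resp, https_resp):
    """Each argument is (status, headers) for the same URL over http and https."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status not in (301, 302, 307, 308) or \
            not headers.get("location", "").lower().startswith("https://"):
        findings.append("http: no redirect to https")
    if "strict-transport-security" in headers:
        findings.append("http: HSTS over plain http is ignored by browsers")
    raw = {k.lower(): v for k, v in https_resp[1].items()}.get("strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        findings.append("https: HSTS header missing")
    elif policy is None:
        findings.append("https: HSTS header malformed")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("https: HSTS max-age shorter than %d seconds" % MIN_MAX_AGE)
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site
    weak = ((200, {"Content-Type": "text/html"}), (200, {"Strict-Transport-Security": "max-age=300"}))
    good = ((301, {"Location": "https://app.example/"}),
            (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print(audit_transport(*weak))
    print(audit_transport(*good))
```

An empty list means the pair of responses passed every check; a certificate and protocol scan such as the SSL Labs test covers what this header check does not.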



        • #5
          Thanks for your help.
          I was asking whether I will have to install a certificate for my application, or whether I can do it with Scriptcase?
          However, I will release everything that you give me. However, I will do everything that you describe to me.

          Kind Regards

          Francisco



          • #6
            A certificate is needed for the webserver. Well, it isn't needed if you run without a certificate, but any decent website uses https and a certificate nowadays.
            On that webserver you can run whatever scriptcase deployment you have.
            For testing you can get a free certificate from https://www.startssl.com/ (1 year valid) or from https://www.comodo.com/e-commerce/ss...ertificate.php (90 days valid)
            or other sites (rapidssl.com and so on).
