NYCPHP Meetup

NYPHP.org

[nycphp-talk] Liability protection for consultants?

leam at reuel.net leam at reuel.net
Thu Feb 10 06:22:32 EST 2005


On Wed, Feb 09, 2005 at 10:53:59PM -0800, Chris Shiflett wrote:
> --- leam at reuel.net wrote:
> > OScommerce requires register globals to be on, and Zen Cart requires
> > some world-writeable directories in the DocumentRoot. The other
> > possibilities are AgoraCart, Interchange Cart, and CubeCart.
> 
> I've never looked at any of these things, but I've heard OScommerce
> mentioned a few times recently. It's not obvious to me what this software
> does by visiting their site. Is it just a content management and shopping
> cart thing, or does it have more sophisticated support for payment
> processing and such?
> 
> There seem to be all of these common problem spaces where someone needs to
> write a solution that doesn't suck. I'm wondering if this is yet another
> one.

Looks to be. I'm an SA by trade and have worked in secure/paranoid backgrounds before. My gut feeling is that the authors of this sort of thing accept that credit card systems are going to be hacked and they just hope people are too embarrassed about it to reveal it.

> 
> > I'm reading Chris' security workbook
> 
> :-)
> 
> You might be interested to know that this has been renamed to the PHP
> Security Guide and is now a project of the PHP Security Consortium:
> 
> http://phpsec.org/projects/guide/
> 
> It should be enhanced and translated as time passes.
> 

Yeah, something led me to the PHPSec site and that's actually where I found it. PHPSec could probably make a bundle of money by offering code-review and "certification" of the code; "This product has met the standards set forth by the PHP Security Consortium".

> > How do you protect yourself against liability, and more
> > importantly how do you give the customer the security they deserve?
> 
> I've been asking these same questions recently. It sounds like having a
> separate business entity protects you personally, and having a signed
> contract can protect your business. I haven't spoken with a lawyer yet, so
> take this with a grain of IANAL salt.

The Small Business Info center I'm learning from says commercial insurance carriers often have "Small business packages". It may well depend on the insurer's understanding of the computer industry, so something to research. At the moment I'm totally secure as I don't have a product to sell!  ;)

> 
> As for security, I truly think that giving a damn is the most important
> step, so you're already on the right track. :-) Learn as much as you can
> (I've tried to do my best to provide lots of free resources over the past
> few years, and many are available at http://phpsec.org/), and focus on
> filtering input and escaping output.

Is there enough filtering that can happen to overcome the problems with register_globals? I'm only about a third of the way through the workbook.

> 
> If your security needs are very demanding, you can have someone perform
> a security audit of the code.
> 
> Hope that helps.
> 
> Chris

Yup, and thanks for posting the Security guide on-line. *I* certainly am putting it to use.

ciao!

leam
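As an added illustration of the register_globals question raised in the message above (example code written for this page, not from the thread, the PHP Security Guide, or any of the carts named): the pattern register_globals made dangerous, beside a hardened form that initialises every variable and reads input only through an explicit whitelist. It assumes a constructed request and uses extract() to stand in for what register_globals=On did automatically in PHP before 5.4.

```php
<?php
// Added example, not from the original thread.
// register_globals=On injected every request parameter into the global
// scope before the script ran. It no longer exists in modern PHP, so a
// constructed request plus extract() stands in for it here.

// Constructed sample request: an unexpected parameter rides along.
$_GET = ['page' => 'cart', 'is_admin' => '1'];

// --- Vulnerable pattern (the one register_globals turned into a hole) ---
function render_vulnerable(array $request): string
{
    extract($request);             // stand-in for register_globals=On
    if (isset($admin_session)) {   // set only by a login path, never here
        $is_admin = true;
    }
    // $is_admin is never initialised on this code path, so whatever the
    // request supplied is what the check sees. No amount of later input
    // filtering helps: the script trusts a variable it never set.
    return !empty($is_admin) ? 'admin view' : 'customer view';
}

// --- Hardened pattern: initialise, whitelist input, derive privilege
//     from server-side state only ---
function render_hardened(array $request): string
{
    $is_admin = false;                               // always initialised
    $allowed_pages = ['cart', 'checkout', 'account'];
    $page = $request['page'] ?? '';
    if (!in_array($page, $allowed_pages, true)) {    // whitelist, not blacklist
        $page = 'cart';
    }
    // Privilege comes from the session, never from request input.
    if (isset($_SESSION['admin']) && $_SESSION['admin'] === true) {
        $is_admin = true;
    }
    $label = $is_admin ? 'admin view' : 'customer view';
    // Escape on output regardless of how the value was filtered on input.
    return $label . ' for ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
}

echo render_vulnerable($_GET), "\n";
echo render_hardened($_GET), "\n";
```

The first call shows the request value deciding the branch; the second ignores it because nothing in the request can reach $is_admin.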
