How do I secure my SaaS startup?

Alright, this answer is by no means exhaustive as this is a large question, but just off the top of my head here are some thoughts:

GIT:
That's good that you're doing the merges yourself, does that mean you're going to handle all the diffs? If you're not going to, the trust of the coder could be a POF, but if you are going to depending on the amount of merges expect to spend a lot of time doing all the diffs yourself.

Programming/Framework:
Might want to be careful disabling CSRF, whenever you do that and have flash there can be some nasty exploits. Best bet to prevent those is to make sure you have really solid session handling, and verify verify verify any time a user is accessing a resource. You can find some more info on common CSRF stuff here: CSRF FAQs. Also, watch out for this vulnerability. I don't have a ton of familiarity with CakePHP, but best rec is to make sure to sanitize, whitelist if possible, use ACLs, etc. Here is a very basic way to add a bit of additional security to your CakePHP instance.

Server Security:
I don't have a ton of experience with Capistrano, but from what I've heard it's a pretty solid tool, as long as you've grabbed a reliable fork. I would be more cognizant of vulnerabilities in the SSH handling itself, as it seems to me that is where capistrano could most likely be exploited. As for web server security, I think Amazon is one of the best choices out there.

SSL:
I would be very wary of a wildcard cert. If one of your subdomains is compromised, so will your entire network. All it takes is one certificate authority having a vulnerability and all of your customers and their data will be compromised. Since you're doing e-commerce, it's really important to have the highest levels of security for customer data.

Summary:
All in all, I would really recommend hiring a web app security professional who is credible in the field and has experience to take a look at your application. Since you will be dealing with financial data, which is one of the most sensitive types, a solid exhaustive look at your software is very important. I know it's hard when you're just starting out, but if you don't take the time to secure your app thoroughly one exploit could bring down your entire business.

Hope that helps :)


1)First and foremost master the OWASP Top 10.

2)Install a Web Application Firewall. They are requried by the payment card industry for a reason (PCI-DSS).

3)Lockdown PHP with PHPSecInfo.

5) Lockdown your database.

6)Use static code analysis like RIPS-PHP to track down serious vulnerabilities in your code.

7)Use Linux, especially Ubuntu, because AppArmor breaks exploits.

8) Last but not least, test your code web application for vulnerabilities. This doesn't have to cost a lot of money, Sitewatch has a free vulnerability scanning service.


In addition to @Rook's comments, if I were running a server on the Internet, I would strongly recommend using OSSEC. Great free log analysis/HIDS software. I run it on all my public facing kit.

Tags:

Agile

Web Application

Appsec

Related

IIS and SQLServer Hardening What is the equivalent European organization of NIST, especially in the Security Computer Division? How feasible is it for a CA to be hacked? Which default trusted root certificates should I remove? Why is it difficult to catch "Anonymous" or "Lulzsec" (groups)? Suitable cipher for SMS encryption How can I secure a network share from the insider threat? Detecting steganography in images Reference implementation of C# password hashing and verification Should I use AntiForgeryToken in all forms, even login and registration? What chars should I not allow in passwords? Is PBKDF2-based System.Cryptology.RFC2898DeriveBytes() "better" for Unicode Password hashing than traditional methods? Problems with avoiding JSON hijacking with MVC3's AntiForgeryToken, or similar token validation

Recent Posts