How do I secure my SaaS startup?

  • I came across http://security.stackexchange.com/questions/216/startup-security. I would like to offer my startup for security advice as well.

    Objective: building a SaaS web application that allows businesses to quickly open up online stores akin to Yahoo! Stores.

    Programming: Done mostly by me. Sometimes I hire freelancers to help me with stuff I do not know. I use the CakePHP framework for my web application.

    Hosting: Using Amazon EC2 and other Amazon Web Services like Elastic Load Balancing.

    Systems Administration: I am running Ubuntu Server 10.04.

    I know this is still a high-level question. Let me break this up into several subareas.

    Programming, collaboration with freelancers: I am using git and a remote git repo on ProjectLocker. I am not an expert in git. All I know is git add, git commit -a, git push, git merge, git checkout, git pull. When freelancers do work for me, I always tell them to commit their work in a separate branch and I will do a merge myself into the main branch. Not sure if there is any security loophole there. Please let me know.

    Programming, the code itself: Well, you guys cannot see the code, but I am using the CakePHP framework. I think I did everything correctly except that I had to disable the CSRF protection at times to allow certain Flash plugins to work. Not too sure what I should do about it. Not sure if there is any security loophole there. Please let me know.

    Deployment: I use Capistrano to do the deployment for me. Basically I think Capistrano SSHes into the server and from there instructs it to do a git fetch from the remote repository. I basically copied and pasted the Capistrano deploy script from somewhere and modified it. Not sure if there is any security loophole there. Please let me know.

    Web Application for users: Just bought and installed SSL certs. I had to use a wildcard certificate for my users' individual subdomains and a standard SSL cert for the signup page. Did not buy an extended validation SSL cert. Didn't think I needed it. Not sure if there is any security loophole there. Please let me know.

    Systems admin, collaboration, hosting: I do not have a protocol on how to update my server with security updates since I am not LIVE yet. I would appreciate something simple that an Ubuntu novice can use.

    Amazon Web Services, Systems admin, collaboration: I hired a sysadmin freelancer to help me install SSL certs because a) I am not familiar with Linux, b) I am not familiar with Amazon Web Services. If in future I hire someone to help me troubleshoot either Ubuntu or my Amazon Web Services, how do I do it without putting my SaaS at risk? I saw this for http://aws.amazon.com/iam/ but am not sure how to use it. Can someone give me a good protocol to allow hired freelancers to solve my system admin issues in a safe manner?

    Other areas I have NOT thought of: Please let me know.

  • Answer:

    Alright, this answer is by no means exhaustive as this is a large question, but just off the top of my head here are some thoughts:

    Git: That's good that you're doing the merges yourself, but does that mean you're going to handle all the diffs? If you're not going to, the trust of the coder could be a POF, but if you are going to, depending on the amount of merges, expect to spend a lot of time doing all the diffs yourself.

    Programming/Framework: Might want to be careful disabling CSRF; whenever you do that and have Flash there can be some nasty exploits. Best bet to prevent those is to make sure you have really solid session handling, and verify, verify, verify any time a user is accessing a resource. You can find some more info on common CSRF stuff here: http://www.cgisecurity.com/csrf-faq.html. Also, watch out for http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html. I don't have a ton of familiarity with CakePHP, but my best recommendation is to make sure to sanitize, whitelist if possible, use ACLs, etc. http://www.sanisoft.com/blog/2010/07/05/adding-security-to-your-cakephp-application-part-1/ is a very basic way to add a bit of additional security to your CakePHP instance.

    Server Security: I don't have a ton of experience with Capistrano, but from what I've heard it's a pretty solid tool, as long as you've grabbed a reliable fork. I would be more cognizant of vulnerabilities in the SSH handling itself, as it seems to me that is where Capistrano could most likely be exploited. As for web server security, I think Amazon is one of the best choices out there.

    SSL: I would be very wary of a wildcard cert. If one of your subdomains is compromised, so will your entire network be. All it takes is one certificate authority having a vulnerability and all of your customers and their data will be compromised. Since you're doing e-commerce, it's really important to have the highest levels of security for customer data.

    Summary: All in all, I would really recommend hiring a web app security professional who is credible in the field and has experience to take a look at your application. Since you will be dealing with financial data, which is one of the most sensitive types, a solid exhaustive look at your software is very important. I know it's hard when you're just starting out, but if you don't take the time to secure your app thoroughly, one exploit could bring down your entire business. Hope that helps :)

Kim Stacks at Information Security
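The answer above says to keep verifying requests even when a Flash plugin is involved rather than switching CSRF protection off. As an added example (not code from the question, the answer or CakePHP; plain PHP 5.3 as shipped with Ubuntu 10.04, with assumed function names, an assumed `csrf_token` field and `$session`/`$post` arrays standing in for `$_SESSION`/`$_POST`), here is the synchronizer-token check that a "disabled for Flash" upload action skips, beside the same action with the token carried through the Flash plugin:

```php
<?php
// Added example, not code from the question, the answer, or CakePHP itself.
// It models the synchronizer-token check a framework's CSRF protection performs
// and shows how to keep that check on for a Flash/SWF upload action instead of
// switching it off. Function names, the 'csrf_token' field name and the
// $session/$post arrays (stand-ins for $_SESSION/$_POST) are assumptions.
// Written to run on PHP 5.3, which Ubuntu 10.04 ships.

// hash_equals() only exists from PHP 5.6; fall back to a constant-time
// comparison so the token check does not leak a byte-by-byte timing signal.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($known); $i < $n; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Issue one random token per session. Render it as a hidden form field for
// normal forms AND pass it to the SWF as a flashvar, so the plugin can send it
// back in its multipart POST (Flash does not reliably forward the browser's
// cookies, which is why the framework check failed for it in the first place).
function csrf_issue_token(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $session['csrf_token'];
}

// The check itself: token present in the request and equal to the session's.
function csrf_verify(array $session, array $post) {
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// BEFORE: what "disable CSRF protection for the upload action" amounts to.
// Any page on the web can make a logged-in victim's browser POST here and the
// request is processed under the victim's session.
function handle_upload_unprotected(array $session, array $post) {
    return 'accepted: ' . $post['file'];
}

// AFTER: the check stays on for the upload action too; the SWF simply carries
// the token like the HTML form does. A forged cross-site request cannot
// include it, because the attacker never sees the victim's token.
function handle_upload_protected(array $session, array $post) {
    if (!csrf_verify($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return 'accepted: ' . $post['file'];
}

// Demo with a fake session and three requests.
$session = array();
$token   = csrf_issue_token($session);

// Legitimate upload: the SWF posts back the token it was handed as a flashvar.
echo handle_upload_protected($session, array('csrf_token' => $token, 'file' => 'logo.png')), "\n";
// Forged request from another origin: no token, so it is refused.
echo handle_upload_protected($session, array('file' => 'shell.php')), "\n";
// The unprotected handler accepts that same forged request.
echo handle_upload_unprotected($session, array('file' => 'shell.php')), "\n";
```

If the uploader also has to be handed the PHP session id as a parameter so the server can locate the session, treat that id as a secret equivalent to the cookie: regenerate it at login and never let a client-supplied id create a fresh session, otherwise the token check is only as strong as the weakest session-handling path.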


Other answers

1) First and foremost, master the http://www.owasp.org/index.php/Category%3aOWASP_Top_Ten_Project.
2) Install a http://www.modsecurity.org/. They are required by the payment card industry for a reason (PCI-DSS).
3) Lock down PHP with http://phpsec.org/projects/phpsecinfo/.
4) http://www.nccgroup.com/Libraries/Document_Downloads/Hackproofing_MySQL.sflb.ashx.
5) Use static code analysis like http://php-security.org/2010/05/24/mops-submission-09-rips-a-static-source-code-analyser-for-vulnerabilities-in-php-scripts/index.html to track down serious vulnerabilities in your code.
6) Use Linux, especially Ubuntu, because http://en.wikipedia.org/wiki/AppArmor breaks exploits.
7) Last but not least, test your web application for vulnerabilities. This doesn't have to cost a lot of money; http://sitewat.ch/ has a free vulnerability scanning service.

Rook

In addition to @Rook's comments, if I were running a server on the Internet, I would strongly recommend using OSSEC. Great free log analysis/HIDS software. I run it on all my public facing kit.

xntrik
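xntrik's recommendation is OSSEC for log analysis and host intrusion detection. As an added example (not part of the answer and not OSSEC's own code), here is the kind of correlation an OSSEC sshd rule performs: failed-password lines from auth.log are grouped per source address and an alert is raised when a threshold is crossed inside a time window, followed by the firewall block an active response would apply. The log lines, hostname, addresses, threshold and window are all constructed.

```php
<?php
// Added example: not from xntrik's answer and not OSSEC's own code. It does the
// correlation an OSSEC sshd rule does: count "Failed password" events per source
// IP inside a sliding time window and alert when a threshold is crossed.
// The log lines, hostnames, addresses, threshold and window are constructed.

// Constructed sample of Ubuntu 10.04 /var/log/auth.log (syslog format, no
// year). 203.0.113.7 is guessing passwords; 198.51.100.20 is one mistyped
// password followed by a normal key login.
$sample_log = <<<'LOG'
Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40312 ssh2
Mar  3 10:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40312 ssh2
Mar  3 10:15:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40320 ssh2
Mar  3 10:15:07 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 40331 ssh2
Mar  3 10:15:09 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40340 ssh2
Mar  3 10:15:10 web1 sshd[2108]: Failed password for deploy from 198.51.100.20 port 51002 ssh2
Mar  3 10:15:12 web1 sshd[2108]: Accepted publickey for deploy from 198.51.100.20 port 51002 ssh2
Mar  3 10:15:15 web1 CRON[2110]: pam_unix(cron:session): session opened for user root by (uid=0)
LOG;

// Parse one line; returns null unless it is an sshd failed-login record.
function parse_failed_login($line) {
    $re = '/^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
        . 'Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // syslog timestamps carry no year; strtotime() assumes the current one,
    // which is harmless for a window measured within a single file.
    $ts = strtotime(preg_replace('/\s+/', ' ', $m[1]));
    return array('ts' => $ts, 'user' => $m[2], 'ip' => $m[3]);
}

// Return array(ip => most failures seen in any $window seconds) for every
// source that reached $threshold failures.
function detect_bruteforce($log_text, $threshold = 5, $window = 60) {
    $attempts = array();                       // ip => list of timestamps
    foreach (explode("\n", $log_text) as $line) {
        $ev = parse_failed_login($line);
        if ($ev === null) {
            continue;
        }
        $attempts[$ev['ip']][] = $ev['ts'];
    }
    $alerts = array();
    foreach ($attempts as $ip => $times) {
        sort($times);
        $start = 0;
        for ($end = 0, $n = count($times); $end < $n; $end++) {
            // advance the window start until the span fits in $window seconds
            while ($times[$end] - $times[$start] > $window) {
                $start++;
            }
            $count = $end - $start + 1;
            if ($count >= $threshold && (!isset($alerts[$ip]) || $count > $alerts[$ip])) {
                $alerts[$ip] = $count;
            }
        }
    }
    return $alerts;
}

// What OSSEC's active response would do next: block the source at the host
// firewall. Printed here rather than executed.
foreach (detect_bruteforce($sample_log) as $ip => $count) {
    printf("ALERT: %d failed SSH logins from %s within 60s\n", $count, $ip);
    printf("  active response: iptables -I INPUT -s %s -j DROP\n", $ip);
}
```

On the sample above only 203.0.113.7 trips the rule (five failures in eight seconds); the single typo from 198.51.100.20 stays below the threshold, which is the point of counting per source inside a window rather than alerting on every failed line. OSSEC adds what this sketch leaves out: tailing the file continuously, decoding many log formats, and timing out the block.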
