Re: Building secure software for business

Quote from: Ichthyo on January 25, 2013, 06:13:20 PM

Especially for security, when we're entering a realm of "serious business", the key point is not to build counter measures against every conceivable thread, but rather to be able to prove that you've done your due diligence regarding security. For a business, its important to be able to offload the liability for some aspects of security to other persons and institutions.

To create a somewhat stylized and hypothetical example:
An entrepreneur hires two developers to build (or rebuild) a site. But he tells them right away, that security is a concern, and thus

that he will conduct regular code reviews with them, where they have to explain security-relevant topics and decisions to him.
that there will be an external security audit prior to launch, and that they will be doing excess hours to fix any serious uncovered issues

So now its in the developers own interest to come up with clever and creative solutions to get a grip onto security. This, and the fact that they will regularly be forced to explain what they've done to an outsider will create a push in the direction of a more structured, architecture centric approach. Building this way will slow them down considerably for sure, so that is the price to pay. But in the end, both sides will benefit. The developers are relieved from those mind bogging discussions about the right level of carefulness and trickery, since there is a clear externally set goal to work against. Also, they've gotten a good argument to defeat pressure to move faster. And the entrepreneur, by conducting and moderating the code reviews, got a more thorough understanding of the technology and system to be built plus an external audit and testate, which is a building block for legal defence in case a real security breach happens later on.

While such an approach has proven his virtue in practice, unfortunately it's not a guaranteed recipe for success. It still pretty much depends on the personality of the people involved. Team up the "right" people in such a scheme, and it becomes a recipe for disaster Grin

THAT is the truth right there .. take note.

Quote from: schalk on January 25, 2013, 06:25:47 AM

I disagree, security should not be your #1 concern when choosing a language.

Um, this is going to be a Bitcoin business. Personally, I think security should #1 AND #2. In the end, who gives a damn how many times your server crashes in a day, if ALL your Bitcoins magically disappear. I would strongly advise that you separate your web server from your bitcoin server as was suggested earlier. And at the very least put some IDS software on so you know what the hell is happening at all times:

OSSEC is FREE and well supported http://www.ossec.net/
Snorby is pretty f---in' awesome, but its RoR and I (don't know why, but) just don't like RoR https://snorby.org/

I have extensive experience working with both ASP.NET and PHP and if startup/operational costs matter at all to you, I'd say choose anything BUT ASP.NET. Relatively speaking (and I acknowledge there is obviously some value from Redmond) they are just WAY, WAY too expensive (licensing every which way you turn -- till you get dizzy and collapse). Unfortunately, many young startups find this out too late.

Just my 2 bitcents
S.