A secure search engine in ColdFusion

January 14, 2008 at 11:27 pm


Well, it’s official! We’ve got a hacker safe site… (for now anyway)

I’ve always been pretty careful about security when it comes to programming, web server setup and so on.

We had our site checked by members of CFAUSSIE before we launched it. Two issues came up; one was reported by Steve Bentley, who did an awesome job of discovering the hole.

We’re not scared to put our site out there and let people try to break it; I believe it’s the only way to go if you want to run a successful, high-traffic Australian search engine. It’s better to discover the security holes before launch and fix them than to discover them after launch and get a bad name.

OK, even though we had the site checked by members of the ColdFusion community, I still did not feel 100% safe about it all. So we’ve become a member of www.scanalert.com and had our site and server scanned for thousands of vulnerabilities. Becoming a ScanAlert member is not cheap, but I reckon it is well worth the money if you want to be notified about potential security holes (if any) before anyone else discovers them.

Everything went as planned, and our own methods of securing the site and reporting on it worked too: the scan requested a number of pages within a time frame that can only be automated. Our application detects this, we get notified, and the IP is logged and banned from accessing further content. We plan to eventually integrate this with the web server so the IP is put straight into its access-denied list.
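The detection described above, as an added example written for this post rather than the site’s own code: an Application.cfc fragment that counts requests per client IP in a fixed window, and on a burst that only a script could produce logs it, mails an operator and bans the IP for the rest of the application’s life. The threshold (60 requests in 10 seconds), the mail addresses, the allow-listed scanner address and the log file name are all assumptions for illustration.

```cfml
<cfcomponent output="false">
    <cfset this.name = "ThrottleExample">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Per-IP counters and the ban list live in the application scope --->
        <cfset application.hitLog    = structNew()>
        <cfset application.bannedIPs = structNew()>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var ip           = cgi.remote_addr>
        <cfset var now          = getTickCount()>
        <cfset var maxRequests  = 60>        <!--- assumed threshold --->
        <cfset var windowMillis = 10 * 1000> <!--- assumed window: 10 seconds --->
        <cfset var allowList    = "203.0.113.10"> <!--- placeholder: IPs of your own scanner/monitor --->
        <cfset var entry        = "">

        <!--- Let an authorised scanner through, otherwise it only ever tests the throttle --->
        <cfif listFind(allowList, ip)>
            <cfreturn true>
        </cfif>

        <cflock scope="application" type="exclusive" timeout="5">
            <!--- Already banned: refuse before doing any further work --->
            <cfif structKeyExists(application.bannedIPs, ip)>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            </cfif>

            <!--- Open a new window for this IP if none exists or the old one has expired --->
            <cfif not structKeyExists(application.hitLog, ip)
                  or now - application.hitLog[ip].windowStart gt windowMillis>
                <cfset application.hitLog[ip] = structNew()>
                <cfset application.hitLog[ip].windowStart = now>
                <cfset application.hitLog[ip].count = 0>
            </cfif>

            <!--- Structs are passed by reference, so updating 'entry' updates the application scope --->
            <cfset entry = application.hitLog[ip]>
            <cfset entry.count = entry.count + 1>

            <cfif entry.count gt maxRequests>
                <!--- Automated pace: ban, log, notify, and stop this request --->
                <cfset application.bannedIPs[ip] = now>
                <cfset structDelete(application.hitLog, ip)>
                <cflog file="ratelimit" type="warning"
                       text="Banned #ip#: #entry.count# requests in #windowMillis# ms, last page #arguments.targetPage#">
                <!--- Assumes a mail server is configured in the ColdFusion Administrator --->
                <cfmail to="ops@example.com" from="app@example.com" subject="IP banned: #ip#">
                    #entry.count# requests in #windowMillis / 1000# seconds from #ip#.
                    Banned until the application restarts.
                </cfmail>
                <!--- A web-server deny-list hook would go here --->
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            </cfif>
        </cflock>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two things to keep in mind with this shape. The hit log grows with every distinct client IP until the application times out, so on a high-traffic site you would prune expired entries periodically or move the counters into a cache with its own expiry. And an IP that is banned can no longer be scanned, so a scanner you have paid for needs to be on the allow list (or the ban lifted) if you want it to test the application behind the throttle rather than the throttle itself.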

The scan report from ScanAlert is pretty comprehensive; if they find something they also help with explaining and fixing the hole. As it happens, we had a couple of low alerts. The alerts range from Low to Urgent, with Medium, High and Critical in between. The low alerts were things like answering ICMP requests, which we have to allow because the site is also monitored externally, and if and when it goes down we like to be notified! 😉

Another alert had something to do with cookies not being set over a secure channel. I will have to read up a bit more about that one; I’m not sure how that would work, since we can’t put SSL over the whole site.
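Findings of this kind usually mean a cookie is sent without the Secure attribute, so the browser will also return it over plain HTTP. The catch for a mostly-HTTP site is the other half of that rule: a cookie marked Secure is never sent over HTTP at all, so a Secure session cookie only works inside the HTTPS part of the site. The fragment below is an added example, not the site’s code: it assumes the flagged cookie is ColdFusion’s own CFID/CFTOKEN session pair (the post does not name the cookie), stops ColdFusion from writing them itself, and sets them only on HTTPS requests, scoped to an assumed /account area.

```cfml
<cfcomponent output="false">
    <cfset this.name = "SecureCookieExample">
    <cfset this.sessionManagement = true>
    <!--- ColdFusion would otherwise emit CFID/CFTOKEN without the Secure flag.
          It still reads them from the cookie scope, so we can set them ourselves. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- cgi.server_port_secure is 1 on an HTTPS request, 0 otherwise --->
        <cfif cgi.server_port_secure>
            <!--- Secure cookies are only returned over HTTPS; path="/account" is an assumed
                  SSL-only area so the browser is never expected to present them on plain pages --->
            <cfcookie name="CFID"    value="#session.CFID#"    secure="yes" path="/account">
            <cfcookie name="CFTOKEN" value="#session.CFTOKEN#" secure="yes" path="/account">
        </cfif>
        <!--- On plain HTTP nothing that identifies a session is written at all --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The trade-off is exactly the one the alert hints at: with this in place the public HTTP pages have no persistent session, and anything that needs one has to live under the HTTPS path. The alternative is to serve the whole site over SSL and mark every cookie Secure. Note also that the httponly attribute on cfcookie only arrived in ColdFusion 9; on older versions the same Set-Cookie header, including HttpOnly, can be written with cfheader.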

I’ll report more about this when information becomes available.


Entry filed under: Other.


1 Comment

  • 1. greg  |  January 29, 2009 at 10:12 pm

    Gentlemen,
    I was listening to Coast to Coast here in the US last night and heard Katherine Albrecht of CASPIAN (Consumers Against Supermarket Privacy Invasion) talking about an Australian non-following search engine.
    I think it starts with an I. Can you send me an answer with the name?
    Greg
