We are somewhat hesitant to talk about security since we do not want to invite unwanted attention. However, with regular reports of security issues popping up (for example here and here), and now the report of the JP Morgan Chase race security breach, we figured it might be useful to give guidance to our industry of common practices that can help secure systems.
We are not giving specifics of what and how we do things (you can contact us and arrange a call to discuss details), but these are the sorts of things that should be done to make a site more secure:
- Do NOT store credit cards on the registration server
- Utilize a highly robust and secure cloud infrastructure like the leader, Amazon AWS
- Multi-level firewalls between multiple virtual private clouds and subnets for each layer of the server architecture. For example, your load balancers, which accept traffic from the public internet, should be the only publicly reachable addresses. The firewalls and VPCs should be configured to allow only the known IP addresses from each tier and only the traffic types that tier actually needs.
- Store passwords using a secure password hashing algorithm such as bcrypt.
- Applications should sanitize user input and use SQL prepared statements to prevent XSS attacks and SQL injection. This is especially important, and there should be a code review process to make sure all added code follows these rules, since breaches like the one mentioned in the JP Morgan Chase article most likely happened this way, giving the attacker access to all user accounts and passwords.
- The entire website should use HTTPS, and HTTP requests should be automatically redirected to HTTPS.
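To show why the prepared-statement rule above belongs in every code review, here is an added illustration (not code from the original post) using Python's built-in sqlite3 module and a constructed two-row registration table: the same lookup written with string concatenation and with a bound parameter, run against a normal email and against an input containing a stray quote.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory registration table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "<bcrypt-hash-placeholder-1>"),
         ("bob@example.com", "<bcrypt-hash-placeholder-2>")],
    )
    return conn


def lookup_unsafe(conn, email):
    # String concatenation: the user's input becomes part of the SQL text,
    # so a quote character lets it change the meaning of the WHERE clause.
    sql = "SELECT email FROM users WHERE email = '" + email + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Prepared statement: the input is bound as data and is never parsed as
    # SQL, whatever characters it contains.
    sql = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups on a normal value and on a malformed one."""
    conn = build_db()
    normal = "alice@example.com"
    # Constructed malformed input: a quote followed by an always-true clause,
    # the classic pattern a code reviewer should be testing against.
    malformed = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_malformed": lookup_unsafe(conn, malformed),  # leaks every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_malformed": lookup_safe(conn, malformed),      # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every registered email for the malformed input, which is exactly the "all user accounts" outcome described above; the bound-parameter version returns nothing.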
Things like PCI compliance are typically highlighted in registration websites, and this is a baseline requirement for doing secure credit card processing. However, the list above is actually more important to implement.