Saturday, December 1, 2012

Project - Enhancement on website to provide online application and facebook integration

On this story, we are going to enhance our current company website to support online application.  Within the application, we will correct client's personal information together with their Facebook authentication for further user information collection.

Requirements:
  1. Online application in a secured channel.
  2. Uploaded application and attached document needs to be secured.
  3. Collect Facebook authentication token.
  4. Access to submitted application from our internal staff in secure way.
What we are having now:
  1. The current website was design and created by a website design house.  Mainly static contents.
  2. We have an internal system which stores all client's sensitive information.
  3. We have register company domain and website is hosting on a shared hosting plan.  i.e. Many other outside domains are hosted together, sharing resources and IP.  This was fine at the moment since we only serves static information on our website.
  4. Website contents is managed by Modx.
  5. Design house will be responsible for creating new application form on our website.
  6. We will setup the environment for new website deployment and make sure the security of application data.
Considerations:
  1. Since our online application need to be secured, we needs https on application pages.
  2. Internal system should be separated from website for security concerns.
  3. Application data will be stored on hosting server database and file system.
  4. The application data on website should only be a temporary storage.  Once it's retrieved from our staff, it should be cleanup from website database.
  5. Application data should not be accessible by Design house personnel.  We should only provide minimal access for their deployment.  Once done, we should restrict their access.
  6. Access to application data on website should be granted only to IPs from office and internal system servers.
Things to do:
  1. Move web hosting to VPS so as to get a dedicated IP and server resource.
  2. Setup VPS and grant required access to design house for their deployment.
  3. Create access point on getting the Facebook authentication token and applications into our internal system.
Story daily:

  1. The original communication between us and design house was handle by another colleague who didn't say anything about online application security concerns.  No HTTPS was plan in the implementation.
  2. Raise security concern to product director.
  3. Agreed on we should make all application form secured.  Using HTTPS and SSL connections.
  4. Secure points: submission of form; Storage of application data on web server;  Secure retrieval of data from web server to our internal system.
  5. Coordinate with design house to make sure we are on the same picture and they know what they're going to do.
  6. Coordinate with developer on the way to get access Facebook token that will be stored on web site database.
  7. Apply VPS hosting plan.  Pay the bill, get access to VPS.
  8. Setup VPS for Modx deploy.
  9. ....
Posted by leoo.lai at
Labels: ,

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)