A small company without any IT skills wants to run a web application where customers can enter various bits of data and upload PDFs.
The documents regard product specifications and have to be kept secure.
They have one external IT guy who wants to sell them a PHP application for the task. He wants to store the documents directly on the webserver, and sync them with Google Drive, which they use for their internal documents.
Is it ok to store the documents on the server, or does this create a potential security problem?
I have the feeling that they should not keep the files on the server after uploading, and that they should get them away from the webserver and into a more protected domain right after the upload has taken place?
Is it okay to sync these sensitive files with a Google Apps for Business account? The Google credentials must be known to the web application. Does this pose another security risk?
Would you advise against the use of PHP in this scenario?
Is there a better solution to this?
Thanks a lot! 🙂
First off, you shouldn’t be thinking of security in terms of a binary ‘ok’ or ‘not ok’. Every choice you make has security implications that you want to understand.
Regarding keeping the files on the web server’s machine, that’s not typically a problem for most commercial applications. You just need to make sure they aren’t accessible via the web server. Storing them outside the web server’s document directories is a typical strategy. And of course, don’t neglect security on the server itself.
Putting the files into a Google Drive folder should be fine. Another option is to periodically rsync down to the local network. But it really depends on what the company needs. Another option is to provide the company a web-based system by which the files are accessed, and do away with the file replication altogether.
PHP is fine. Rarely is the language choice a major factor. You are far, far more likely to encounter security issues in the application code itself. Just keep PHP up to date. But the same is true for every server-side language.
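The "store it outside the document directories" strategy from this answer, as an added example in PHP (not code from the thread or from the contractor's application). It assumes a storage root such as `/srv/app-private/uploads` that the web server cannot serve, a `documents` table with `id`, `owner_id`, `original_name` and `uploaded_at` columns, and that the application's own login flow has already established the requesting user's id. The download side goes through an application route that checks ownership, so no file path is ever exposed as a URL.

```php
<?php
// Added example, not from the thread. Assumed: UPLOAD_ROOT lies outside the
// web root, and $db is a PDO connection the application already has.
declare(strict_types=1);

const UPLOAD_ROOT = '/srv/app-private/uploads';   // assumed path, NOT under the docroot
const MAX_BYTES   = 20 * 1024 * 1024;

/**
 * Store one uploaded PDF outside the document root.
 * Returns the opaque storage id recorded in the database, or null if rejected.
 */
function storeUploadedPdf(array $file, int $ownerId, PDO $db): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Inspect the actual bytes; the client-supplied name and $file['type'] are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        return null;
    }
    // Random storage name: the original filename never reaches the filesystem.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_ROOT . '/' . $id . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0600);   // readable by the application user only
    $stmt = $db->prepare(
        'INSERT INTO documents (id, owner_id, original_name, uploaded_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$id, $ownerId, basename($file['name'])]);
    return $id;
}

/**
 * Stream a document to its owner. The web server itself has no route to the file.
 */
function sendDocument(string $id, int $requesterId, PDO $db): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {    // rejects anything path-like
        http_response_code(404);
        return;
    }
    $stmt = $db->prepare('SELECT original_name FROM documents WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $requesterId]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = UPLOAD_ROOT . '/' . $id . '.pdf';
    if ($row === false || !is_file($path)) {
        http_response_code(404);   // same answer whether the file is missing or not yours
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: application/pdf');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Typical wiring in the two request handlers (user id comes from the app's session):
// $id = storeUploadedPdf($_FILES['spec'], (int) $_SESSION['user_id'], $db);
// sendDocument($_GET['id'] ?? '', (int) $_SESSION['user_id'], $db);
```

Two details carry most of the value: the stored name is random and validated with a strict pattern, so a request can never name an arbitrary path, and the ownership check is part of the same query that looks the document up, so there is no separate "find, then authorise" step to forget.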
There are a number of potential problems here. There's not enough detail on the technical solution to say for sure, but it seems an unsophisticated approach.
Instead of criticising the technology selection though, we should establish the security criteria needed for the application and ask how the solution achieves each point.
Should the documents be stored encrypted and if so what level of encryption is needed?
Who should be allowed to access the documents and how is unauthorised access prevented?
How long should the documents be stored and how do we ensure they are correctly disposed of?
In the case of a PHP website saving the docs to a folder and syncing with Google you would seem to fall down on all of these questions.
The document is not encrypted. If the server is compromised the attacker will be able to read the documents.
Syncing to Google Drive would surely need some extra complexity to set the authorisation settings per document. Also, how are the Google Drive credentials kept secure? If I get the upload code, can I also download all the documents?
Finally, the request/response nature of a website doesn't lend itself to the scheduled task nature of deleting old documents.
Be wary of ‘But we don't need to..’ style answers.
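The three criteria this answer sets out (encryption at rest, access limited to the right people, disposal after a retention period) and its point that deletion belongs in a scheduled task rather than a request handler, as an added PHP example that is not code from the thread. It assumes PHP with the libsodium extension, a storage directory outside the web root, a 32-byte key supplied through an environment variable named `DOC_KEY_HEX` (assumed name) from a secret store rather than from the database or the code, and a `documents` table with an `expires_at` column. Who may read a document is decided by the application before `decryptDocument` is ever called; this block covers the storage side only.

```php
<?php
// Added example, not from the thread. Assumed: libsodium available, DOC_ROOT outside
// the docroot, key material delivered via the environment, a PDO handle $db.
declare(strict_types=1);

const DOC_ROOT = '/srv/app-private/encrypted';   // assumed path, NOT under the docroot

/** Load the document key; refuse to run with a missing or malformed key. */
function loadKey(): string
{
    $hex = getenv('DOC_KEY_HEX');   // assumed variable: 64 hex chars = 32-byte key
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('document key not configured');
    }
    return sodium_hex2bin($hex);
}

/** Authenticated encryption; output layout is nonce || ciphertext (tag included). */
function encryptDocument(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

/** Returns null when the blob was truncated, tampered with, or encrypted under another key. */
function decryptDocument(string $blob, string $key): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;
}

/** Write encrypted bytes so that no partially written file is ever visible. */
function storeEncrypted(string $id, string $plain, string $key): void
{
    $tmp = DOC_ROOT . "/$id.tmp";
    file_put_contents($tmp, encryptDocument($plain, $key), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, DOC_ROOT . "/$id.enc");   // atomic on the same filesystem
}

/** Read one document back; the caller has already checked the requester may see it. */
function readEncrypted(string $id, string $key): ?string
{
    $path = DOC_ROOT . "/$id.enc";
    return is_file($path) ? decryptDocument(file_get_contents($path), $key) : null;
}

/**
 * Retention job, run from cron rather than from a web request:
 * delete expired files first, then the rows, so a failed unlink never leaves
 * a file the database has forgotten about. Returns the number removed.
 */
function purgeExpired(PDO $db): int
{
    $ids = $db->query('SELECT id FROM documents WHERE expires_at < NOW()')
              ->fetchAll(PDO::FETCH_COLUMN);
    $removed = 0;
    foreach ($ids as $id) {
        $path = DOC_ROOT . "/$id.enc";
        if (!is_file($path) || unlink($path)) {
            $db->prepare('DELETE FROM documents WHERE id = ?')->execute([$id]);
            $removed++;
        }
    }
    return $removed;
}
```

With this layout a copy of the directory (a stray backup, a cloned server image) yields nothing without the key, which is exactly the case the answer raises: if the server alone is compromised, the attacker gets ciphertext. The key still has to live somewhere the application can reach it, so that place becomes the thing to protect and to rotate.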
GrandmasterB’s answer has prompted me to expand on my views about storing the files on the webserver.
My view is that this is very bad practice in general and can lead to a number of security issues.
1: clearing out the directory.
If you never really use the directory itself, instead syncing to Google Drive or whatever, then the webserver directory can be forgotten as just a technical step in the process of getting the file to your PC. You end up with a directory of forgotten files hanging around on the internet somewhere.
2: backups
If you back up your webserver it's likely that you are also backing up your directory of files. Again this leads to a forgotten copy or copies of the data floating around.
3: web farms and third parties
The common way of running websites these days is to have more than one server up at a time. Even if it's just a hot swap box you now have TWO directories of files to manage and sync. Want to spin up more boxes to cope with load? Change provider? Upgrade? Each one means more places your customers' data is stored.
Additionally, who hosts their own websites these days? Your website is likely to be ‘in the cloud’ or with a third party. Although this will have its own security concerns, you don't want to link ‘security my website code needs’ with ‘security my customers' data needs’ if you can help it.
In summary, my view is that you are more likely to lose track of your data and have an internal ‘omg we had to do a security review for a customer and they are mad that we have 10 copies of their secret doc’ unless you have a single document repository of some kind, separate from other concerns.
Thank you for all the provided feedback!
I will give them the following advice:
Make sure that the programmer follows the OWASP secure coding guidelines.
Make sure passwords are stored encrypted in the database.
Do not save the documents on the webserver. Sync them at once to Google or SpiderOak if they need to be encrypted. If the sync fails, the whole transaction fails.
Have a web application firewall in front of the webapp.
Pay for a professional security audit and penetration test.
Anything more? 🙂
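For the password point in the list above, an added PHP example (not code from the thread) of what "stored so that a database leak does not reveal them" looks like in practice: PHP's built-in password API, which stores a salted, deliberately slow one-way hash rather than something that can be decrypted. It assumes a `users` table with `id`, `email` and `password_hash` columns and a PDO handle.

```php
<?php
// Added example, not from the thread. Assumed: users(id, email, password_hash), PDO $db.
declare(strict_types=1);

/** Hash and store a new password; the plaintext is never written anywhere. */
function storeNewPassword(PDO $db, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // salted, cost-adjustable, one-way
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')->execute([$hash, $userId]);
}

/**
 * Verify a login. Returns the user id on success, null otherwise.
 * An unknown email is checked against a dummy hash so the response time
 * does not reveal which addresses exist.
 */
function checkLogin(PDO $db, string $email, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row['password_hash'] ?? $dummyHash;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparently upgrade hashes created with an older algorithm or lower cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storeNewPassword($db, (int) $row['id'], $password);
    }
    return (int) $row['id'];
}
```

`password_verify` does the salt handling and constant-time comparison itself, so the application never compares hashes with `==`; the `password_needs_rehash` check is what lets the site raise the work factor later without forcing every customer to reset their password.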