Re: Web Hosting / and Site Security Question
From: Steve (securityfocus_at_delahunty.com)
To: "Mailing Lists" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 12 Oct 2004 11:48:04 -0400
It can't hurt to use SSL as you suggest.
I would recommend checking out firms like Digex, AboveNet, and ServerVault
for secure managed hosting. Maybe even consider RackSpace. But expect to
pay much more than lower-end providers. Check out TruSecure certified
firms, such as ServerVault.
----- Original Message -----
From: "Mailing Lists" <email@example.com>
Sent: Friday, October 08, 2004 2:35 PM
Subject: Web Hosting / and Site Security Question
I am doing work for a small / mid sized company that is going to begin
using their website more actively. I have a few questions regarding
security and hosting issues.
First off we are going to use a third party to host an application
that will collect information from clients and customers. On our site
we will provide a link that will take customers and clients to that
secured site. We have done thorough Vendor Management and we are
confident that this company is secure and reliable. My question is
does it make sense / is it necessary to incorporate SSL onto our web
page. Specifically I am concerned with the page that contains the
link to the third party website. My thought is that the page that
contains the link to the third party application would be digitally
signed and secured so that users are assured that the link provided is
the intended link. Does this actually add security? Is this going to
provide any real protection against phishing scams and the like? What
are the pros and cons? Are there any better solutions,
methodologies for adding security in this circumstance?
Secondly, this company has been using a mom and pop shop for web and
email hosting since its inception. Now that the web page is going to
be used more actively for promotional use and the company is growing
in size I believe there is a need to start being more security minded
about the hosting of the site (i.e. potential for defacement, et al.).
I would like to find a company that can host the website and email
that does annual security assessments and penetration testing, and can
provide us with SAS70 Type II or similar documentation. Any
recommendations about companies that you have used or worked with
would be greatly appreciated.
Thanks in advance for your responses!