LinuxQuestions.org
Old 03-05-2007, 10:51 AM   #1
hgb
Member
 
Registered: Jun 2004
Distribution: Mandrake 10, SUSE 10.x, DEbian
Posts: 125

Rep: Reputation: 15
book for *cking??


Hi there people, I'm writing a program that has client-server, DB, threads and things like that; the client has asked about how secure our system is...

The point is that I don't really know about this, so I ask if there are reference books or a book that I can apply to test my system, from standalone things to internet things.

To be able to say something like it is vulnerable to this and this if this other thing happened, and show the tests.
 
Old 03-05-2007, 02:52 PM   #2
jim mcnamara
Member
 
Registered: May 2002
Posts: 964

Rep: Reputation: 36
You are much better off having a security expert analyze your source code.

Koziol J., et al -
'Shellcoder's Handbook: Discovering and Exploiting Security Holes' April 2004
 
Old 03-05-2007, 04:07 PM   #3
hgb
Member
 
Registered: Jun 2004
Distribution: Mandrake 10, SUSE 10.x, DEbian
Posts: 125

Original Poster
Rep: Reputation: 15
In fact at the end it is supposed to pass a security expert on the side of the "client/customer" or whatever it is called, but I need beforehand to say "yes it is secure under this environment", to do tests under that environment and then let the expert flow away.

That is, I cannot wait until I meet the final proof of the security of my system; also I'm somewhat in early development, so I can take some considerations now and not later when all is nearly done.

I have been searching Amazon, but there are a lot of books there. Thanks for the suggestion.
 
Old 03-06-2007, 02:22 AM   #4
slzckboy
Member
 
Registered: May 2005
Location: uk - Reading
Distribution: slackware 14.2 kernel 4.19.43
Posts: 462

Rep: Reputation: 30
All the more reason for maybe hiring a security expert so he can outline the criteria that would constitute a "secure" application.
Especially if you don't know where to start.

I would approach it from the other angle, i.e. find out how people exploit the type of application that you are trying to build.

There's tons of that sort of stuff on the web.
Then go about hardening your code from that standpoint.

I guess you also have to consider what sort of environment your program will be requested to work in.

I.e. a relatively safe private LAN, or will people be accessing it via the web?!
Do they want protection from eavesdroppers (i.e. data encryption on the wire)?

Does the client want it to have inbuilt security measures like password protection or different levels of user privileges?
Does it implement a secure password policy??

I'm just guessing???
 
Old 03-06-2007, 03:21 AM   #5
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824

Rep: Reputation: 350
Here's one thread where people are giving book suggestions.
http://www.securityfocus.com/archive...30/30/threaded
 
Old 03-06-2007, 04:10 AM   #6
bigearsbilly
Senior Member
 
Registered: Mar 2004
Location: england
Distribution: Mint, Armbian, NetBSD, Puppy, Raspbian
Posts: 3,515

Rep: Reputation: 239
Can you ask the auditor what criteria you have to pass?
Talk to people in your organization who may know the sort of things required.

Don't be afraid to ask questions.
 
Old 03-06-2007, 07:00 AM   #7
jim mcnamara
Member
 
Registered: May 2002
Posts: 964

Rep: Reputation: 36
Do you have a security admin - that person is the best place to start.
 
Old 03-06-2007, 11:29 AM   #8
hgb
Member
 
Registered: Jun 2004
Distribution: Mandrake 10, SUSE 10.x, DEbian
Posts: 125

Original Poster
Rep: Reputation: 15
No, I don't have an admin or security people here. In fact the programming group is very small, and we are somewhat under pressure because the client has shortened the time of delivery (the boss has said, yes we can shorten the time of delivery, and they have taken his word :S...).

Yes, I need encryption; in fact I will use TEA because it is very simple to implement for the data being communicated. I was also thinking perhaps of OpenSSL or OpenSSH, but I guess TEA will be enough, also to secure a SQLite database a little... people here before have used Oracle... I guess for the server-side part it will be OK, but for the client side (not much power there) SQLite+TEA will be enough for data.

It will have access from the web, and via a LAN.

The people have asked about "how secure are your applications??" (they like the functionality... but they also want security in the system); they have asked about DoS attacks, if the data is encrypted, how much traffic it can handle (ok... this is not about security but integral), how secure your apps are to a direct attack on the service, that is, if a person/program gets physically to the server, how secure is the app.

In fact I'm migrating to Linux (at the end it will be Red Hat; for development I'm using Fedora+Kubuntu) and implementing a new "module" in the app, but before, the people here haven't taken into account the security of the app components... in fact the boss doesn't like that I would like to make a complete reengineering of the whole app and not only migration/extension/patching (I don't like how it is actually coded).
 