I am using an open source eCommerce application and will soon push the application (including some modifications of my own) to production, i.e. the internet. Given that the code and data structures are freely available online, what are the security considerations/best practices when deploying such a piece of software?
Knowing the data structures & code shouldn't make your product inherently less secure. Like most open source advocates argue, having the app open source makes it more secure in some ways.
Really you should treat it like you do the security of any app. Sure, knowing the code & data structures makes hacking the site simpler, but that doesn't mean the site is any more or less secure.
For example, an XSS vulnerability is still a vulnerability whether you have the source or not. Having the source just means that a hacker can know about the vulnerability (and you might not).
A good point to start at is making sure your site guards against OWASP's Top 10 list of vulnerabilities. Those are the big ones to be sure to follow. If the open source product doesn't protect against all of them, you could do that yourself and contribute it back to the community so everyone is more secure.
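As an added illustration of the answer's XSS point (this is example code written for this page, not code from the question, the answer, or any particular eCommerce product): the same injection defect exists whether or not an attacker has read the source, so the fix is output encoding at every point where user input reaches HTML. The product catalogue, the search template and the probe input below are all constructed for the example.

```python
"""Added example: a reflected XSS defect in a product search page, beside the
hardened version that applies context-aware output encoding. Shop, template and
inputs are constructed for illustration."""
import html

# Constructed product catalogue; in a real shop this comes from the database
# whose schema is readable in the open-source code.
PRODUCTS = [
    {"name": "Blue Widget", "price": "9.99"},
    {"name": "Red Widget", "price": "12.50"},
]


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the user-controlled query is concatenated straight into the
    HTML body and into an attribute value without any encoding."""
    rows = "".join(
        f"<li>{p['name']} - ${p['price']}</li>"
        for p in PRODUCTS if query.lower() in p["name"].lower()
    )
    return (f"<h1>Results for {query}</h1>"
            f"<input name=\"q\" value=\"{query}\">"
            f"<ul>{rows}</ul>")


def render_search_safe(query: str) -> str:
    """Hardened: html.escape(..., quote=True) encodes <, >, &, \" and ', so the
    input is rendered as text in both element-body and attribute context.
    Database fields are escaped too, since stored data is also untrusted."""
    safe_q = html.escape(query, quote=True)
    rows = "".join(
        f"<li>{html.escape(p['name'])} - ${html.escape(p['price'])}</li>"
        for p in PRODUCTS if query.lower() in p["name"].lower()
    )
    return (f"<h1>Results for {safe_q}</h1>"
            f"<input name=\"q\" value=\"{safe_q}\">"
            f"<ul>{rows}</ul>")


def contains_raw_markup(rendered: str, marker: str) -> bool:
    """Regression-test helper: True if a string that should have been encoded
    appears verbatim in the output, i.e. the browser would parse it as markup
    instead of displaying it as text."""
    return marker in rendered


if __name__ == "__main__":
    # Constructed, harmless probe: closes the attribute and adds a bold tag.
    probe = '"><b>probe</b>'
    print("unsafe leaks markup:",
          contains_raw_markup(render_search_unsafe(probe), "<b>probe</b>"))
    print("safe leaks markup:  ",
          contains_raw_markup(render_search_safe(probe), "<b>probe</b>"))
```

The `contains_raw_markup` check is the kind of assertion worth adding to the shop's own test suite for every template that echoes user or database content; note that `html.escape` only covers HTML body and quoted-attribute context, and output placed inside JavaScript, URLs or CSS needs the encoding for that context instead.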