views: 56

answers: 4

I want to build a web-based information management application for a client. The application will be used to store passwords and critical documents online.

I want to know:

(1) Which language/framework to go with: PHP or Ruby on Rails (RoR) or any other?

(2) What type of hosting for good security, Linux or Windows? Any other thing to be included?

(3) Suggest open-source but bug-free crypto libraries for PHP & RoR.

(4) I am planning PostgreSQL database. Any suggestions?

(5) Any other security considerations.

A: 

Not being a PHP expert, I'm pretty sure you would be fine going either way. Choose the tools, OS and db you are most skilled in and then focus on the implementation.

Security is hard. Make sure to have an expert review your solution.

Jonas Elfström
+1  A: 
  1. whatever you are most comfortable with
  2. linux is probably better. yes. various
  3. php cryptography extensions
  4. couchDB
  5. don't trust nobody and nothing

For a super safe application try to do it OFFLINE.

Elzo Valugi
That is what I can't do at this moment.
RPK
+1  A: 

As far as a crypto library for Ruby, I've had good results with the EzCrypto Gem. It wraps the Ruby OpenSSL library and makes it easy to do symmetric encryption. The challenge is less about doing the encryption and more about where and how to store your keys (as you mention in your question).

Patrick Reagan
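The answer above makes two points: the encryption itself is the easy part (EzCrypto just wraps Ruby's OpenSSL), and the real work is where the keys live. The following is an added example, not EzCrypto's code and not from the original answer, using only Ruby's standard `openssl` library. It shows the pattern a password/document vault usually needs: a master key derived from a passphrase that lives outside the code (an environment variable here; the default passphrase and salt are constructed for the demo), one random data key per record wrapped under that master key, and AES-256-GCM so that tampering or a record swap is detected rather than silently returning garbage. All function and record names are this example's own.

```ruby
require 'openssl'
require 'securerandom'

CIPHER  = 'aes-256-gcm'
IV_LEN  = 12   # GCM nonce length
TAG_LEN = 16   # GCM authentication tag length

# Master key (key-encryption key). The passphrase must come from outside the
# code base; the fallback value and the salt below are constructed for the demo.
def master_key
  @master_key ||= begin
    passphrase = ENV.fetch('VAULT_MASTER_PASSPHRASE', 'demo-only-passphrase-change-me')
    salt = 'vault-v1-kdf-salt' # constructed; use a random, stored salt in practice
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 200_000,
                                         length: 32, hash: 'sha256')
  end
end

def b64(bytes)  = [bytes].pack('m0')
def unb64(text) = text.unpack1('m0')

# AES-256-GCM encrypt; aad is authenticated but not encrypted, which lets us
# bind a ciphertext to the record it belongs to. Output: base64(iv || tag || ct).
def seal(key, plaintext, aad)
  raise ArgumentError, 'plaintext must not be empty' if plaintext.empty?
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key
  iv = cipher.random_iv           # fresh 12-byte nonce per message
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  b64(iv + cipher.auth_tag + ciphertext)
end

# Returns the plaintext, or nil if the key is wrong, the data was modified,
# or the aad (record binding) does not match.
def open_sealed(key, blob, aad)
  raw = unb64(blob)
  iv, tag, ciphertext = raw[0, IV_LEN], raw[IV_LEN, TAG_LEN], raw[(IV_LEN + TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Envelope encryption: a random data key per record, wrapped under the master key.
# Rotating the master key then means re-wrapping small keys, not re-encrypting documents.
def store_secret(record_id, plaintext)
  dek = SecureRandom.random_bytes(32)
  {
    id:          record_id,
    wrapped_key: seal(master_key, dek, "dek:#{record_id}"),
    ciphertext:  seal(dek, plaintext, "data:#{record_id}")
  }
end

def read_secret(record)
  dek = open_sealed(master_key, record[:wrapped_key], "dek:#{record[:id]}")
  return nil unless dek
  open_sealed(dek, record[:ciphertext], "data:#{record[:id]}")
end

# Test helper: flip one bit of a stored blob to simulate on-disk corruption or tampering.
def tamper(blob)
  bytes = unb64(blob).bytes
  bytes[-1] ^= 0x01
  b64(bytes.pack('C*'))
end

if __FILE__ == $PROGRAM_NAME
  record = store_secret('doc-42', 'hunter2')
  puts read_secret(record)                                                 # hunter2
  p read_secret(record.merge(ciphertext: tamper(record[:ciphertext])))     # nil
  p read_secret(record.merge(id: 'doc-43'))                                # nil
end
```

The record hash is what you would persist in PostgreSQL; the master passphrase is never written next to it. Because the record id is passed as associated data, moving a wrapped key or ciphertext to another row fails authentication instead of decrypting under the wrong context.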
A: 

In answer to 5)
I'd suggest reading this PDF, which is OWASP's Top Ten Application Security Risks.
Also OSVDB is a pretty good site for finding up-to-date security issues in released products. Here's the link for Postgres issues:
http://osvdb.org/search?search%5Bvuln%5Ftitle%5D=postgres&search%5Btext%5Ftype%5D=alltext

zebrabox