So, it's been about 3 years since I wrote and went live with my company's main internet-facing website. Originally written in PHP, I've since just been making minor changes here and there to progress the site as we've needed to.

I've wanted to rewrite it from the ground up in the last year or so and now, we want to add some major features so this is a perfect time.

The website in question is as close to a banking website as you'd get (without being a bank; sorry for the obscurity, but the less info I can give out, the better).

For the rewrite, I want to separate the presentation layer from the processing layer as much as I can. I want the end user to be stuck in a box and not be able to get out, so to speak.

(this is all because of PCI compliance, being PEN tested every 3 months, etc...)

So, being probed every 3 months has increasingly made me nervous. We haven't failed yet and there hasn't been a breach yet, but I want to make sure I continue to pass (as much as I can anyways).

So, I'm considering rewriting the presentation layer in Adobe Flex and doing all the processing in PHP (effectively, IMO, separating presentation from processing) - I would do all my normal form validation in Flex (as opposed to JavaScript or PHP) and do my reads and writes to the db via PHP.

My questions are: I know Flash has something like 99% market penetration - do people find this to be true? Has anyone seen on their own sites being in flash that someone couldn't access it?

Flash in general has come under a lot of attacks about security and the like - I know this. I would use a SWF encryptor - disable debugging (which I got snagged on once on a different application), continue to use https and any other means I can think of.

At the end of the day, everyone knows if someone wants in to the data bad enough, they're going to find a way in; I just wanna make it as difficult for them as I can.

Any thoughts are appreciated.

-Mario

+2  A: 

There are always people who, for one reason or another, don't install the Flash plugin. Bear in mind that these are distinctly in the minority. Realize also that some people still refuse to enable Javascript. The question you have to ask yourself is whether this small group is enough to get you to move off of some newer technologies.

If the answer to that is yes, you will have to resort to vanilla HTML form processing, sending everything to the server for validation, etc.

If the answer is no, don't be afraid to use Flex. It works fine with https protocol, and is as secure as you want. That said, I wouldn't use it for username/password validation on the client; that information should always be encrypted and sent to a secure server. But validation of other types of field (phone number, etc.) shouldn't be a problem.

Robusto
+1 for a thorough answer. I'll chime in and say is it a good idea to turn away paying customers just because they don't have flash installed?
John Conde
Well, and that still stands to be the biggest doubt in my mind. In my opinion, to compile the front end in Flex eliminates the functionality of the back / forward buttons; eliminates JavaScript / HTML / form data in the view source window; eliminates the exposure of internal server side pages used for processing, etc... So the question changes to (for me anyways) is turning people away for not having Flash installed, acceptable to gain some security features? At the end of the day, if they really want to pay and don't have Flash installed, they still can simply make a phone call...
Mario
@Mario: You can keep the back/forward button functionality in Flex. You just have to code for it. See http://livedocs.adobe.com/flex/3/html/help.html?content=deep_linking_2.html
Robusto
Oh, I'm sure. Losing back / forward is a benefit in my opinion. I don't want them to be able to go back or forward, on my site anyways. If they wanna leave and go somewhere else, that's fine, but I don't want them to press back till they get to some other site, then come back.
Mario
+1  A: 

There are definitely people who don't have Flash installed and yes, there are people who have JavaScript disabled. But no matter whether you develop for the common denominator which is plain HTML forms or if you go high end, e.g. Flex or AJAX, never ever rely on the client to validate the inputs. It's a good first step, but everything that comes from the client, be it Flash or Ajax or Silverlight or whatever, could be forged.

ilikeorangutans
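
The point made in the answer above, shown as an added example that is not part of the original thread: the PHP side repeats every check the Flex form performs, because a request can reach the script without the SWF ever running. The field names, table layout and the two sample requests are assumptions constructed for illustration, and the script needs the `pdo_sqlite` extension for its in-memory database.

```php
<?php
declare(strict_types=1);

// Added example. Field names and table layout are assumptions, not from the post.
// Each rule the client-side form enforces is enforced again on the server.
function validatePayment(array $in): array
{
    $rules = [
        'account_id' => '/\A[1-9][0-9]{0,8}\z/',       // positive integer id
        'phone'      => '/\A\+?[0-9]{7,15}\z/',        // digits, optional leading +
        'amount'     => '/\A[0-9]{1,7}\.[0-9]{2}\z/',  // e.g. 25.00, no sign allowed
    ];
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $in[$field] ?? null;
        // is_string() rejects arrays such as phone[]=x before preg_match sees them.
        // \A and \z anchor the whole value, so a trailing newline does not pass.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $value;
    }
    if (!$errors) {
        // Keep money as integer cents and re-check the range on the server.
        $clean['cents'] = (int) str_replace('.', '', $clean['amount']);
        if ($clean['cents'] < 1) {
            $errors['amount'] = 'must be greater than zero';
        }
    }
    return [$clean, $errors];
}

function storePayment(PDO $db, array $c): void
{
    // Bound parameters: even validated input is never concatenated into SQL.
    $stmt = $db->prepare('INSERT INTO payments (account_id, phone, cents) VALUES (?, ?, ?)');
    $stmt->execute([(int) $c['account_id'], $c['phone'], $c['cents']]);
}

$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (account_id INTEGER, phone TEXT, cents INTEGER)');

// Constructed requests: one as the form would send it, one that skipped the form.
$requests = [
    ['account_id' => '1042', 'phone' => '+15551234567', 'amount' => '25.00'],
    ['account_id' => '1042x', 'phone' => ['x'], 'amount' => '-5.00'],
];
foreach ($requests as $r) {
    [$clean, $errors] = validatePayment($r);
    if ($errors) { echo 'rejected: ', implode(', ', array_keys($errors)), "\n"; continue; }
    storePayment($db, $clean);
    echo "stored\n";
}
```

The second request fails on all three fields and never reaches the database, regardless of what the client-side validators would have allowed.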