 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
Dan Ritter wrote: > On Thu, Dec 31, 2009 at 06:58:44AM -0800, KyleL wrote: > >> Hi Everyone I have a question about CMS websites. >> >> My boss has asked me to create a website for a payroll company and I am not >> about to design it from scratch so I thought my best bet would be to do it >> through a CMS such as joomla or drupal. >> >> ... > If you are handling money and/or confidential financial information, > you should assume that no CMS framework is offering any security at all. > > Oh, sure, they all have at least an idea of protecting pages from view or > edit. But their programmers weren't thinking of your threat model. They're > thinking "Wow, if a large site gets violated, they might have to restore > from backup. That could be painful!". > > This won't do if you are playing with real money. Worse if you are > playing with access details for direct deposit systems. > > Of course, if this site is set up so that it can only be access via a VPN, then the security question is contained to how secure the VPN is, thus eliminating any potential flaws in the CMS itself. I would strongly recommend VPN-only access to such a payroll site, but I don't know what his specific requirements are. -Fred Mitchell
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
