

Ask HN: Paranoid about security/reliability of my SaaS product? - 46284

Hi HN

I'm a self-taught developer and designer. I used to do freelance PHP
work for smallish sites and never worried too much about this as I
know the basics.

I've been playing with Django for a few months now and finally have
'the' SaaS idea I've been waiting for.

I'm working on the prototype right now but the problem is I'm afraid
I'm not capable enough to carry this through reliably.

Some things I've been thinking:

- Are there security holes in the site?
- Am I storing/escaping all data correctly?
- Could I accidentally do something wrong with a database table?
- Is the server configured correctly?

Using Django has alleviated this problem a lot because of its built-in
security (can't believe I used to use pure PHP!) but I'm still
worried.

I know reading up more on Django/Python security, keeping database
backups, studying server config., forming an LLC so I can't be
financially destroyed by unhappy users, etc. will alleviate this
further but I was hoping to hear if fellow HN'ers had similar issues.

I know there are countless sites with next to no security, but I
believe if users are paying money for a product the least you can do
is keep their data safe.

Would really appreciate some advice. Thanks!
======
dumbphone
> (can't believe I used to use pure PHP!)

Actually, pure PHP (I assume by "pure" you mean "with no framework") is the
safest of all, providing that the programmer is experienced. Hackers target
known vulnerabilities in popular frameworks/CMSes/etc., so with a homemade
mini-framework built by an experienced programmer you're better off security-
wise than with a popular framework.

My point is not that you shouldn't use a framework. I personally love Django
and two or three PHP frameworks. I just wanted to add a little perspective to
the discussion of "pure PHP".

------
mcotton
There are several tools you can use for 'hacking' your site. In my logs I see
1000's of requests 'fuzzing' my server looking for known URLs with vulnerable
versions. I haven't kept up with the tools, but I would look at metasploit to
get started. <http://www.metasploit.com/>
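
One way to spot the probing described in the comment above in your own access log, as an added example that is not part of the thread. It assumes common/combined log format; the function name `find_probers`, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:13:55:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2007:13:55:01 +0000] "GET /admin/config.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2007:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2007:13:55:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209
198.51.100.4 - - [10/Oct/2007:13:56:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2007:13:56:11 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.4 - - [10/Oct/2007:13:56:15 +0000] "GET /accounts/login/ HTTP/1.1" 200 2048
"""


def find_probers(lines, min_missing=3, max_hit_ratio=0.2):
    """Return {ip: sorted distinct 404 paths} for clients that look like scanners.

    A client is flagged when it requested at least `min_missing` distinct
    paths that do not exist and almost none of its requests succeeded.
    Both thresholds are assumptions to tune against your own traffic.
    """
    missing = defaultdict(set)  # ip -> distinct paths answered with 404
    total = defaultdict(int)    # ip -> all parsed requests
    hits = defaultdict(int)     # ip -> requests answered with 2xx/3xx
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-HTTP request lines
        ip, _method, path, status = m.groups()
        total[ip] += 1
        if status == "404":
            missing[ip].add(path.split("?", 1)[0])  # ignore query strings
        elif status[0] in "23":
            hits[ip] += 1
    return {ip: sorted(paths) for ip, paths in missing.items()
            if len(paths) >= min_missing and hits[ip] / total[ip] <= max_hit_ratio}


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG.splitlines()).items():
        print(ip, len(paths), "distinct missing paths:", ", ".join(paths))
```

A normal visitor who hits one missing `favicon.ico` stays below both thresholds, so only the client walking a list of nonexistent URLs is reported.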

