On 19 May 2010, at 3:35 PM, John Carrell wrote:
Hello. I'm new to web development though I've been experimenting
with computer programming since I was young. I have some questions
regarding security standards for a site I'm creating now. The site
is for an eye doctor's practice. Most of it is just the usual
information and pictures but we decided to add the functionality of
an online medical history form. Patients can go to the website and
fill out their medical history for the office staff to retrieve. The
patients don't have to "log in," they simply fill out the form and
it's gone. They cannot access it to modify it. The office staff
can then retrieve the information, delete it and print it. The site
is SSL secured and has a redirect to the HTTPS protocol. I'm
wondering, as I'm sure there are legal ramifications for both the
doctor and me, how to make sure that this data is secure (it does
include the patient's SS #). In addition to the Secure Socket Layer,
what other security am I expected to enforce to keep this site up to
the current standards? Are there guidelines for the administrative
password to keep someone from being able to access that portion of
the site? Is it necessary to encrypt the sensitive information when
it's stored in the database? I've also heard about hackers being
able to submit forms and trick the SQL query to return other
information and do undesired things. How can I prevent this? I feel
certain that someone has set a standard that we can stand by if a
legal matter came up regarding the security of our site, not to
mention having this would encourage our users to feel safe entering
their data.
Please direct me to the right place or answer these questions
directly if you can as I'm a bit lost on where else to look. Thank
you in advance for your help!
Hi John,
I've forwarded your message internally. As soon as I hear back I will
let you know.
You might also want to write to [email protected]. Archive:
http://lists.w3.org/Archives/Public/public-web-security/
(I don't know whether that list is a good choice, but you might as
well try. :)
_ Ian
--
John Carrell
1002 B W. Pine St.
Missoula, MT, 59802
630 650 5157
--
Ian Jacobs ([email protected]) http://www.w3.org/People/Jacobs/
Tel: +1 718 260 9447
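Editor's note: the thread above never answers two of John's questions, the one about forms that "trick the SQL query" and the one about the administrative password. The following is an added example, not code from either correspondent or from the W3C, showing both points side by side: a lookup that pastes user input into the SQL text (and so returns every stored form when fed a crafted confirmation code) next to the parameterized version that does not, plus salted, iterated hashing for the admin password with a constant-time comparison. The in-memory sqlite3 table, the confirmation-code lookup, the sample rows and the function names are all assumptions made for the illustration; the patient data is constructed and not real.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows (assumption: the office retrieves a submitted
# history form by a confirmation code). No real patient data.
SAMPLE_FORMS = [
    ("A1B2", "Pat One", "***-**-0001"),
    ("C3D4", "Pat Two", "***-**-0002"),
    ("E5F6", "Pat Three", "***-**-0003"),
]

PBKDF2_ITERATIONS = 200_000  # assumption: tune upward as hardware allows


def make_db():
    """Build a throwaway in-memory database holding the sample forms."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (code TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO history VALUES (?, ?, ?)", SAMPLE_FORMS)
    return conn


def lookup_vulnerable(conn, code):
    """Injectable: the submitted value becomes part of the SQL grammar.

    Input ' OR '1'='1 turns the WHERE clause into
    code = '' OR '1'='1', which matches every row.
    """
    sql = "SELECT code, name, ssn FROM history WHERE code = '%s'" % code
    return conn.execute(sql).fetchall()


def lookup_safe(conn, code):
    """Parameterized: the driver passes the value as data, never as SQL text."""
    sql = "SELECT code, name, ssn FROM history WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


def hash_password(password, salt=None):
    """Return 'saltHex$digestHex' using PBKDF2-HMAC-SHA256 with a random salt.

    Store this string, never the plaintext password.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR '1'='1"
    print("vulnerable lookup rows:", len(lookup_vulnerable(conn, injected)))
    print("safe lookup rows:      ", len(lookup_safe(conn, injected)))
    stored = hash_password("correct horse battery staple")
    print("stored admin record:", stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("guess", stored))
```

The same placeholder rule applies to the DELETE the office staff run after printing a form; concatenating a code into that statement would let a crafted code wipe the table. Hashing the admin password does not replace the transport protection John already has, and encrypting the SS # column at rest is a separate control from both.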