Hi,

I'm a little paranoid about my programming. I'm about to take on a project that consists of a membership area that in order for members to view, they must pay for a subscription fee. I'm thinking about using a third party cc billing company and once a user signs up, it has a script that will update the members database to tell my web application that he/she signed up.

Now since this will deal with money, there are always potential hackers who would want to eliminate competition or even receive free service. That's just my thinking...you can call it paranoia. But the thing is, I'm confident that I can do the programming, but it's how well I can do it. How would I know if it's secure enough? That leads to my question whether there are private companies that check how secure an application is and then tell you the loopholes you must fix? Or can I do this myself? I'm assuming I'll need to read lots of hacking books and then see if those hacking tricks apply to my web application.

Basically I got most security features checked off my list:
- tainting
- ssl warnings
- use strict
- form checking every inputted variable
- cgi.pm to disallow uploads and to have a certain max length to avoid DoS
- mysql queries using placeholders and/or having = '$taint_input'
- mysql user passwords using md5
- session management using md5 session code (cgi::session)
- mysql is password protected (password is not shown in any perl scripts)
The real downer is this is on a win2k system. Is Apache more secure? I may recommend that the company I'm working for move it to an Apache server. But the mysql database is located somewhere other than the web server machine (I heard this was better).

Any recommendations of articles or books to read about security with membership sort of sites will be real nice.

Thank you all,
perleager

Edited by Arunbear: Changed title from 'Paranoia', as per Monastery guidelines
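An added example (not from the original post) of how the "placeholders and/or = '$taint_input'" item on the checklist looks in practice under taint mode: the interpolated query is shown commented out beside the placeholder version, with the CGI.pm upload and size limits from the list. Field names, the members table, the database host and the read_password helper are assumptions for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(:standard);
use DBI;

# CGI.pm settings from the checklist: refuse uploads and cap the request
# body so an oversized POST cannot tie up the server.
$CGI::DISABLE_UPLOADS = 1;
$CGI::POST_MAX        = 10 * 1024;    # 10 KB is plenty for a login form

# Hypothetical helper: the DB password lives in a 0600 file outside the
# web root, so no Perl script has to contain it.
sub read_password {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    chomp( my $pw = <$fh> );
    return $pw;
}

my $q = CGI->new;

# Untaint by accepting only the exact shape we expect; a capture group is
# what -T requires before the value may reach the database.
my ($user) = ( $q->param('username') // '' ) =~ /^([A-Za-z0-9_]{1,32})$/
    or die "bad username";

my $dbh = DBI->connect(
    'DBI:mysql:database=members;host=db.internal',   # assumed host
    'webapp', read_password('/etc/webapp/db.pw'),
    { RaiseError => 1, PrintError => 0 },
);

# The "and/or" alternative: interpolating the value into the SQL text.
# Taint checking does not make this safe; loosening the regex later
# silently turns it into SQL injection.
#   my $sql = "SELECT active FROM members WHERE username = '$user'";

# Placeholder form: the value is sent separately from the statement, so
# the database never parses it as SQL syntax, whatever the regex allows.
my $sth = $dbh->prepare('SELECT active FROM members WHERE username = ?');
$sth->execute($user);
my ($active) = $sth->fetchrow_array;

print $q->header('text/plain');
print $active ? "member area unlocked\n" : "subscription required\n";
```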

