Re: Users - sensitive information security

Posted by David E. Jones on
URL: http://ofbiz.116.s1.nabble.com/Users-Security-API-What-am-I-missing-tp139327p139333.html


This is always a problem with web based applications. You _have_ to secure the app servers as a first priority, even when the database is on an internal only network (which is commonly the case). If an app server is breached then they'll be able to get the database access information, and use it through that box... I'm not sure if that is what you are referring to. These are actually fairly standard things considered in a production deployment.

-David


BJ Freeman wrote:

> sub title CC security revisited.
> In Summary the security of CC Info has been discussed.
> it covered the encryption of the information, as well as the security
> authentication provided by ofbiz.
>
> As long as the CC info is encrypted one way, there is not much concern.
> However there is need for getting the CC info back in readable form in
> some cases. This creates a possible security hole.
>
> The application I have in mind is where the gateway service is sent the
> partyID and only it can read the CC info.
>
> So if the OS is breached through its own security hole, and admin or super
> user is gained, or if someone is using the PC that ofbiz runs on for
> Internet and gets a Trojan, then the complete DB and application can be
> retrieved.
>
> To further create security, I have put the DB on a private
> network that only the server can see.
>
> Does anyone with a twisted mind (meant in humor) see a way that this
> could be compromised?
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users
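An added example, not from this thread or from OFBiz, of the split BJ describes: the app server can write card data under the gateway's public key, but only the gateway service holding the private key can read it back, so a copied DB plus the app server's DB credentials yield ciphertext only. CardVault, Store and GatewayRead are hypothetical names and the partyId/PAN values are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CardVault stands in for the DB table (hypothetical name): partyId -> ciphertext only.
type CardVault struct {
	gatewayPub *rsa.PublicKey // all the app server ever holds is the gateway's public key
	rows       map[string][]byte
}

func NewCardVault(pub *rsa.PublicKey) *CardVault {
	return &CardVault{gatewayPub: pub, rows: map[string][]byte{}}
}

// Store is the app server's side: encrypt to the gateway's public key, with the
// partyId as OAEP label so a row moved to another party fails to decrypt.
func (v *CardVault) Store(partyId, cardNumber string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, v.gatewayPub,
		[]byte(cardNumber), []byte(partyId))
	if err != nil {
		return err
	}
	v.rows[partyId] = ct
	return nil
}

// GatewayRead is the gateway's side: only the private key holder gets the clear card number.
func GatewayRead(priv *rsa.PrivateKey, v *CardVault, partyId string) (string, error) {
	ct, ok := v.rows[partyId]
	if !ok {
		return "", fmt.Errorf("no card stored for party %s", partyId)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(partyId))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // kept only on the gateway host
	v := NewCardVault(&priv.PublicKey)
	_ = v.Store("10001", "4111111111111111") // constructed test PAN
	fmt.Println(GatewayRead(priv, v, "10001"))
}
```

This only helps against the breach David describes if the gateway's private key lives on a separate, more tightly controlled host than the app server; if both keys sit on the same box, an attacker with that box has everything.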