Re: Setting up site for developer / programmer, need tips

Posted: Sat May 27, 2017 9:29 pm
by sculptex
IP_CAM wrote:
Sat May 27, 2017 9:11 pm
Well, this place may be different from what you have seen before, but OC is all about money,
so, one cannot expect, to make many friends, to start with. For most Visitors, it's more a TAKE
and GO anyway, and such behaviour kind of 'shapes' this Place, in a very 'unique' way.

So, it's not as easy, as it may look, on first view, one has to get used to it first. Still, one can find a lot
of knowledge, even for free, if one accepts the facts and habits. It's the only way, to get anywhere... ;)
Good Luck !
Ernie
Well I'm friends with krotek now and I kinda thought we were friends too? I guess not!
And I very much doubt you are here for the money, you just love helping people (and improving your skills) -Lol

Re: Setting up site for developer / programmer, need tips

Posted: Sat May 27, 2017 11:00 pm
by oclcas
Going back to the original post on this thread: If deleting the CONTENTS of the customer* and order* tables caused your site to break, then there was something wrong with how your site was set up in the first place. Now, if you deleted the tables themselves, that could cause major issues. So my first question would be, did you delete the tables themselves, or only what they contained?

Secondly - I don't think it's an unreasonable request for a store owner not to have to disclose customers, orders and other data to a new developer. It's not an unreasonable request to ask how to sanitize a database before handing a clone of it to a new developer.

Third - I'm in agreement that an NDA is mostly useless. For one, it's only an agreement. Yes, it will cite penalties if improper disclosure occurs, but to collect those penalties, you need to go to court AND be able to collect those monies if you win. So, what good is an NDA that says there's a $10,000 penalty for improper disclosure if you don't have a lawyer available to enforce it? OR even know the culprit's physical address so they can be served? Much better to not even leave that as a possibility, and therefore sanitize data especially when working with a new development partner.
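
Added example, not part of the post above or of the store's own code: one way to sanitize a cloned database by emptying the customer* and order* tables while leaving the tables themselves in place, which is the distinction the post draws. It uses an in-memory SQLite database as a stand-in for the clone; the `oc_` prefix, table names, columns and rows are constructed for the demonstration.

```python
import sqlite3

# Prefixes follow the post's "customer*" and "order*"; the "oc_" store prefix,
# the columns and the rows below are constructed for this demonstration.
SENSITIVE_PREFIXES = ("oc_customer", "oc_order")


def sensitive_tables(conn):
    """Return the tables whose names start with a sensitive prefix."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [name for (name,) in rows if name.startswith(SENSITIVE_PREFIXES)]


def sanitize_clone(conn):
    """Empty each sensitive table but keep the table; return rows removed."""
    removed = {}
    with conn:  # one transaction: every table is emptied, or none is
        for table in sensitive_tables(conn):
            # Names come from the database catalogue, not from user input.
            count = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            conn.execute(f'DELETE FROM "{table}"')
            removed[table] = count
    return removed


def build_demo_clone():
    """Constructed stand-in for a cloned store database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE oc_customer (customer_id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE oc_customer_ip (customer_id INTEGER, ip TEXT);
        CREATE TABLE oc_order (order_id INTEGER PRIMARY KEY, customer_id INTEGER);
        CREATE TABLE oc_product (product_id INTEGER PRIMARY KEY, model TEXT);
        INSERT INTO oc_customer VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
        INSERT INTO oc_customer_ip VALUES (1, '192.0.2.10');
        INSERT INTO oc_order VALUES (100, 1);
        INSERT INTO oc_product VALUES (7, 'WIDGET-7');
        """
    )
    return conn


if __name__ == "__main__":
    clone = build_demo_clone()
    print(sanitize_clone(clone))     # rows removed per table
    print(sensitive_tables(clone))   # the tables themselves still exist
```

Run this kind of cleanup only against the clone, and read the list from `sensitive_tables` before deleting, since a prefix match can also catch tables the store needs populated.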

Re: Setting up site for developer / programmer, need tips

Posted: Sat May 27, 2017 11:27 pm
by sculptex
There is far worse a developer could do than steal data. Unless you are a developer, you will probably not understand the dangers.

(To add to what Krotek said)
So if a customer clones a site and changes the customer data to avoid them finding it, so what. The developer could write backdoor scripts, whatever. In order for a user to obfuscate everything from the developer, they would need to alter so much, passwords, API keys etc., set it up on a completely different account/domain, set up a specific FTP account for that dev and remove it straight after. They then need to do a file-by-file comparison of all changes proposed by the developer and scrutinize mods etc. for malicious code before putting it onto their live store. If it didn't work on the live store, the developer would be within their rights to say, "well you didn't let me test it on your live store".

Basically all this is beyond the ability of someone typically seeking help! Also trying some of these techniques would give a false sense of security.

And as far as this particular problem is concerned, as it involved an SSL certificate, that would have also required an SSL certificate to be set up on the clone store, as merely putting it in a subfolder of the live store would be an open door for backdoor scripts to access the live store.

Re: Setting up site for developer / programmer, need tips

Posted: Sun May 28, 2017 7:48 am
by Xerobia
sculptex wrote:
Sat May 27, 2017 11:27 pm
There is far worse a developer could do than steal data. Unless you are a developer, you will probably not understand the dangers.

(To add to what Krotek said)
So if a customer clones a site and changes the customer data to avoid them finding it, so what. The developer could write backdoor scripts, whatever. In order for a user to obfuscate everything from the developer, they would need to alter so much, passwords, API keys etc., set it up on a completely different account/domain, set up a specific FTP account for that dev and remove it straight after. They then need to do a file-by-file comparison of all changes proposed by the developer and scrutinize mods etc. for malicious code before putting it onto their live store. If it didn't work on the live store, the developer would be within their rights to say, "well you didn't let me test it on your live store".

Basically all this is beyond the ability of someone typically seeking help! Also trying some of these techniques would give a false sense of security.

And as far as this particular problem is concerned, as it involved an SSL certificate, that would have also required an SSL certificate to be set up on the clone store, as merely putting it in a subfolder of the live store would be an open door for backdoor scripts to access the live store.
This is my plan for now to work LONG-TERM with a developer. Security measures will loosen with further projects.
- Clone files to a new subdomain
- Clone database in new container and remove all customer data
- Change all login information
- Create a new API.
- Set up new dev FTP user with only access rights to subdomain HTML folder
- Deny SSH access
- New SSL certificate for the subdomain but from the same SSL company
- Screen files with app. for any other code changes or new files injected into folder. List changes.
- Same for the database.
- Code changes to be written in a .xt file which later gets reviewed by another developer / security specialist before implementing into the live store by myself.
- Require certain security measures on the developers system
- Consult with specialist to review security
- Sign NDA (for what it's worth) + ID verification.
- Finally hire a developer IN-HOUSE, full-time. Next year.

This is pretty bulletproof and any change on the subdomain should also work on the live website. If the developer feels offended by my security measures, well then he can choose not to work for me, but in turn I pay very well and allow the developer to be creative.
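
Added example, not part of the post above: a sketch of the "screen files for code changes or new files, list changes" step, which is also the starting point for the file-by-file comparison mentioned earlier in the thread. It hashes every file in the development copy before the developer gets access and again afterwards, then lists what was added, removed or modified; the directory and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline, current):
    """Return the files added, removed and modified between two manifests."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed tree: the clone as handed over, then as returned."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "dev-subdomain"
        (site / "catalog").mkdir(parents=True)
        (site / "index.php").write_text("<?php // front controller\n")
        (site / "catalog" / "cart.php").write_text("<?php // cart v1\n")
        (site / "config.php").write_text("<?php // settings\n")
        before = manifest(site)  # taken before the developer gets access

        # Changes made during the engagement (constructed).
        (site / "catalog" / "cart.php").write_text("<?php // cart v2\n")
        (site / "image").mkdir()
        (site / "image" / "thumb.php").write_text("<?php // new file\n")
        (site / "config.php").unlink()
        return compare(before, manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The output is only the list of files to review; each added or modified file still has to be read before it goes to the live store, and the baseline manifest should be stored somewhere the FTP account cannot write to.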

Re: Setting up site for developer / programmer, need tips

Posted: Sun May 28, 2017 8:50 am
by MrPhil
Yes, any developer probably will be offended by the restrictions, and that you don't trust them. I would make it clear up front (even before discussing the security restrictions) that you've been badly burned before by developers, and are taking no chances. As your developer proves themselves trustworthy, you will be willing to loosen the restrictions.

Make sure that the developer understands the reason for the restrictions, and that they've priced in the inefficiencies in their work due to the security measures. If they quote a price, sign the contract, and then you spring this stuff on them, it could be a very bad scene (including breach of contract on your part).

Re: Setting up site for developer / programmer, need tips

Posted: Sun May 28, 2017 9:07 am
by Xerobia
MrPhil wrote:
Sun May 28, 2017 8:50 am
Yes, any developer probably will be offended by the restrictions, and that you don't trust them. I would make it clear up front (even before discussing the security restrictions) that you've been badly burned before by developers, and are taking no chances. As your developer proves themselves trustworthy, you will be willing to loosen the restrictions.

Make sure that the developer understands the reason for the restrictions, and that they've priced in the inefficiencies in their work due to the security measures. If they quote a price, sign the contract, and then you spring this stuff on them, it could be a very bad scene (including breach of contract on your part).
Of course, I will be upfront about the restrictions.