Re: Database/SSL Security

On 19 May 2010, at 3:35 PM, John Carrell wrote:

> Hello. I'm new to web development though I've been experimenting  
> with computer programming since I was young. I have some questions  
> regarding security standards for a site I'm creating now. The site  
> is for an eye doctor's practice. Most of it is just the usual  
> information and pictures but we decided to add the functionality of  
> an online medical history form. Patients can go to the website and
> fill out their medical history for the office staff to retrieve. The  
> patients don't have to "log in," they simply fill out the form and  
> it's gone. They cannot access it to modify it. The office staff
> can then retrieve the information, delete it and print it. The site  
> is SSL secured and has a redirect to the HTTPS protocol. I'm  
> wondering, as I'm sure there are legal ramifications for both the  
> doctor and I to make sure that this data is secure (it does include  
> the patient's SS #). In addition to the Secure Socket Layer what  
> other security am I expected to enforce to keep this site up to the  
> current standards? Are there guidelines for the administrative  
> password to keep someone from being able to access that portion of  
> the site? Is it necessary to encrypt the sensitive information when
> it's stored in the database? I've also heard about hackers being  
> able to submit forms and trick the SQL query to return other  
> information and do undesired things. How can I prevent this? I feel  
> certain that someone has set a standard that we can stand by if a  
> legal matter came up regarding the security of our site, not to  
> mention having this would encourage our users to feel safe entering  
> their data.
>
> Please direct me to the right place or answer these questions  
> directly if you can as I'm a bit lost on where else to look. Thank  
> you in advance for your help!

Hi John,

I've forwarded your message internally. As soon as I hear back I will  
let you know.

You might also want to write to public-web-security@w3.org. Archive:
  http://lists.w3.org/Archives/Public/public-web-security/

(I don't know whether that list is a good choice, but you might as  
well try. :)

  _ Ian
>
> -- 
> John Carrell
> 1002 B W. Pine St.
> Missoula, MT, 59802
> 630 650 5157
>
>

--
Ian Jacobs (ij@w3.org)    http://www.w3.org/People/Jacobs/
Tel:                                      +1 718 260 9447

Received on Friday, 21 May 2010 03:13:41 UTC
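The "trick the SQL query" concern in John's question is SQL injection. The following is an added example, not part of the thread and not code written by either correspondent: it builds a tiny in-memory SQLite table (the `history` table, its columns and the two sample patients are all constructed for illustration) and runs the staff lookup two ways. The vulnerable version pastes the submitted name into the SQL text, so the classic input `' OR '1'='1` returns every row; the parameterized version binds the name as data, so the same input matches nothing. The form-submission insert is written the parameterized way as well, and the last helper shows a second symptom of concatenation: a legitimate name containing an apostrophe breaks the query outright.

```python
import sqlite3

# Constructed sample data for the example; not real patient records.
SAMPLE_ROWS = [
    ("Alice Example", "1970-01-01", "glaucoma"),
    ("Bob Example", "1985-05-05", "myopia"),
]

# Input an attacker can type into the public form or a lookup field.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory database with a hypothetical 'history' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history ("
        "id INTEGER PRIMARY KEY, name TEXT, dob TEXT, notes TEXT)"
    )
    # executemany with '?' placeholders: values are bound, not concatenated.
    conn.executemany(
        "INSERT INTO history (name, dob, notes) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Staff lookup done the wrong way: the user's text becomes SQL syntax."""
    sql = "SELECT name, notes FROM history WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same lookup with a bound parameter: the name can never be parsed as SQL."""
    return conn.execute(
        "SELECT name, notes FROM history WHERE name = ?", (name,)
    ).fetchall()


def submit_history(conn, name, dob, notes):
    """Store one submitted form, parameterized; returns the new row id."""
    cur = conn.execute(
        "INSERT INTO history (name, dob, notes) VALUES (?, ?, ?)",
        (name, dob, notes),
    )
    conn.commit()
    return cur.lastrowid


def vulnerable_rejects_apostrophe(conn, name="O'Brien"):
    """True if the concatenating lookup fails on an ordinary name with a quote.

    The apostrophe closes the string literal early, so SQLite reports a
    syntax error; this is the same defect that the injection string abuses.
    """
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    safe = lookup_safe(conn, INJECTION)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # the vulnerable lookup leaks both records; the safe one none
```

The placeholder syntax differs by driver (`?` for Python's sqlite3, `%s` for psycopg2 and MySQLdb, `:name` for named parameters), but the principle is the same everywhere: never build the SQL string out of form input, and bind every value through the driver's parameter mechanism.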