Security of Flex for payment website

Posted by Mario on Stack Overflow
Published on 2010-04-26T12:44:14Z Indexed on 2010/04/26 19:13 UTC

So, it's been about 3 years since I wrote and went live with my company's main internet-facing website. Originally written in PHP, I've since just been making minor changes here and there to progress the site as we've needed to.

I've wanted to rewrite it from the ground up in the last year or so and now, we want to add some major features so this is a perfect time.

The website in question is as close to a banking website as you'd get (without being a bank; sorry for the obscurity, but the less info I can give out, the better).

For the rewrite, I want to separate the presentation layer from the processing layer as much as I can. I want the end user to be stuck in a box and not be able to get out, so to speak.

(this is all because of PCI compliance, being pen tested every 3 months, etc...)

So, being probed every 3 months has increasingly made me nervous. We haven't failed yet and there hasn't been a breach yet, but I want to make sure I continue to pass (as much as I can anyways).

So, I'm considering rewriting the presentation layer in Adobe Flex and doing all the processing in PHP (effectively, IMO, separating presentation from processing) - I would do all my normal form validation in Flex (as opposed to JavaScript or PHP) and do my reads and writes to the db via PHP.

My questions are: I know Flash has something like 99% market penetration - do people find this to be true? Has anyone seen, on their own sites being in Flash, that someone couldn't access it?

Flash in general has come under a lot of attacks about security and the like - I know this. I would use a SWF encryptor - disable debugging (which I got snagged on once on a different application), continue to use HTTPS and any other means I can think of.

At the end of the day, everyone knows if someone wants in to the data bad enough, they're going to find a way in; I just wanna make it as difficult for them as I can.

Any thoughts are appreciated.

-Mario

© Stack Overflow or respective owner
