X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php), forum "Considering using X-Cart for my project", thread "Considering X-Cart" (https://forum.x-cart.com/showthread.php?t=53609)

arthernan 05-05-2010 07:12 AM

Considering X-Cart
 
At our company we are considering X-Cart for our new website.

We are a continuing education provider with a very wide customer base. As an organization we have the guideline of securing our customer list as much as possible.

We feel that web servers are the most vulnerable piece of software. If an attacker got control of one, they could in turn look for database client software libraries. If any are found, they could initiate an attack on the database.

Our approach has been for some time not to have any database libraries installed in our DMZ, but instead the web server sends requests to a middle tier in our network. That middle tier in turn connects to the database and makes the necessary updates and queries. So the database library is installed only on the server where the middle tier resides.


Here are some references to this approach:

"Partitioned application" pattern in
http://www.scrypt.net/~celer/securitypatterns/final%20report.pdf

Paragraph "Application partitioning is a well studied ..." in
http://dspace.mit.edu/bitstream/handle/1721.1/34954/MIT-CSAIL-TR-2006-080.pdf?sequence=1

My question is whether this kind of architecture is possible with X-Cart, and if it is not, what security approach is taken at the architecture level and what its rationale is.

Thank you.

ambal 05-06-2010 01:36 AM

Re: Considering X-Cart
 
Hi Arthernan,

Thank you for taking interest in our software and welcome aboard!


> Our approach has been for some time not to have any database libraries
> installed in our DMZ, but instead the web server sends requests to a
> middle tier in our network. That middle tier in turn connects to the
> database and makes the necessary updates and queries. So the database
> library is installed only on the server where the middle tier resides.

X-Cart stores all its data in a MySQL database. Generally speaking, X-Cart sends requests to do something with its database to the MySQL server.
At the same time, the MySQL server can naturally be located anywhere, provided that the server running X-Cart can reach it over the network.

Thus you can place the MySQL server somewhere in an internal part of your network and protect it with a firewall that allows connections only from the X-Cart web server.

If you would like to have some middleware software that performs all database operations instead of X-Cart (i.e. X-Cart "asks" the middleware to do a database operation instead of sending such a request to the MySQL server directly), you will need to customize X-Cart, as it was designed to operate with the MySQL server directly. I am not sure about the cost of such a customization, but I do not think it will be low.

Feel free to contact us with any questions.

Alex
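As an added illustration of the partitioned architecture the first post describes (and of the kind of middleware layer the reply says X-Cart would have to be customized to call), here is a minimal middle tier in Python. It is example code written for this page, not code from X-Cart or from either poster. The DMZ-side client imports no database module and speaks only JSON; the middle tier owns the single database connection and exposes a fixed allowlist of named, parameterised operations, so a fully compromised web tier can ask only for those operations, never for SQL text. `sqlite3` stands in for MySQL so the example runs offline, and the `customers`/`orders` schema and rows are constructed sample data, not X-Cart's schema. The transport is a direct function call here; in a real deployment it would be an authenticated TLS connection from the DMZ host to the internal host.

```python
"""Partitioned application middle tier (added example, not X-Cart code).

DMZ web tier: no database library, sends JSON requests to the middle tier.
Middle tier: the only process holding a DB connection; it accepts only the
named operations in OPERATIONS, each bound to a parameterised statement.
sqlite3 stands in for MySQL; the schema and rows are constructed samples.
"""
import json
import sqlite3

# Allowlist of everything the web tier may ask for. There is deliberately
# no operation that accepts SQL text from the caller.
OPERATIONS = {
    "get_customer": {
        "sql": "SELECT id, name, email FROM customers WHERE id = :id",
        "params": {"id": int}, "kind": "one"},
    "list_orders": {
        "sql": "SELECT id, course, amount FROM orders "
               "WHERE customer_id = :customer_id ORDER BY id",
        "params": {"customer_id": int}, "kind": "many"},
    "add_order": {
        "sql": "INSERT INTO orders (customer_id, course, amount) "
               "VALUES (:customer_id, :course, :amount)",
        "params": {"customer_id": int, "course": str, "amount": float},
        "kind": "write"},
}


def _check_type(name, value, typ):
    """Return value coerced to typ or raise ValueError.
    bool is rejected explicitly because it subclasses int in Python."""
    if isinstance(value, bool):
        raise ValueError(f"bad type for {name}")
    if typ is float and isinstance(value, int):
        return float(value)          # JSON "150" arrives as int; accept it
    if not isinstance(value, typ):
        raise ValueError(f"bad type for {name}")
    return value


class MiddleTier:
    """Internal-network side: the only place a DB library is loaded."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.row_factory = sqlite3.Row

    def handle(self, request: bytes) -> bytes:
        try:
            req = json.loads(request)
            op = OPERATIONS.get(req.get("op"))
            if op is None:
                raise ValueError("unknown operation")
            params = req.get("params", {})
            if set(params) != set(op["params"]):
                raise ValueError("unexpected parameter set")
            bound = {n: _check_type(n, params[n], t)
                     for n, t in op["params"].items()}
            cur = self.conn.execute(op["sql"], bound)   # always parameterised
            if op["kind"] == "write":
                self.conn.commit()
                result = {"rowid": cur.lastrowid}
            elif op["kind"] == "one":
                row = cur.fetchone()
                result = dict(row) if row is not None else None
            else:
                result = [dict(r) for r in cur.fetchall()]
            return json.dumps({"ok": True, "result": result}).encode()
        except (ValueError, AttributeError, TypeError) as exc:
            return json.dumps({"ok": False, "error": str(exc)}).encode()
        except sqlite3.Error:
            # Never echo driver errors back into the DMZ.
            return json.dumps({"ok": False, "error": "database error"}).encode()


class WebTierClient:
    """DMZ side: knows operation names and JSON, nothing about SQL.
    `send` is the transport to the middle tier (here a direct call)."""

    def __init__(self, send):
        self.send = send

    def call(self, op, **params):
        raw = json.dumps({"op": op, "params": params}).encode()
        reply = json.loads(self.send(raw))
        if not reply["ok"]:
            raise RuntimeError(reply["error"])
        return reply["result"]


def build_demo():
    """Constructed sample database plus a client wired to the middle tier."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                             course TEXT, amount REAL);
        INSERT INTO customers VALUES (1, 'Ada', 'ada@example.com');
        INSERT INTO customers VALUES (2, 'Grace', 'grace@example.com');
    """)
    return WebTierClient(MiddleTier(conn).handle)


def demo():
    client = build_demo()
    out = {"customer": client.call("get_customer", id=1),
           "order": client.call("add_order", customer_id=1,
                                course="CE-101", amount=150),
           "orders": client.call("list_orders", customer_id=1),
           "refused": []}
    # What a compromised web tier cannot do: request raw SQL, smuggle a
    # string where an int is expected, or add parameters the op lacks.
    for bad in ({"op": "raw_sql", "params": {"sql": "SELECT * FROM customers"}},
                {"op": "get_customer", "params": {"id": "1 OR 1=1"}},
                {"op": "get_customer", "params": {"id": 1, "extra": "x"}}):
        reply = json.loads(client.send(json.dumps(bad).encode()))
        out["refused"].append(reply["error"])
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The allowlist is what makes the partition worth having: moving the MySQL client library off the DMZ host only helps if the middle tier does not hand back an equivalent "run this SQL" capability, so every operation is named, typed and parameterised on the internal side.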

