From: Grant Peel
> From: "Michael A. Peters"
>> Grant Peel wrote:
>>> Good Morning / Afternoon,
>>>
>>> We run several of our own servers:
>>>
>>> - Dell Power Edge 1U, Pentium,
>>> - FreeBSD (6.x soon to be 7.x)
>>> - along with all the standard Web Application installation (PHP, Apache,
>>> Exim, Pop3, Proftp, MySQL etc etc).
>>>
>>> What I am asking here is if anyone in this community has the knowledge
>>> to act as a security consultant on an occasional, as-required basis.
>>> Anyone interested should have experience with Apache, PHP, Perl on the
>>> FreeBSD platform.
>>
>> No experience with FreeBSD and probably not enough with Perl - but whoever
>> you hire, make sure they suggest your php build is hardened by suhosin -
>> both the core php patch and the loadable module.
>>
>
> Hi Again all,
>
> I am not sure what to make of all the chatter on this post ....
>
> To date, I have not received any sincere replies, which is a bit surprising.
> I am thinking that this job would be easy money for someone who already
> knows the ins and outs of php/Apache from a security standpoint.
>
> I already have the suhosin patch applied (it is applied as part of the default
> FreeBSD php port).
>
> Anyways, the offer is still out there if anyone is interested.

Hi Grant,

First off, I believe you are asking on the wrong list. Server security is an advanced topic, well outside the experience of most novice PHP developers. You would be better off asking on some of the advanced Apache or Perl Monks mailing lists.

Second, from your brief description, I can easily picture a full-time job with lots of overtime hours, not something most consultants will be interested in. Security is not easy to do correctly, particularly if you are not responsible and accountable for the outcome or don't have full authority and management support. We currently have a team of five people who are jointly responsible for the security of our servers and networks. Each of them spends more than 20% of their time on that portion of their job.

And finally, there are companies that do what you asked for. Gibson Research(*) is the first one that comes to mind <www.grc.com>. They also provide monitoring services to keep an eye out for intrusions on your servers once they have been hardened. Foundstone(**) is another <www.foundstone.com>.

Good luck,

Bob McConnell
Senior Software Engineer
The CBORD Group, Inc.
61 Brown Road
Ithaca NY, 14850
Phone 607 257-2410
FAX 607 257-1902
Email rvm@xxxxxxxxx
Web www.cbord.com

(*) No relationship exists nor is implied, we're not even a customer. I just like his style. Plus his Shields Up test gave my home firewall a perfect score.

(**) We have occasionally hired these folks to do training and intrusion audits.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php