[nycphp-talk] Liability protection for consultants?
Brian Kaney
brian at vermonster.com
Wed Feb 9 19:23:58 EST 2005
On Wed, 2005-02-09 at 19:01, leam at reuel.net wrote:
> I'm looking at doing some side work setting up CMS and shopping carts for small businesses. The web-host I use has a few offerings that are php based and I'm looking at the requirements and set up to see which one I'd want to support.
>
> OScommerce requires register globals to be on, and Zen Cart requires some world-writeable directories in the DocumentRoot. THe other possibilites are AgoraCart, Interchange Cart, and CubeCart.
We started a project with OSCommerce and found it to be a hairball of
code/presentation and security issues. It was really a pain to extend
without bastardizing core code.
We ended up scrapping it and using IC (interchange). The documentation
is bad (they really need a wiki-doc-project), and we re-wrote most of
the templates (they were filled with "legacy" HTML coding -- i.e tables
within tables, inline styling, etc,).
But after you get going on IC, it is a quite stable, secure and very
extensible platform. My favorite part is IC uses a daemon process to
handle all the heavy lifting, while completely detaching critical
procedures from the client. The "catalog" (or store-related files) are
completely separate from core and you can also override any core
functions with your own without breaking core stuff. This all points to
a solid framework.
>
> I'm reading Chris' security workbook and trying to critically review anything that deals with money. My biggest fear is that one of my customers has a compromise and the public image of the business goes so bad that they lose their business.
>
> Yeah, I'm generally a "worst case scenario" sort of guy...
>
> How do you protect yourself against liability, and more importantly how do you give the customer the security they deserve?
>
You can protect yourself and clients with a software license. You are
protected by the IP portion and your clients by the warranty section.
Here you can mitigate your clients risk by taking some or all of it on,
even offer your clients full indemnification, all for a charge. Or, as
the other extreme, us "AS IS" verbiage. You can also sell warranties
for many OSS (but refer to the specific license for the project).
The OSRM group also offers insurance for open source stuff.
http://www.osriskmanagement.com/
Redhat and HP offer indemnification protection for their Linux-based
products.
- Brian
More information about the talk
mailing list