application security
There are 45 entries for the tag application security
The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center. I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies for my mobile phone web access? Or am I the one that’s currently assigned to my laptop – the one that will change tomorrow because today I am...
posted @ Thursday, March 04, 2010 3:54 AM

The W3C specification now offers the means by which cross-origin AJAX requests can be achieved. Leveraging network and application network services in conjunction with application-specific logic improves security of allowing cross-domain requests and has some hidden efficiency benefits, too. The latest version of the W3C working draft on “Cross-Origin Resource Sharing” lays out the means by which a developer can use XMLHTTPRequest (in Firefox) or XDomainRequest (in IE8) to make cross-site requests. As is often the case, the solution is implemented by extending HTTP headers, which makes the specification completely backwards and cross-platform compatible even if the...
posted @ Tuesday, February 09, 2010 4:18 AM

We worry about VM sprawl but what about device sprawl? Management of a multitude of network-deployed solutions can be as operationally inefficient as managing hundreds of virtual machines, and far more detrimental to the health and performance of your applications. Turning them all into virtual network appliances that might need scaling themselves? That’s even badder. But all you hardware fanbois best not smirk too much because the proliferation of hardware network devices is only slightly less badder than the potential problems arising from virtual network appliance sprawl. WAIT, WHY IS DEVICE SPRAWL BAD AGAIN?...
posted @ Friday, February 05, 2010 4:02 AM

Like peanut-butter and jelly, cloud computing and application acceleration are just better together. Ann Bednarz of Network World waxes predictive regarding 2010 trends in application delivery and WAN optimization in WAN optimization in 2010. One of the interesting tidbits she offers from research firm Gartner is growth in the application acceleration market: Second, the research firm is predicting a return to modest growth for the application acceleration market in 2010. Gartner is forecasting a compound annual growth rate of 12.22%, with 2014 revenue of $4.27 billion. This, when viewed alongside...
posted @ Thursday, December 17, 2009 3:21 AM

Cloud computing environments are just as suited to illegitimate use as legitimate use. Do providers need a way to separate the chaff from the wheat to reassure enterprise-class customers that they’re doing everything they can to eliminate the hijacking of cloud computing resources for nefarious purposes? One of the negatives of being the technology darling du jour is that every misstep, problem, and outage is immediately jumped on and reported everywhere. Amazon is particularly susceptible to such coverage, being recognized as one of the leaders in public cloud computing. Last week Amazon suffered yet another outage, true, but...
posted @ Tuesday, December 15, 2009 3:42 AM

Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting this criterion are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...
posted @ Monday, November 30, 2009 4:47 AM

Google’s desire to speed up the web via a new protocol is laudable, but the SPDY protocol would require massive changes across networks to support. ArsTechnica had an interesting article on one of Google’s latest projects, a new web protocol designed to replace HTTP called SPDY. SPDY uses a single SSL-encrypted session between a browser and a client, and then compresses all the request/response overhead. The requests, responses, and data are all put into frames that are multiplexed over the one connection. This makes it possible to send a higher-priority small file without...
posted @ Tuesday, November 17, 2009 4:20 AM

The question is whether that impact is positive (a reduction) or negative (an increase). One of the biggest threats to data integrity is the introduction of malicious content via SQLi (SQL Injection) attacks. Traditional database access methods don’t provide a lot in the way of validating requests and like HTML the vagaries of SQL allow for myriad ways in which a statement can be constructed – and thus exploited. These vagaries, of course, are one factor in the reason why SQLi continues to plague applications and sites driven by user generated content. Another factor is certainly...
posted @ Monday, November 16, 2009 4:52 AM

Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed.
Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution.
No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability...
posted @ Friday, November 06, 2009 12:30 PM

While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases. A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. ...
posted @ Friday, November 06, 2009 3:43 AM

Brute force attacks by spammers seeking easy access causing frustration for users with no resolution in sight. At least once a day I see someone on Twitter broadcast that they have been “locked out of their Twitter account, temporarily.” A search for “locked out” returns thousands of tweets with a good mixture of some folks who’ve (amusingly) been locked out of apartments/houses/buildings and many that have been temporarily locked out of Twitter. The more technically savvy tweeters like Ray Valdes often mention that it is most likely the result of spammers and miscreants attempting to brute force their...
posted @ Thursday, November 05, 2009 3:27 AM

Malicious links served up in a browser are OS agnostic. They don’t care about the OS because the target is people, not technology. In response to the problem of links and trust put forth in a recent post a reader replies that the answer to “evil links” is simply to run Linux instead of Windows. the very best solution is to run something other than windows, and with ubuntu at its current state of maturity (and free-ness), why wouldn't you? I won’t disagree with the assessment of Ubuntu and its current...
posted @ Friday, October 02, 2009 5:04 AM

If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions. There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security...
posted @ Monday, September 28, 2009 3:50 AM

Why would miscreants bother with other routes when they can go straight to the source? People concerned with security of the cloud are generally worried about illegitimate access of the applications and data they may deploy in the cloud. That’s a valid concern given the needs of certain vertical industries to comply with privacy-focused regulations like HIPAA and PCI DSS. It’s an extremely valid concern given research and studies showing just how vulnerable most web sites and applications are. Hint: it’s more than you probably think it is, and it’s likely your application is vulnerable...
posted @ Tuesday, September 01, 2009 3:32 AM

Amazon EC2 and S3 are no more or less safe than they were last week despite hype around PCI compliance admission. The recent admission/announcement that “Amazon EC2 is not PCI compliant” (this is not exactly true, but we’ll get to that later) has set off a rush of blogs, articles, and tweets that say, in effect, EC2 is no longer “safe”. But a lack of compliance does not make Amazon any less safe than achieving PCI compliance makes a site more safe. Ladies and gentlemen of the Internet, I submit as proof the...
posted @ Tuesday, August 18, 2009 3:29 AM

Back when I was developing GIS data translation software I had to fight security all the time. My desktop was so locked down I couldn’t compile the code because I didn’t even have appropriate permission to access the file system. Why? The guy in charge of security was so paranoid about someone doing something they shouldn’t that he completely missed the other half of his responsibility: ensuring people had access to data and information and systems to which they legitimately had a need to access. The potential impact of a data/security breach is so high these days that...
posted @ Wednesday, August 12, 2009 3:45 AM

For some companies there’s never been a quantifiable financial impact from attacks. Cloud may change that. One of the frustrations with information security is that it’s always difficult – if not impossible – to quantify risk. Without the ability to quantify risk, it’s often the case that solutions that would mitigate the risk are left unimplemented because there’s no way to prove that the risk would turn into a breach, downtime, or other revenue impacting incident. Take the recent PayPal outage. Estimates are that the hour of downtime for the payment processing king might have...
posted @ Wednesday, August 05, 2009 3:37 AM

Apparently if you’re attending the USENIX Security conference (August 12-14, 2009, in Montreal, Canada) you can participate in the Security Grand Challenge. What is that, you ask? Here’s how the organizers describe it: The concept is very simple. The participant teams will have to use their science and technical skill to create an environment where a server can function with integrity and minimum required service levels even when under attack. On the day of the competition, each participant team will receive a virtualized server, with a number of services. The services might...
posted @ Tuesday, July 14, 2009 2:59 AM

The inclusion of a web server gives attackers clear line-of-sight to their targets. There have been a few articles on Opera Unite that have called into question the security of the decision to include a web server with the browser. Most of those discussions have centered around the ability to muck with files not intended by the host to be shared, but given current infection techniques there’s a far greater danger to Opera: mass injection attacks. As is often pointed out, current attack techniques are not necessarily targeting web sites per se, but are intended to infect...
posted @ Friday, June 19, 2009 3:56 AM

It certainly sounds reasonable: networks are moving toward a perimeter-less model so the line between internal and external network is blurring. The introduction of cloud computing as overdraft protection (cloud-bursting) further blurs that perimeter such that it’s more a suggestion than a rule. That makes the idea of encrypting everything whether it’s on the internal or external network seem to be a reasonable one. Or does it?
THE IMPACT ON OPERATIONS
A recent post posits that PCI Standard or Not, Encrypting Internal Network Traffic is a Good Thing....
posted @ Thursday, May 28, 2009 4:02 AM

Risks with virtualization are the same as it ever was, but different. Hoff makes a good point about cloud security last month in his “The Cloud is a Fickle Mistress: DDoS&M” which was, if I may quote, “it’s the oldies and goodies that will come back to haunt us.” In other words, it’s the well-known, well-understood protocol-based attacks of uncloud computing that will be problematic for cloud computing. Security in virtualized environments and “the cloud” is indeed the “same as it ever was.” And yet it’s different, too.
COLLATERAL DAMAGE
While it’s...
posted @ Tuesday, May 12, 2009 3:45 AM

Zero-day IE exploits and general mass SQL injection attacks often overshadow potentially more dangerous exploits targeting lesser known applications and attack vectors. These exploits are potentially more dangerous because once proven through a successful attack on these lesser known applications they can rapidly be adapted to exploit more common web applications, and no one is specifically concentrating on preventing them because they're, well, not so obvious.
Recently, SANS Internet Storm Center featured a write up on attempts to exploit Roundcube Webmail via the HTTP Accept header. Such an attack is generally focused on exploitation of operating system, language, or environmental...
posted @ Thursday, January 15, 2009 9:12 AM

Everyone is buzzing and tweeting about the SANS Institute CWE/SANS Top 25 Most Dangerous Programming Errors, many heralding its release as the dawning of a new age in secure software. Indeed, it's already changing purchasing requirements. Byron Acohido reports that the Department of Defense is leading the way by "accepting only software tested and certified against the Top 25 flaws." Some have begun speculating that this list obviates the need for web application firewalls (WAF). After all, if applications are secured against these vulnerabilities, there's no need for an additional layer of security. Or is there? ...
posted @ Wednesday, January 14, 2009 4:22 AM

In the face of a recession everyone, individuals and organizations alike, begin scaling back spending. The first thing to go is luxury items; after all, you probably didn't need that big screen TV for Christmas, and the kids will likely be just as happy with used video games as they would with new ones. IT departments quickly scale back as well, putting off larger, more costly projects that aren't critical to the core business and re-evaluating much of their infrastructure in an attempt to cut costs and reduce the impact of the hardware and software costs of running...
posted @ Monday, December 08, 2008 3:52 AM

One password to fool them all
One password to find them
One password to steal them all
and in the ether become them
[with many apologies to J.R.R. Tolkien]
For years we've had it beat into...
posted @ Monday, October 20, 2008 4:02 AM

Not every infrastructure vendor needs new capabilities to support cloud computing and infrastructure 2.0. Greg Ness of Infoblox has an excellent article on "The Next Tech Boom: Infrastructure 2.0" that is showing up everywhere. That's because it raises some interesting questions and points out some real problems that will need to be addressed as we move further into cloud computing and virtualized environments. What is really interesting, however, is the fact that some infrastructure vendors are already there and have been for quite some time. One thing Greg mentions that's not quite accurate (at least...
posted @ Friday, October 17, 2008 3:58 AM

One of the most dangerous threats to data security is also one of the least talked about: employees. Are Twitter and other microblogging sites yet another avenue through which sensitive data can leak out of the corporate database and into the hands of ... anyone? Perhaps more worrisome, what information are you giving away simply by being a part of the community? Of course Twitter is a potential threat. Like personal e-mail accounts and instant messaging, Twitter and sites of its ilk are primarily messaging mechanisms, which translates into personal channels for exporting sensitive data outside the...
posted @ Thursday, October 16, 2008 4:00 AM

One of the arguments against the deployment of web application firewalls (WAF) is that it takes time to configure these devices to fit each individual environment. This is allegedly one of the reasons that secure coding is preferred over security devices. But it takes time to code solutions and deploy them, too. In fact, depending on the lifecycle management at any given organization, it can take more time to code a solution and get it moved through a phased environment into production. One of the benefits of an application delivery platform and web application security deployed at...
posted @ Monday, September 29, 2008 4:38 AM

Don and I were discussing security as a service and, as usual, he spouted off some wisdom in the form of an analogy that was too good not to share. When you're walking down the street with your entourage and an angry, I mean really angry, man steps out in front of you with a lead pipe, where should your bodyguard be? Yeah, that was my thought, too. He should be in front of me to stop the threat before I have to react. Even though the threat may not hit...
posted @ Tuesday, August 26, 2008 5:01 AM

Greg Ferro over at My Etherealmind has a, for lack of a better word, interesting entry in his Network Dictionary on the term "Application Delivery Controller."
He says:
Application Delivery Controller (ADC) - Historically known as a “load balancer”, until someone put a shiny chrome exhaust and new buttons on it and so it needed a new marketing name.
However, the Web Application Firewall and Application Acceleration / Optimisation that are in most ADC are not really load balancing so maybe it's alright.
Feel free to call it a load balancer when the sales rep is on the ground, guaranteed to...
posted @ Friday, August 22, 2008 4:49 AM

As a child of the 80s I lived under an umbrella of fear surrounding nuclear everything. Living fairly close to a nuclear power plant, we all heard the words "chain reaction" a lot, and though we didn't understand the science we did know that it was a Very Bad Thing™ and like children in the 60s we were taught to hide under a desk in the event of a catastrophe. Now, one of the benefits of SOA is reuse. Business services provide consistency across multiple applications when they are reused both for data and for processes. This is...
posted @ Thursday, August 14, 2008 3:32 AM

Nothing. At least not from an attacker's perspective. A blog is an individual content management system, requiring storage (either database or flat file) and the ability to write to that storage. Comments allow discussion but also require access to files and/or databases. It's an app, and that means it comes with all the baggage today's web applications necessarily come with: vulnerabilities. Those vulnerabilities are likely to become more visible as more organizations adopt blogging and other Web 2.0 applications in the next two years. Analyst firm Gartner recently highlighted 27 technologies in its 2008 Hype Cycle for...
posted @ Wednesday, August 13, 2008 3:35 AM

An ant named Archimedes is in a hole 6' deep. He climbs half the distance to the top every hour. How long does it take for him to escape the hole? Trick question. He can never, mathematically, escape. Realistically, we know that when Archimedes gets close to the top he will escape because he is actually longer than the amount of hole he has left to go. But what if every hour that Archimedes climbed the hole expanded 6" and thus changed the equation? He'd be one frustrated ant, that's what he'd be. That's how...
posted @ Monday, August 11, 2008 3:54 AM

Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug-in all sorts of modules to enhance the functionality of Apache.
But as I often say, just because you can doesn't mean you should.
One of the modules you can install is mod_security. If you aren't familiar with mod_security, essentially it's a "roll your own" web application firewall plug-in for the Apache web server.
Some of the security functions you can implement via mod_security are:
Simple filtering
...
posted @ Wednesday, July 23, 2008 5:53 AM

Of all the reasons you need an application delivery controller capable of bi-directional inspection of application data, this is one of the best. I was trying to check out the results of a poll on PollDaddy.com and ended up with this beautiful Microsoft .NET error page, filled with so much valuable information that potential attackers must even now be laughing in that "evil genius" laugh you so often hear in retro-cartoons. This error page tells me so many things about the application, its environment, and its associated infrastructure that it should be a crime to let this information...
posted @ Tuesday, July 22, 2008 8:46 AM

Not all DoS (Denial of Service) attacks are the same. While the end result is to consume as much - hopefully all - of a server or site's resources such that legitimate users are denied service (hence the name) there is a subtle difference in how these attacks are perpetrated that makes one easier to stop than the other.
SYN Flood
A Layer 4 DoS attack is often referred to as a SYN flood. It works at the transport protocol (TCP) layer. A TCP connection is established in what is known as a 3-way handshake. The client...
posted @ Tuesday, July 08, 2008 4:31 AM

One of Dre's reasons (#7 to be exact) to wait on Web Application Firewalls (WAFs) involves the use of WAFs at notable sites that have been breached. Dre says: 7. Every organization that has installed a blocking WAF has also been in the media for known, active XSS and/or SQL injection I'm assuming that what Dre really meant with this one was that every organization in the media known for being breached has also had a blocking WAF deployed, not that every organization with a blocking WAF has been breached. If I'm...
posted @ Thursday, June 26, 2008 3:41 AM

Verizon Business recently released its 2008 Data Breach Investigations Report, covering more than 500 different security breach incidents occurring in the past four years. It's a fascinating read and should be mandatory for business and IT professionals alike. The report should be of assistance to those attempting to decide whether to comply with requirement 6.6 of PCI DSS by deploying an application firewall or engaging in code reviews. The answer? Both are necessary; not because the standard requires both, but because employing both will provide the best coverage across a varied set of attacks. Verizon's report indicates that...
posted @ Thursday, June 19, 2008 4:08 AM

According to a recent ComputerWorld article, most retailers aren't ready for the forthcoming June deadline for PCI DSS compliance. From ComputerWorld :: Few expected to make June 30 PCI deadline for Web application security Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance with either a specialized firewall or web application software code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are "quick fixes,"...
posted @ Wednesday, May 14, 2008 7:03 AM

This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs. The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector. CIO Challenges ...
posted @ Friday, May 09, 2008 8:15 AM

Do you have a .plan for your .com? You should. Remember when users had a .plan? When the screech of a modem was the most annoying sound you'd hear while online? When multiplayer interaction meant joining a MUD, MOO, or MUSH? When FTP was the only way to transfer files, and if you wanted to chat you'd hop on #IRC? When discussions were for newsgroups, if you ignored alt.binaries.pictures.anything, which was certainly not for discussions. It wasn't necessarily the proliferation of broadband that caused a massive leap in users on the Internet. Just as there are plenty of...
posted @ Thursday, April 03, 2008 4:09 PM

REST (Representational State Transfer) has been growing in usage, especially with support from early service adopters like Amazon, Google, and eBay. One of the issues often raised in conjunction with REST is the lack of a WSDL (Web Services Description Language) like contract that describes the resources available. The folks over at java.net have come up with what may well be the answer: WADL (Web Application Description Language). Example of WADL for Amazon's Search Service from the specification: <application xmlns="http://research.sun.com/wadl/2006/07" xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><grammars> <include href="AWSECommerceService.xsd"/></grammars> <resources base="http://webservices.amazon.com/onca/"> <resource path="xml"> <method href="#ItemSearch"/> </resource> </resources> <method name="GET" id="ItemSearch"> <request> <param name="Service" style="query" fixed="AWSECommerceService"/> <param name="Version"...
posted @ Wednesday, July 25, 2007 9:34 AM

Over the past few weeks we've examined the issues inherent with Web 2.0 and in particular AJAX-based applications. These issues need to be dealt with, but they should not be considered "show stoppers" to moving ahead with your Web 2.0 initiative. Consider the security ramifications of the design, implementation, and deployment of your new application carefully. Build security into your new application up front and you'll certainly be able to decrease the potential risks associated with this growing technology. Consider the following methods to CUT the RISK associated with deploying Web 2.0 applications:
• Check VA tools for AJAX...
posted @ Monday, July 23, 2007 8:29 AM

This is Part 4 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "H".
Hidden URLs
AJAX and Web 2.0 work because of the use of the XMLHTTPRequest object via JavaScript to invoke remote calls on...
posted @ Wednesday, July 18, 2007 12:38 PM

This is Part 3 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "S".
Scripting-based
Web 2.0 technologies, specifically AJAX, are based on the execution of scripts. As we mentioned in Part I of...
posted @ Wednesday, July 11, 2007 1:11 PM