Lori MacVittie - Two Different Socks

security

There are 264 entries for the tag security

We tend to assume characteristics upon hearing the term #mobile. We probably shouldn’t… There are – according to about a bazillion studies – 4 billion mobile devices in use around the globe. It is interesting to note that nearly everyone who cites this statistic and then attempts to break it down into useful data (usually for marketing) almost always does so based on OS or device type – but never, ever, ever based on connectivity. Consider the breakdown offered by W3C for October 2011. Device type is the chosen...

posted @ Monday, February 13, 2012 7:18 AM | Feedback (0)

#infosec #adcfw #cloud Alternate title: How to take out an entire PaaS cloud with one vulnerability Apache Killer. Post of Doom. What do these two vulnerabilities have in common? Right, they’re platform-based vulnerabilities. Meaning they are vulnerabilities peculiar to the web or application server platform upon which applications are deployed. Mitigations for such vulnerabilities generally point to changes in configuration of the platform – limit post size, header value sizes, turn off some value in the associated configuration. But they also have something else in common – risk. And not just risk...

posted @ Wednesday, February 08, 2012 5:26 AM | Feedback (0)

#adcfw #infosec F5 is changing the game on security by unifying it at the application and service delivery layer. Over the past few years we’ve seen firewalls fail repeatedly. We’ve seen business disrupted, security thwarted, and reputations damaged by the failure of the very devices meant to prevent such catastrophes from happening. These failures have been caused by a change in tactics from invaders who no longer seek to find a way through or over the walls, but who simply batter them down instead. A combination of traditional attacks – network-layer – and modern attacks – application-layer – have...

posted @ Friday, January 27, 2012 4:45 AM | Feedback (0)

#mobile #vdi #IPv6 In the case of technology – as with mythology - the whole is often greater (and more challenging) than the sum of its parts. The chimera is a mythological beast of scary proportions. Not only is it fairly large, but it’s also got three, independent heads – traditionally a lion, a goat, and a snake. Some variations on this theme exist, but the basic principle remains: it’s a three-headed, angry beast that should not be taken lightly should one encounter it in the hallway. Individually, one might have a strategy to...

posted @ Wednesday, January 25, 2012 3:56 AM | Feedback (0)

#mobile #fasterapp #ccevent Today, at least. Tomorrow, who knows? Some have tried to distinguish between “mobile cloud” and “cloud” by claiming the former is the use of the web browser on a mobile device to access services while the latter uses device-native applications. Like all things cloud, the marketing fluff is purposefully obfuscating and sweeping under the rug the technology required to make things work for consumers, whether those consumers be your kids or IT professionals. Infrastructure is not eliminated when organizations take to the cloud nor do the constraints of web-based protocols and methodologies become...

posted @ Monday, January 23, 2012 4:42 AM | Feedback (1)

#adcfw #RSAC #infosec The focus on bandwidth and traffic continues to distract from the real problems with traditional inbound protections … The past year brought us many stories focusing on successful attacks on organizations for a wide variety of reasons. Why an organization was targeted was not nearly as important as the result: failure to prevent an outage. While the volume of traffic often seen by these organizations was in itself impressive, it was not always the volume of traffic that led to the outage, but rather what that traffic was designed to do: consume resources. ...

posted @ Friday, January 20, 2012 5:11 AM | Feedback (0)

#adcfw #RSAC Attackers have outflanked your security infrastructure Many are familiar with the name of the legendary Alexander the Great, if not the specific battles in which he fought. And even those familiar with his many victorious conquests are not so familiar with his contributions to his father’s battles in which he certainly honed the tactical and strategic expertise that led to his conquest of the “known” world. In 339 BC, for example, then Macedonian King Phillip II – the father of Alexander the Great – became engaged in a battle...

posted @ Tuesday, January 17, 2012 5:19 AM | Feedback (0)

#adcfw #RSAC Traditional strategy segregates delivery from security. Traditional strategy is doing it wrong… Everyone, I’m sure, has had the experience of calling customer service. First you get the automated system, which often asks for your account number. You know, to direct you to the right place and “serve you better.” Everyone has also likely been exasperated when the first question asked by a customer service representative upon being connected to a real live person is … “May I have your account number, please?” It’s frustrating and, for everyone involved, it’s...

posted @ Thursday, January 12, 2012 5:33 AM | Feedback (0)

#infosec #DNS #v11 DNS is like your mom, remember? Sometimes she knows better. Generally speaking, blackhole routing is a problem, not a solution. A route to nowhere is not exactly a good thing, after all. But in some cases it’s an approved and even recommended solution, usually implemented as a means to filter out bad packets at the routing level that might be malformed or are otherwise dangerous to pass around inside the data center. This technique is also used at the DNS layer as a means to prevent responding to queries with known infected or...

posted @ Friday, January 06, 2012 4:32 AM | Feedback (0)

#fasterapp If you know these three axioms, then you’ll know application delivery when you see it. Like most technology jargon, there are certain terms and phrases that end up mangled, conflated, and generally misapplied as they gain traction in the wider market. Cloud is merely the latest incarnation of this phenomenon, and there will be others in the future. Guaranteed. Of late the term “application delivery” has been creeping up into the vernacular. That could be because cloud has pushed it to the fore, necessarily. Cloud purports to eliminate the “concern” of...

posted @ Wednesday, January 04, 2012 4:04 AM | Feedback (0)

#bigdata #infosec Storing sensitive data in the cloud is made more palatable by applying a little security before the data leaves the building… When corporate hardware, usually laptops, are stolen, one of the first questions asked by information security professionals is whether or not the data on the drive was encrypted. While encryption of data is certainly not a panacea, it’s a major deterrent to those who would engage in the practice of stealing data for dollars. Many organizations are aware of this and use encryption judiciously when data is at rest in the data center...

posted @ Friday, December 16, 2011 4:43 AM | Feedback (0)

#adcfw The reason bars place bouncers at the door is because it’s easier and less risky to prevent entry than to root out later. No one ever said choosing a career in IT was going to be easy, but no one said it had to be so hard you’d be banging your head on the desk, either. One of the reasons IT practitioners end up with large, red welts on their foreheads is because data centers tend to become more, not less, complex, and along with complexity comes operational risk. Security, performance, availability. These three inseparable issues often...

posted @ Wednesday, December 14, 2011 3:48 AM | Feedback (0)

#devops An ecosystem-based data center approach means accepting the constancy of change… It is an interesting fact of life for aquarists that the term “stable” does not actually mean a lack of change. On the contrary, it means that the core system is maintaining equilibrium at a constant rate. That is, the change is controlled and managed automatically either by the system itself or through the use of mechanical and chemical assistance. Sometimes, those systems need modifications or break (usually when you’re away from home and don’t know it and couldn’t do anything about it if you...

posted @ Monday, November 28, 2011 4:27 AM | Feedback (0)

#devops It’s a simple equation, but one that is easily overlooked. Most folks recall, I’m sure, the Pythagorean Theorem. If you don’t, what’s really important about the theorem is that any side of a right triangle can be computed if you know the other sides by using the simple formula a² + b² = c². The really important thing about the theorem is that it clearly illustrates the relationship between three different pieces of a single entity. The lengths of the legs and hypotenuse of a triangle are intimately related; variations in one impact...

posted @ Wednesday, November 23, 2011 5:49 AM | Feedback (2)

Who is most responsible for determining the adequacy of security in the cloud in your organization? Dome9, whom you may recall is a security management-as-a-service solution that aims to take the complexity out of managing administrative access to cloud-deployed servers, recently commissioned research on the subject of cloud computing and security from the Ponemon Institute and came up with some interesting results that indicate cloud chaos isn’t confined to just its definition. The research, conducted this fall and focusing on the perceptions and practices of IT security practitioners, indicated that 54% of respondents felt IT operations and infrastructure personnel...

posted @ Monday, November 14, 2011 4:25 AM | Feedback (0)

New survey shows firewalls falling to application and network DDoS with alarming frequency… With the increasing frequency of successful DDoS attacks there has come a few studies focusing on organizational security posture – readiness, awareness, and incident rate as well as costs of successful attacks. When Applied Research conducted a study this fall on the topic, it came with some expected results but also uncovered some disturbing news – firewalls fail. Often. More often, in fact, than we might like to acknowledge. That’s troubling because it necessarily corresponds to the success rate of attacks and, interestingly, the...

posted @ Friday, November 11, 2011 4:19 AM | Feedback (1)

#HTML5 Web Sockets are poised to completely change scalability models … again. Using Web Sockets instead of XMLHTTPRequest and AJAX polling methods will dramatically reduce the number of connections required by servers and thus has a positive impact on performance. But that reliance on a single connection also changes the scalability game, at least in terms of architecture. Here comes the (computer) science… If you aren’t familiar with what is sure to be a disruptive web technology you should be. Web Sockets, while not broadly in use (it is only a specification, and a...

posted @ Monday, November 07, 2011 4:36 AM | Feedback (1)

Being too quick to shout “cloud” when the solution may be found elsewhere can lead to unintended consequences. As with all technology caught up in the hype cycle, cloud computing is often attributed with being “the solution” to problems irrespective of reality. Cloud is suddenly endowed with supernatural powers, able to solve every business and operational challenge merely by being what it is. Take, for example, the attribution of cloud as being “the solution” to the very real issue of severe snow in the UK. Cloud solutions can...

posted @ Friday, November 04, 2011 5:16 AM | Feedback (0)

#infosec #apt Advanced persistent threats are the new black in security. A more context-aware architecture may help avoid compromise and the ensuing ambush.  Meet the new attack, same as the old attack. That’s because it is an old attack. Really. It’s an attack that’s already been executed, the results of which have lain dormant waiting for the highest bidder to lease it out. Advanced persistent threats or APT are not new, but because of their longevity are only beginning to receive the attention they deserve. An APT is so named because the exploit mechanism is deposited long before...

posted @ Wednesday, November 02, 2011 4:34 AM | Feedback (0)

The THC #SSL #DoS tool exploits the rapid resource consumption nature of the handshake required to establish a secure session using SSL. A new attack tool was announced this week and continues to follow in the footsteps of resource exhaustion as a means to achieve a DoS against target sites. Recent trends in attacks show an increasing interest in maximizing effect while minimizing effort. This means a move away from traditional denial of service attacks that focus on overwhelming sites with traffic and toward attacks that focus on rapidly consuming resources, instead. Both have the same ultimate goal: overwhelming infrastructure,...

posted @ Friday, October 28, 2011 5:33 AM | Feedback (0)

Infrastructure architecture is often the answer to many of IT’s most challenging issues. It is a fact of IT that different businesses have different technical requirements in terms of security, processing, performance, and even storage. In many organizations, particularly those that transport sensitive personal or financial information, end-to-end encryption is a must. At first glance this seems to be a fairly simple thing – enable a secure transport from client to server and vice-versa and voila! But further exploration reveals that this isn’t the case, primarily because it’s never a straight shot between the client and the server...

posted @ Wednesday, October 26, 2011 5:46 AM | Feedback (0)

When nearly half of folks experienced a stateful firewall failure under attack last year[1], maybe more of the same isn’t the right strategy. [1] Arbor Networks, Network Infrastructure Security Report ...

posted @ Tuesday, October 11, 2011 5:45 AM | Feedback (1)

#vmware An infrastructure architecture that overcomes VMware View concurrency limitations. Sheer volume and geographically disparate deployment of VMware View pods can result in a confusing array of locations from which users must choose to find their preferred desktop. Currently, View deployments are called “pods” and each is limited to a maximum of 10,000 concurrent users. That may seem an unlikely upper limit to hit, but there are organizations for which that number is an issue. Every additional 10,000 concurrent users requires a unique supporting infrastructure along with a unique endpoint – a URL – to...

posted @ Friday, September 30, 2011 7:44 AM | Feedback (0)

Friends, foes, Internet-denizens … lend me your browser.  Were you involved in any of the DDoS attacks that occurred over the past twelve months? Was your mom? Sister? Brother? Grandfather? Can you even answer that question with any degree of certainty? Reality is that the reason for attack on the web is subtly shifting to theft not necessarily of data, but of resources. While the goal may still be to obtain personal credentials for monetary gain, it is far more profitable to rip hundreds or thousands of credentials from a single source...

posted @ Monday, September 26, 2011 5:59 AM | Feedback (1)

Cookies as a service enabled via infrastructure services provide an opportunity to improve your operational posture. Fellow DevCentral blogger Robert Haynes posted a great look at a UK law regarding cookies. Back in May a new law went into effect regarding “how cookies and other “cookie-like” objects are stored on users’ devices.” If you haven’t heard about it, don’t panic – there’s a one-year grace period before enforcement begins and those £500 000 fines are being handed out. The clock is ticking, however. What do the new regulations say? Well essentially whereas cookies...

posted @ Wednesday, September 14, 2011 3:04 AM | Feedback (2)

Ever hear the saying, “Closing the barn door after the horse has already left?” It’s not a good thing, and Dome9 aims to make sure you close the (cloud) barn door before the horse bolts – not after. An interesting* side-effect of deploying applications in public cloud computing environments is the fact that access to management functions is often, necessarily, accessible to anyone. We rely instead on credentials and API keys to prevent unauthorized access and, given that we really can’t do much more than that based on the external constraints placed upon us...

posted @ Tuesday, September 13, 2011 2:37 AM | Feedback (0)

#v11 Logging, necessary for a variety of reasons in the data center, can consume resources and introduce undesirable latency. Avoiding that latency improves application performance and in some cases, the quality of logs. Logging. It’s mandatory and, in some industries, critical. Logs are used not only for auditing and tracking but for debugging, for data mining and analysis, and in some tiers of the architecture, replication and synchronization of data. Logs are a critical component across the data center, of that there is no doubt. That’s why it’s particularly frustrating to know that the...

posted @ Friday, September 09, 2011 6:01 AM | Feedback (0)

#v11 DNS remains one of the most critical – and necessarily public – services within the data center. Neglect its security at your own peril… DNS is still like your mom. Too often underappreciated and taken for granted, DNS – like many network and infrastructure services – is largely ignored until there’s a problem. Unfortunately for critical services like DNS, firewall, and load balancing, by the time there’s a problem there’s a PROBLEM. It’s important to not only actively manage DNS today, but actively protect it, too. After all, it is the primary means by...

posted @ Friday, September 02, 2011 5:39 AM | Feedback (0)

#infosec A recently discovered 0-day Apache exploit is no problem for BIG-IP. Here’s a couple of different options using F5 solutions to secure your site against it. It’s called “Apache Killer” and it’s yet another example of exploiting not a vulnerability, but a protocol’s behavior. UPDATE (8/26/2011) We're hearing that other Range-* HTTP headers are also vulnerable. Take care to secure against these potential attack vectors as well! In this case, the target is Apache and the “vulnerability” is in the way multiple ranges are handled by the Apache HTTPD server. The RANGE HTTP header is used to request one...

posted @ Friday, August 26, 2011 8:21 AM | Feedback (5)

#infosec #infra2 If you take one thing away from the ability to programmatically control infrastructure components, take this: it’s imperative to maintaining a positive security posture. You’ve heard it before, I’m sure. The biggest threat to organizational security is your own employees. Most of the time we associate that with end-users who, with purposeful intent to do harm, carry corporate information offsite, but just as frequently we cite employees who intended no harm – they simply wanted to work from home and then Murphy’s Law took over, resulting in the inadvertent loss of that sensitive...

posted @ Monday, August 22, 2011 3:37 AM | Feedback (0)

#v11 AJAX, JSON and an ever increasing web application spread increase the odds of succumbing to a breach. BIG-IP ASM v11 reduces those odds, making it more likely you’ll win at the security table. When we use an analogy often enough it becomes pervasive, to the point of becoming an idiom. One such idiom is the expression of the unlikelihood of an event by comparing it to being hit by lightning. The irony is that the odds of being hit by lightning are actually fairly significant – about 1:576,000. Too many organizations view their risk of a breach as being akin to...

posted @ Friday, August 19, 2011 3:43 AM | Feedback (0)

#mobile A single, contextual point of control for access management can ease the pain of managing the explosion of client devices in enterprise environments. Regardless of the approach to access management, ultimately any solution must include the concept of control. Control over data, over access to corporate resources, over processes and over actions by users themselves. The latter requires a non-technological solution – education and clear communication of policies that promote a collaborative approach to security. As Michael Santarcangelo, a.k.a. The Security Catalyst, explains: “Our success depends on our ability to get closer to people, to...

posted @ Monday, August 08, 2011 3:08 AM | Feedback (0)

#v11 Say hello to DNS Express. You may recall we recently expounded upon the need for the next generation of infrastructure to provide more protection of critical DNS services. This is particularly important given recent research on behalf of Verisign that found “60% of respondents rely on their websites for at least 25% of their annual revenue.” Combined with findings that DDoS attacks, DNS failures and attackers comprised 65% of unplanned downtime in the past year, the financial impact on organizations is staggering. We also described the most popular solution today, DNS caching, and...

posted @ Friday, August 05, 2011 6:10 AM | Feedback (1)

#mobile Managing access to resources instead of from devices is the key to a sustainable access management strategy. CSO Online recently reported on the results of a study conducted by Unisys with respect to mobile devices and IT readiness. The article – and report – are full to the brim with interesting statistics regarding not just usage of mobile devices within the enterprise but attitudes of employees toward the necessity of those devices to perform their daily tasks. It also focuses on IT and its awareness – and readiness – to handle the steady influx of mobile...

posted @ Monday, July 18, 2011 4:43 AM | Feedback (0)

Pop Quiz: In recent weeks, which of the following attack vectors have been successfully used to breach major corporation security? (choose all that apply) Phishing, Parameter tampering, SQL Injection, DDoS, SlowLoris, Data leakage. If you selected them all, give yourself a cookie because you’re absolutely right. All six of these attacks have successfully been used recently, resulting in breaches across the globe: International Monetary Fund, US Government – Senate, CIA, Citibank ...

posted @ Friday, July 01, 2011 3:35 AM | Feedback (2)

Don’t get so focused on the trebuchets, mangonels and siege towers that you forget about the sappers. We often compare data center security to castles and medieval defenses. If we’re going to do that, we ought to also consider the nature of attacks in light of the military tactics used to perpetrate such attacks, namely siege warfare. It’s likely more apropos today than it was when the analogy was first made because today organizations are definitely under siege from a variety of attack methods. Most of them are obvious if you have someone on the walls...

posted @ Wednesday, June 22, 2011 3:34 AM | Feedback (1)

#devops #infosec Shared resources do benefit organizations, there’s no arguing about that. But when resources forming the basis of identity are trusted and then inadvertently shared, you may find your (IP) identity misappropriated. In the past two years there have been interesting stories floating around about what happens when IP addresses are “shared” in public cloud computing environments. You’ve no doubt heard how someone spun up an instance and was immediately blacklisted by some other website because the last application assigned that IP address was naughty on the Internets. Organizations have struggled with such issues...

posted @ Monday, May 16, 2011 3:51 AM | Feedback (0)

Though responsibility for taking precautions may be shared, the risk of an incident is always yours and yours alone, no matter who is driving the car. Cloud and security still take top billing in many discussions today, perhaps because of the nebulous nature of the topic. If we break down security concerns in a public cloud computing environment we can separate them into three distinct categories of risk – the infrastructure, the application, and the management framework. Regardless of the model – IaaS, PaaS, SaaS – these categories exist as discrete entities, the differences being only in...

posted @ Monday, May 09, 2011 2:45 AM | Feedback (0)

While everyone was focused on cloud, JSON has slowly but surely been taking over the application development world. It looks like the debate between XML and JSON may be coming to a close with JSON poised to take the title of preferred format for web applications. If you don’t consider these statistics to be impressive, consider that ProgrammableWeb indicated that its “own statistics on ProgrammableWeb show a significant increase in the number of JSON APIs over 2009/2010. During 2009 there were only 191 JSON APIs registered. So far in 2010 [August] there are already 223!” Today there are 1262 JSON APIs registered,...

posted @ Wednesday, April 27, 2011 3:39 AM | Feedback (2)

Managing the other kind of performance in a data center requires the ability to analyze a whole lotta data. Big operational data. “Big data” right now is nearly as hyped as cloud computing. The vast amounts of data collected that need to be shared, integrated, replicated, backed up, and managed is growing at a phenomenal rate. But when folks talk about “big data” they’re focused primarily on application data, on user-generated data, on business data. They are not generally concerned with the other “big data” that threatens to overwhelm data center operations on a daily...

posted @ Friday, April 22, 2011 3:40 AM | Feedback (0)

Two words: be prepared. Way back when, Don was the Scoutmaster for our local Boy Scout Troop. He’d been a Scout and earned his Eagle and, as we had a son entering scouting age, it was a great opportunity for Don to give back and for me to get involved. I helped out in many ways, not the least of which was to help the boys memorize the Scout promise and be able to repeat on demand its Motto (Be Prepared) and its Slogan (Do a good turn daily). Back then there was no Robotics Merit Badge (it was eerily introduced while I...

posted @ Monday, April 18, 2011 3:20 AM | Feedback (1)

It’s not enough to have a strategic point of control; you’ve got to use it, too. One of the primary threats to the positive operational posture of an organization is that of extremely heavy load. Whether it’s from a concerted effort to take down the site (DDoS) or simply an unanticipated flood of legitimate users is really not as important to today’s discussion as understanding the impact both can have not just on your applications, but on their supporting infrastructure. You know, the network “stuff” that sits between the client and your applications, defending...

posted @ Friday, April 01, 2011 3:32 AM | Feedback (1)

When your data center is constantly under pressure to address operational risks, try leveraging some ancient wisdom from King Leonidas and William Wallace. The Battle of Thermopylae is most often remembered for the valiant stand of the "300". In case you aren't familiar, three hundred Spartans (and a supporting cast of city-state nations) held off the much more impressively numbered armies of Xerxes for a total of seven days before being annihilated. A Greek force of approximately 7,000 men marched north to block the pass in the summer of 480 BC. The Persian army, alleged by the ancient...

posted @ Monday, March 28, 2011 3:10 AM | Feedback (2)

What’s worse than the big bad SSL wolf? Bad certificates certifying badder content… ...

posted @ Friday, March 25, 2011 8:39 AM | Feedback (0)

Internal processes may be the best answer to mitigating risks associated with third-party virtual appliances. The enterprise data center is, in most cases, what aquarists would call a “closed system.” This is to say that from a systems and application perspective, the enterprise has control over what goes in. The problem is, of course, those pesky parasites (viruses, trojans, worms) that find their way in. This is the result of allowing external data or systems to enter the data center without proper security measures. For web applications we talk about things like data scrubbing and web...

posted @ Monday, March 14, 2011 3:07 AM | Feedback (0)

Sometimes vulnerabilities are simply the result of a protocol design decision, but that doesn’t make it any less a vulnerability. An article discussing a new attack on social networking applications that effectively provides an opening through which personal data can be leaked was passed around the Internets recently. If you haven’t read “Abusing HTTP Status Codes to Expose Private Information” yet please do, it’s a good read and exposes, if you’ll pardon the pun, yet another “vulnerability by design” flaw that exists in many of the protocols that make the web go today. We, as an industry, spend a lot...

posted @ Friday, March 11, 2011 2:54 AM | Feedback (0)

You’re still asking the wrong questions about cloud computing. The city of Santa Clara is covered by a cloud this week, but not the kind of clouds most folks associate with California. CloudConnect 2011 is gearing up for a week of sessions and workshops, thought-provoking panels and general conversation on a topic that continues to be top of mind for everyone from press to analysts to IT professionals. “Everyone” is going to be there. Well, everyone but me. Now you might think that’s odd, that a co-chair of a track at a conference wouldn’t attend the show. My cohort...

posted @ Monday, March 07, 2011 3:09 AM | Feedback (3)

The claim a company is not a “true security company” because they don’t focus solely on security products is a red herring. If I ask you to define a true security company, you might tend to fall back on the most obvious answer, “Well, it’s a company that focuses on security.” And then I would ask, “Security of what?” And then you might answer, “Well, of whatever it is the product secures, of course.” Of course. What it boils down to is that the most common definition of a “security company” is one that focuses solely on providing solutions designed...

posted @ Monday, February 28, 2011 2:48 AM | Feedback (1)

Recognizing the relationship between and subsequently addressing the three core operational risks in the data center will result in a stronger operational posture. Risk is not a synonym for lack of security. Neither is managing risk a euphemism for information security. Risk – especially operational risk – comprises a lot more than just security. In operational terms, the chance of loss is not just about data/information, but of availability. Of performance. Of customer perception. Of critical business functions. Of productivity. Operational risk is not just about security, it’s about the potential damage incurred by a loss of availability or performance...

posted @ Monday, February 21, 2011 2:42 AM | Feedback (5)

Detecting attacks is good, being able to do something about it is better. F5 and Oracle take their collaborative relationship even further into the data center, integrating web application and database firewall solutions to improve protection against web and database-focused attacks. It is often the case that organizations heavily invested in security solutions designed to protect critical application infrastructure, such as the database, are unwilling to replace those solutions in favor of yet another solution. This is not necessarily a matter of functionality or trust, but a decision based on reliance on existing auditing and management solutions that are...

posted @ Friday, February 18, 2011 3:03 AM | Feedback (1)

Do you really need a firewall to secure web and application services? Some organizations would say no based on their experiences while others are sure to quail at the very thought of such an unnatural suggestion. Firewalls are, in most organizations, the first line of defense for web and application services. This is true whether those services are offered to the public or only to off-site employees via secure remote access. The firewall is, and has been, the primary foundation around which most network security architectures are built. We’ve spent years designing highly-available, redundant architectures that include the firewall....

posted @ Wednesday, February 16, 2011 3:02 AM | Feedback (7)

Cloud is about achieving a steady state where dynamism is the norm but actions and reactions are in perfect balance. It’s called “dynamic equilibrium” and you’ll need to pass Cloud Chemistry 101 to get there. When you were a kid you might have had a goldfish. It lived in a bowl of water and you fed it and if you were lucky it lived for quite a while. You certainly didn’t concern yourself with things like water quality (unless the water started turning green, of course) or pH or alkalinity or gas exchange rates. Circulation...

posted @ Wednesday, February 02, 2011 2:49 AM | Feedback (6)

Claiming SSL is not computationally expensive is like saying gas is not expensive when you don’t have to drive to work every day.  My car is eight years old this year. It has less than 30,000 miles on it. Yes, you heard that right, less than 30,000 miles. I don’t drive my car very often because, well, my commute is a short trip down two flights of stairs. I don’t need to go very far when I do drive it’s only ten miles or so round trip to the grocery store. So from my perspective, gas isn’t really very...

posted @ Monday, January 31, 2011 3:11 AM | Feedback (12)

Mobile users. cloud computing . End-runs around IT security by developers. The trend has always existed, it’s just speeding up now. IT needs to take back control – and fast. But first IT needs the tools with which to do that… Let’s ignore the horrible acting by Kevin Costner in “Robin Hood: Prince of Thieves” (I personally prefer Russell Crowe in the 2010 version but that’s me and unfortunately they cover two different periods of Robin Hood’s legendary life so we’re stuck with the lesser version) and let’s just focus on a couple key lines/concepts that are relevant to the...

posted @ Friday, January 28, 2011 3:25 AM | Feedback (1)

Cloning. Boomeranging. Trojan clouds. Start up CloudPassage takes aim at emerging attack surfaces but it’s still more about process than it is product. Before we go one paragraph further let’s start out by setting something straight: this is not a “cloud is insecure” or “cloud security – oh noes!” post. Cloud is involved, yes, but it’s not necessarily the source of the problem - that would be virtualization and processes (or a lack thereof). Emerging attack methods and botnet propagation techniques can just as easily be problematic for a virtualization-based private cloud as they are for public cloud. That’s because the...

posted @ Wednesday, January 26, 2011 12:00 AM | Feedback (1)

It used to be that “mobile” access implied “remote” access. That’s no longer true. As the variety of clients continue to expand along with the venues from which we users can access corporate resources the ability to intelligently enforce access-control policies also increases in strategic importance. Every time we add a new access method in the enterprise we go through a period in which we expend a lot of time and energy trying to figure out how to control that access. The consumerization of IT, for example, in which consumer-grade devices (gadgets) have been slowly but surely permeating every facet...

posted @ Tuesday, January 25, 2011 3:06 AM | Feedback (0)

Both are taken for granted but provide vital services without which you and your digital presence would be lost. In the case of DNS, that should be taken literally. Mom. She’s always there, isn’t she? She kissed away your bumps and bruises. You treated her like Google before you had access to the web and, like Google, she came through every time you needed to write a report on butterflies or beetles or the pyramids at Giza. You asked her questions, she always had an answer. You didn’t spend as much...

posted @ Monday, January 24, 2011 5:46 AM | Feedback (4)

It only takes one click …. Alan Shimel posted a question as a blog post last week regarding the usefulness of anti-virus products on desktops. I am pretty savvy, try to stay away from sites and links that I am not familiar with and don’t remember the last time I saw a warning from my AV product.  I run scan regularly and patch when I am supposed to as well.  So do I really need AV? If so is there any value to actually paying for one? ...

posted @ Monday, January 17, 2011 3:16 AM | Feedback (0)

You can put into place technology to mitigate and defend against the effects, but you can’t stop the attack from happening. In the wake of attacks that disrupted service to many popular sites in December the question on many folks’ minds was: how do you prevent such an attack? My answer to that question was – and continues to be – you can’t. You also can’t prevent an SQLi attack, or an XSS-based attack, or a DDoS directed at your DNS infrastructure. You cannot prevent an attack any more than you can prevent a burglar from targeting your house. You can make...

posted @ Thursday, January 06, 2011 2:49 AM | Feedback (0)

Use network-side scripting, of course! While just about every developer and information security professional knows that a buffer-overflow exploit can result in the execution of malicious code not many truly grok the “why”. Fortunately, it’s not really necessary for either one to be able to walk through the execution stack and trace the byte-code as it overwrites registers and then jumps to execute it. They know it’s A Very Bad Thing™ and perhaps more importantly they know how to stop it. SECONDARY and TERTIARY DEFENSE REQUIRED The best place to prevent a buffer-overflow vulnerability is in the application code. Never...

posted @ Monday, December 27, 2010 6:17 AM | Feedback (1)

Modern DoS attacks are distributed, diverse and cross the chasm that divides network components from application infrastructure. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks. The WikiLeaks attacks have taught us that information security strategies must evolve to keep up with the ever-changing attack vectors leveraged against web applications and web sites across the Internet. It’s no longer enough to protect against attack X or Y; it’s now necessary to protect against both – simultaneously. Because of the role F5 BIG-IP solutions play in application delivery...

posted @ Friday, December 17, 2010 3:25 AM | Feedback (2)

Many denial of service attacks boil down to the exploitation of how protocols work and are, in fact, very similar under the hood. Recognizing these themes is paramount to choosing the right solution to mitigate the attack. When you look across the “class” of attacks used to perpetrate a denial of service attack you start seeing patterns. These patterns are important in determining what resources are being targeted because it provides the means to implement solutions that mitigate the consumption of those resources while under an attack. Once you recognize the underlying cause of a service outage due to an...

posted @ Thursday, December 16, 2010 3:10 AM | Feedback (3)

It’s not just that attacks are distributed, but that attacks are also diverse in nature – up and down the stack, at the same time. If Anonymous has taught us anything it’s that the future of information security is in fending off attacks across the breadth and depth of the network stack – and the data center architecture – at the same time. Traditionally DDoS attacks are so-named because the clients are distributed; that is they take advantage of appearing to come from a variety of locations as a means to prevent detection and easy prevention. It’s about the...

posted @ Wednesday, December 15, 2010 2:59 AM | Feedback (2)

It’s time to stop talking about imaginary trolls under the cloud bridge and start talking about the real security challenges that exist in cloud computing. I’ve been watching with interest a Twitter stream of information coming out of the Gartner Data Center conference this week related to security. There have been many interesting tidbits that, as expected, are primarily focused on cloud computing and virtualization. That’s no surprise as both are top of mind for IT practitioners, C-level execs, and the market in general. Another unsurprise would...

posted @ Wednesday, December 08, 2010 3:22 AM | Feedback (2)

That’s “Improvise. Adapt. Overcome.” and it should be if it isn’t. The right tools can help you live up to that motto.  If you Google “Zeus Trojan” you’ll find a wealth of information. Unfortunately all that wealth appears to be draining into the bank accounts of miscreants leveraging the tenacious trojan to steal funds from organizations. Despite attempts by just about everyone to detect and prevent this nasty piece of software from infecting data centers around the world, it continues to mutate and wreak havoc across the globe. September 28, 2010: Fake...

posted @ Friday, December 03, 2010 3:29 AM | Feedback (0)

One of the universal truths about user adoption is that if performance degrades, they will kick and scream and ultimately destroy your project. Most VDI (Virtual Desktop Infrastructure) solutions today still make use of traditional thin-client protocols like RDP (Remote Desktop Protocol) as a means to enable communication between the client and their virtual desktop. Starting with VMware View 4.5, VMware introduced the high-performance PCoIP (PC over IP) communications protocol. While PCoIP is usually associated with rich media delivery, it is also useful in improving performance over distances. Such as the distances often associated with...

posted @ Wednesday, November 24, 2010 6:25 AM | Feedback (3)

Three shall be the number thou shalt count, and the number of the counting shall be three. If you’re concerned about maintaining application availability, then these three rules of thumb shall be the number of the counting. Any less and you’re asking for trouble. I like to glue animals to rocks and put disturbing amounts of electricity and saltwater NEXT TO EACH OTHER Last week I was checking out my saltwater reef when I noticed water lapping at the upper edges of the tank. Yeah, it was about to overflow. Somewhere in the system something had failed....

posted @ Wednesday, November 17, 2010 3:28 AM | Feedback (0)

There are many logical fallacies, some more recognizable than others. Today’s lesson is brought to you by the logical fallacy “equivocation” and the term “multi-tenant”. Definition: Equivocation is sliding between two or more different meanings of a single word or phrase that is important to the argument.   LOGIC DICTATES YOU SHOULD BACK UP and TRY AGAIN Say “cloud” and ask for a definition today and you’ll still get about 1.2 different answers for every three people in the room. It’s just a rather nebulous technology that’s hard to nail down and because it’s...

posted @ Wednesday, November 03, 2010 3:41 AM | Feedback (0)

Automation implies integration. Integration implies access. Access requires authentication and authorization. That’s where things start to get interesting… Discussions typically associated with application integration – particularly when integrating applications that are deployed off-premise – are going to happen in the infrastructure realm. It’s just a matter of time. That’s because many of the same challenges the world of enterprise application integration (EAI) has already suffered through (and is still suffering, right now, please send them a sympathy card) will rear up and meet the world of enterprise infrastructure integration head on (we’ll send you a sympathy card, as well). I’m...

posted @ Wednesday, October 27, 2010 3:08 AM | Feedback (1)

You may have heard the term “full-proxy architecture” or “dual stacks” thrown around in the context of infrastructure; here’s why that distinction is important.  When the terms “acceleration” and “optimization” in relation to application delivery are used it often evokes images of compression, caching, and similar technologies. Sometimes it even brings up a discussion on protocol optimization, which is really where things get interesting.  You see, caching and compression techniques are mostly about the content – the data – being transferred. Whether it’s making it smaller (and thus faster) or delivering it from...

posted @ Monday, October 25, 2010 5:30 AM | Feedback (1)

Catching bees with honey(pots) means they’re preoccupied with something other than stinging you. Pop quiz time…pencils ready? Go. Is it good or bad to block malicious requests? If your answer was “that depends on a lot of different factors” then pat yourself on the back. You done good. It may seem counterintuitive to answer “it’s bad to block malicious requests” but depending on the attacker and his goals it may very well be just that. MISSION IMPOSSIBLE No security solution is 100% guaranteed to prevent a breach (unless we’re talking about scissors) and most are simply designed to...

posted @ Friday, October 22, 2010 3:14 AM | Feedback (1)

Authentication is not enough. Authorization is a must for all integrated services – whether infrastructure components, applications, or management frameworks. If you’ve gone through the process of allowing an application access to Twitter or Facebook then you’ve probably seen OAuth in action. Last week a mini-storm was a brewing over such implementations, primarily regarding the “overly-broad permission structure” implemented by Twitter. Currently Twitter application developers are given 2 choices when registering their apps – they can either request “read-only access” or “read & write” access. For Twitter “read & write”...

posted @ Wednesday, October 20, 2010 3:13 AM | Feedback (4)

Need it you do, even if know it you do not. But you will…heh. You will. With all the attention being paid these days to VDI (virtual desktop infrastructure) and application virtualization and server virtualization and <insert type> virtualization it’s easy to forget about network-based application virtualization. But it’s the one virtualization technique you shouldn’t forget because it is a foundational technology upon which myriad other solutions will be enabled. WHAT IS NETWORK-BASED APPLICATION VIRTUALIZATION? This term may not be familiar to you but that’s because since its inception oh, more than a...

posted @ Monday, October 18, 2010 3:47 AM | Feedback (0)

If you’re going to test performance of anything make sure it’s actually doing what it’s designed to do. Race cars go really fast too – but they don’t get you anywhere but around and around in a big circle. Speed is important, especially in application delivery. We all know that the web monsters like Google and Amazon have studied and researched using real applications and users the impact of even a fraction of a second reduction in response time. It costs them money. Your users may not be quite so sensitive, but you’d rather not take the risk. At...

posted @ Wednesday, October 13, 2010 8:00 AM | Feedback (2)

“When crypto breaks, it usually breaks badly.” – Dennis Fisher, ThreatPost One of the most frustrating occurrences in information security is to discover that the security systems and technology being leveraged to protect applications and data is flawed: that it, itself, is vulnerable to attack and exploitation. This is particularly true in the cryptography realm, because as Dennis Fisher pointed out, when “crypto breaks, it usually breaks badly.” The “padding oracle” exploit is not, as the name implies, an attack on Oracle products. It is unfortunate for Oracle (as it has been for...
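An added, runnable example of the attack the teaser refers to (this is not code from the original post). A padding oracle needs nothing from the cipher except CBC mode, PKCS#7 padding and a server that answers “padding valid” and “padding invalid” distinguishably; the attacker recovers plaintext one byte at a time using only that bit, with no key. To keep the example dependency-free, a 4-round Feistel network built on SHA-256 stands in for AES (an assumption for illustration, since the attack does not depend on the block cipher at all); the sample plaintext is constructed. The last-byte edge case, where a hit could be `\x02\x02` rather than `\x01`, is handled explicitly.

```python
import hashlib
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 128-bit block cipher (assumption: a stand-in for AES; the attack never relies on its weakness).
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = pkcs7_pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    prev, out = ciphertext[:BLOCK], []
    for i in range(BLOCK, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return pkcs7_unpad(b"".join(out))

def make_padding_oracle(key: bytes):
    """The flaw: the server reveals whether padding was valid (distinct error page, status code or
    timing). One bit per query is all the attacker needs."""
    def oracle(ciphertext: bytes) -> bool:
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev_block: bytes, target: bytes) -> bytes:
    """Recover the plaintext of `target` given the block that precedes it, without the key."""
    intermediate = bytearray(BLOCK)  # D_k(target), learned from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):
            forged[k] = intermediate[k] ^ pad_val  # make the known tail decrypt to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Edge case: a hit here could be \x02\x02 (or longer) instead of \x01. Flipping the
                # byte before it keeps \x01 padding valid and breaks anything longer.
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check) + target):
                    continue
            intermediate[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted a guess; is it really a padding oracle?")
    return _xor(bytes(intermediate), prev_block)

def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)

def demo() -> bytes:
    key, iv = os.urandom(16), os.urandom(16)
    secret = b"viewstate-user=alice;role=admin"  # constructed sample plaintext
    return padding_oracle_attack(make_padding_oracle(key), cbc_encrypt(key, iv, secret))

if __name__ == "__main__":
    print(demo())
```

The fix is not a longer key: it is to authenticate the ciphertext (an HMAC checked before any decryption, or an AEAD mode) and to return one uniform error for every decryption failure, so the oracle disappears.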

posted @ Friday, October 01, 2010 3:16 AM | Feedback (0)

How about some integration, instead? A combined Oracle Access Manager and F5 BIG-IP Access Policy Manager solution is more scalable, more reliable, and easier to manage than any of the traditional three solutions. In the course of deploying applications it becomes necessary to ensure that only authenticated and authorized users have access to that application. Over time several solutions have been used to provide this capability, but each one comes with its own set of challenges. There is a fourth option, however, that’s arisen from understanding the limitations (and advantages) of each of...

posted @ Friday, September 17, 2010 3:26 AM | Feedback (0)

There’s a rarely mentioned move from 1024-bit to 2048-bit key lengths in the security demesne … are you ready? More importantly, are your infrastructure and applications ready? Everyone has likely read about DNSSEC and the exciting day on which the root servers were signed. In response to security concerns – and very valid ones at that – around the veracity of responses returned by DNS, which underpins the entire Internet, the practice of signing responses was introduced. Everyone who had anything to do with encryption and certificates said something about the initiative. But less mentioned was a move to leverage longer...

posted @ Friday, September 10, 2010 3:12 AM | Feedback (7)

Web 2.0 is about sharing content – user generated content. How do you enable that kind of collaboration without opening yourself up to the risk of infection? Turns out developers and administrators have a couple options… The goal of many a miscreant is to get files onto your boxen. The second step after that is often remote execution or merely the hopes that someone else will look at/execute the file and spread chaos (and viruses) across your internal network. It’s a malicious intent, to be sure, and makes developing/deploying Web 2.0 applications a risky proposition. After all, Web 2.0...
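An added example of the server-side option for the upload problem (not code from the original post): decide the file’s type from its bytes rather than from the name or the Content-Type the client sent, reject anything where the three disagree, never reuse the client’s filename, and only then store it. The accepted types, size ceiling and filename policy are assumptions for the example, and the sample inputs are constructed, not real files.

```python
import os
import re
import secrets
from typing import Dict, NamedTuple, Optional, Tuple

# Hypothetical policy: accepted types, the bytes each must start with, the Content-Type that
# should accompany it, and a size ceiling.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MIME = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "pdf": "application/pdf"}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")  # exactly one extension
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")                        # tripwire, not a guarantee

class Verdict(NamedTuple):
    accepted: bool
    reason: str
    stored_as: Optional[str]  # random name; the client's filename never touches the disk

def sniff_type(data: bytes) -> Optional[str]:
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None

def validate_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    # 1. The client's path is untrusted: keep only the basename and insist on "name.ext".
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return Verdict(False, "filename rejected", None)
    ext = base.rsplit(".", 1)[1].lower()
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return Verdict(False, f"extension .{ext} not allowed", None)
    # 2. Bound the size before doing anything with the bytes.
    if not data or len(data) > MAX_BYTES:
        return Verdict(False, "empty or oversized", None)
    # 3. The bytes decide the type; extension and Content-Type must agree with them.
    actual = sniff_type(data)
    if actual is None:
        return Verdict(False, "content does not match any allowed type", None)
    if actual != ext:
        return Verdict(False, f"extension says {ext} but content is {actual}", None)
    declared = declared_type.split(";")[0].strip().lower()
    if declared != MIME[actual]:
        return Verdict(False, f"Content-Type {declared} disagrees with content {MIME[actual]}", None)
    # 4. Cheap tripwire for image/script polyglots. The real protection is storing the file outside
    #    the web root under a random name and serving it with a fixed Content-Type and nosniff.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return Verdict(False, "embedded script marker", None)
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{actual}")

# Constructed inputs (not real files) covering the cases the text worries about.
SAMPLES = {
    "ok_png": ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    "php_as_png": ("shell.png", "image/png", b"<?php system($_GET['c']); ?>"),
    "polyglot": ("pic.gif", "image/gif", b"GIF89a" + b"\x01" * 10 + b"<?php echo 1; ?>"),
    "traversal": ("../../var/www/html/job.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "double_ext": ("photo.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "ext_lies": ("notes.pdf", "application/pdf", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "type_lies": ("a.png", "text/html", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
}

def run_samples() -> Dict[str, Verdict]:
    return {name: validate_upload(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict.accepted!s:5} {verdict.reason}")
```

Note that the traversal sample is accepted: the directory part is discarded and the stored name is random, so the path the client supplied has no influence on where the file lands. SVG is deliberately absent from the allow-list because it can carry script.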

posted @ Friday, August 27, 2010 3:12 AM | Feedback (3)

The fallacy of security is that simplicity or availability of the solution has anything to do with time to resolution. The announcement of the discovery of a way in which an old vulnerability might be exploited gained a lot of attention because of the potential impact on Web 2.0 and social networking sites that rely upon OAuth and OpenId, both of which use affected libraries. What was more interesting to me, however, was the admission by developers that the “fix” for this vulnerability would take only “six lines of code”, essentially implying a “quick fix.” ...

posted @ Wednesday, August 11, 2010 3:58 AM | Feedback (0)

Defeating modern attacks – even distributed ones – isn’t the problem. The problem is detecting them in the first place. Last week researchers claimed they’ve discovered a way to exploit a basic security flaw that’s used in software that’s in high use by Web 2.0 applications to essentially support if not single-sign on then the next best thing – a single source of online identity. The prevalence of OAuth and OpenID across the Web 2.0 application realm could potentially be impacted (and not in a good way) if the flaw were to be exploited. Apparently a similar...

posted @ Monday, July 19, 2010 4:15 AM | Feedback (0)

Detecting bots requires more than a simple USER_AGENT check today… Anyone who’s taken an artificial intelligence class in college or grad school knows all about the Turing Test. If you aren’t familiar with the concept, it was a “test proposed by Alan Turing in his 1950 paper Computing Machinery and Intelligence, which opens with the words: "I propose to consider the question, 'Can machines think?'" Traditional Turing Tests always involve three players, and the goal is to fool a human interviewer such that the interviewer cannot determine which of the two players is human and which...
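As an added example (not from the original post) of what “more than a USER_AGENT check” can look like, the script below scores each client address on behaviour alone: request rate, whether it ever fetched the stylesheets, scripts and images a real browser loads alongside a page, whether it sends an Accept-Language header, whether it requested a trap URL that is linked invisibly and disallowed in robots.txt, and whether the User-Agent string rotates. The log format (JSON lines with these field names), the trap path and the thresholds are assumptions for the example, and the traffic is constructed.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumptions for this example: the site links an invisible URL that robots.txt disallows, so only a
# crawler that ignores robots.txt requests it; logs are JSON lines with the fields used below.
TRAP_PATHS = {"/trap/do-not-follow"}
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")

def group_by_ip(lines: List[str]) -> Dict[str, List[dict]]:
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        by_ip[rec["ip"]].append(rec)
    return by_ip

def score_client(recs: List[dict]) -> Tuple[int, List[str]]:
    """Behavioural signals; none of them trusts what the User-Agent string claims."""
    recs = sorted(recs, key=lambda r: r["t"])
    score, why = 0, []
    span = max(recs[-1]["t"] - recs[0]["t"], 1.0)
    rate = len(recs) / span
    if rate > 5:
        score += 3
        why.append(f"{rate:.1f} req/s")
    pages = [r for r in recs if not r["path"].endswith(ASSET_SUFFIXES)]
    if len(pages) >= 5 and len(pages) == len(recs):
        score += 2
        why.append("fetched HTML only, never a stylesheet/script/image")
    if not any(r.get("accept_language") for r in recs):
        score += 2
        why.append("no Accept-Language header")
    if any(r["path"] in TRAP_PATHS for r in recs):
        score += 4
        why.append("requested a trap URL disallowed in robots.txt")
    if len({r["ua"] for r in recs}) > 1:
        score += 2
        why.append("rotating User-Agent from one address")
    return score, why

def classify(lines: List[str], threshold: int = 5) -> Dict[str, Tuple[str, int, List[str]]]:
    out = {}
    for ip, recs in group_by_ip(lines).items():
        score, why = score_client(recs)
        out[ip] = ("bot" if score >= threshold else "human", score, why)
    return out

def sample_log() -> List[str]:
    """Constructed traffic: a browsing human and a scraper whose User-Agent claims to be Chrome."""
    lines = []
    ua_h = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
    for i, page in enumerate(["/", "/pricing", "/docs", "/contact"]):
        t = 1700000000.0 + i * 10
        lines.append(json.dumps({"ip": "203.0.113.10", "t": t, "path": page, "ua": ua_h,
                                 "referer": "https://www.example.com/" if i else "",
                                 "accept_language": "en-US,en;q=0.8"}))
        for asset in ("/static/app.css", "/static/app.js", "/static/logo.png"):
            lines.append(json.dumps({"ip": "203.0.113.10", "t": t + 0.2, "path": asset, "ua": ua_h,
                                     "referer": "https://www.example.com" + page,
                                     "accept_language": "en-US,en;q=0.8"}))
    ua_b = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"
    for i in range(30):
        lines.append(json.dumps({"ip": "198.51.100.7", "t": 1700000100.0 + i * 0.1,
                                 "path": f"/product/{i}", "ua": ua_b, "referer": ""}))
    lines.append(json.dumps({"ip": "198.51.100.7", "t": 1700000103.5,
                             "path": "/trap/do-not-follow", "ua": ua_b, "referer": ""}))
    return lines

if __name__ == "__main__":
    for ip, (verdict, score, why) in classify(sample_log()).items():
        print(ip, verdict, score, "; ".join(why))
```

Each signal on its own is weak (a text browser fetches no images, a privacy proxy strips Accept-Language), which is why they are summed against a threshold rather than treated as proof; the trap URL is the strongest single signal because a human cannot reach it.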

posted @ Friday, July 16, 2010 4:08 AM | Feedback (1)

Security risks are not always indicative of a lack of faith in the provider’s competency but about, well, risk. IDC recently conducted another cloud survey and [feign gasp of surprise here] security risks topped a healthy list of concerns that, according to the survey, outweighed cloud computing benefits.   While growing numbers of businesses understand the advantages of embracing cloud computing, they are more concerned about the risks involved, as a survey released at a cloud conference in Silicon Valley shows. Respondents showed greater concern about the risks associated with cloud...

posted @ Monday, June 28, 2010 4:59 AM | Feedback (0)

From mammoth hunting to military maneuvers to the datacenter, the key to success is control. Recalling your elementary school lessons, you’ll probably remember that mammoths were large and dangerous creatures and like most animals they were quite deadly to primitive man. But yet man found a way to hunt them effectively and, we assume, with more than a small degree of success as we are still here and, well, the mammoths aren’t. [Image: Marx Cavemen. Photo and artwork: Fred R Hinojosa.] The theory of how man successfully hunted ginormous creatures...

posted @ Thursday, June 17, 2010 3:29 AM | Feedback (7)

Scott Sanchez recently rebutted the argument that “Cloud Isn’t Secure Because It Is Multi-Tenant” by pointing out that “internal data centers are multi-tenant today, and you aren’t managing them as well as a public cloud is managed.” Despite the truth of that statement, his argument doesn’t take into consideration that multi-tenant cloud security isn’t just about the risks of the model, it’s about the neighbors. After all, there’s no such thing as a “renters association” that has the right to screen candidate tenants before they move in and start drinking beer on their shared, digital lawn in...

posted @ Wednesday, June 09, 2010 3:33 AM | Feedback (1)

Virtual Desktop Infrastructure (VDI) is designed to deliver virtual, managed desktops in the corporate environment. There are many benefits to this model, especially when applied to traditionally high-maintenance desktops in call centers where users may not be technically savvy and insist on, oh, changing the fonts and background to be black and then calling the help desk to “fix” the problem*. Fixing the problem becomes a simple case of pushing the clean desktop to the user. But as VDI broadens its use from limited, internal deployments to off-site deployments supporting remote workers and disaster...

posted @ Friday, May 21, 2010 3:17 AM | Feedback (2)

Extending identity management into the cloud. The focus of several questions I was asked at Interop involved identity management and application access in a cloud computing environment. This makes sense; not all applications that will be deployed in a public cloud environment are going to be “customer” or “market” focused. Some will certainly be departmental or business unit applications designed to be used by employees and thus require a certain amount of access control and integration with existing identity management stores, like Active Directory. Interestingly F5 isn’t the only one...

posted @ Friday, May 14, 2010 3:43 AM | Feedback (1)

The Internets are full of bad advice. Some is harmless, but some is downright dangerous, especially when it isn’t bad advice per se but rather shall we say, incomplete. Suggesting that you should only provide personal information to sites that use HTTPS is an example of the latter kind, because it implies that as long as a web application is using SSL for transport layer (network) security then it is safe to give up your private, personal, information. Because miscreants would never set up a phishing site and enable SSL. Because SSL somehow magically strips out malicious SQL...
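To make the second point concrete, an added example (not code from the original post): the same login check written two ways against a constructed in-memory SQLite table. Whether the request arrived over HTTPS has no bearing on what happens, because in the vulnerable form the attacker’s input becomes part of the SQL itself; in the parameterized form the query structure is fixed before any input is seen. The table stores plaintext passwords purely to keep the example short (a real store compares a password hash).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # The attacker's string *is* the query. TLS encrypted it faithfully all the way here.
    q = f"SELECT 1 FROM users WHERE name = '{username}' AND password = '{password}'"
    return db.execute(q).fetchone() is not None

def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders are bound as data by the driver; no input can change the statement's shape.
    q = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(q, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "x' OR '1'='1"), ("alice'--", "")]:
        print(f"{user!r:12} {pw!r:16} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)}")
```

The `'--` variant shows the second classic shape: the closing quote ends the string literal early and the comment marker discards the password clause entirely.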

posted @ Wednesday, May 12, 2010 4:53 AM | Feedback (1)

Or in modern technical terms, don’t throw the software out with the hardware. Geva Perry recently questioned one of Gartner’s core predictions for 2010, namely that “By 2012, 20 percent of businesses will own no IT assets.” Geva asks a few (very pertinent) questions regarding this prediction that got me re-reading the prediction. Let’s all look at it one more time, shall we? By 2012, 20 percent of businesses will own no IT assets. Several interrelated trends are driving the movement toward decreased IT hardware assets, such as virtualization, cloud-enabled services, and employees...

posted @ Monday, May 10, 2010 3:51 AM | Feedback (1)

Never never trust content from a user, even if that user is another application. Web 2.0 is as much about integration as it is interactivity. Thus it’s no surprise that an increasing number of organizations are including a feed of their recent Twitter activity on their site. But like any user generated content, and it is user generated after all, there’s a potential risk to the organization and its visitors from integrating such content without validation. A recent political effort in the UK included launching a web site that integrated a live Twitter stream based on a particular hashtag....

posted @ Thursday, March 25, 2010 3:22 AM | Feedback (1)

Options to put a stop to the latest mutation of the Pushdo trojan. The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them. I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No, you didn't read that wrong: that is millions of hits and hundreds of thousands of IP addresses. This...

posted @ Tuesday, March 23, 2010 3:13 AM | Feedback (0)

There are two kinds of privacy. Only one is the responsibility of vendors and providers to ensure. The rest is up to you. Regulations like HIPAA and PCI-DSS are designed to guarantee that electronic personally identifiable information, or PII in the vernacular, stored by providers is safeguarded against theft or accidental disclosure. They are not designed to provide consumers with any kind of “social gag” that might alert them they are offering up information or photographs the likes of which they may later regret sharing. While social networking sites like Facebook now provide “privacy” options that allow consumers to control who...

posted @ Thursday, March 18, 2010 5:47 AM | Feedback (2)

“Security” concerns continue to top every cloud computing related survey. This could be because, well, CIOs and organizations in general are concerned about security. It could be because the broader question of control over the infrastructure – including security – is never proffered as a reason for reluctance to jump into the fray known as cloud computing. Forty-nine percent of survey respondents from enterprises and 51 percent from small and medium-size businesses cited security and privacy concerns as their top reason for not using cloud computing. – Survey: Security Concerns Hinder Cloud Computing Adoption, NetCentric...

posted @ Monday, March 08, 2010 5:07 AM | Feedback (1)

The current threat level is … the same as it was yesterday, and the day before, and will be tomorrow. We’ve all been in the airport before and heard the announcement. “The current threat level is orange. Blah blah blah blah yada yada whatever.” At least that’s what I hear today because I’ve become immune to the fact that “orange” means there’s a threat. There’s always a threat, it seems, and the announcement simply conveys what appears to many of us to be the “status quo.” We have effectively been desensitized to a “higher” threat level as...

posted @ Friday, March 05, 2010 3:48 AM | Feedback (0)

The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center. I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies for my mobile phone web access? Or am I the one that’s currently assigned to my laptop – the one that will change tomorrow because today I am...

posted @ Thursday, March 04, 2010 3:54 AM | Feedback (4)

The W3C specification now offers the means by which cross-origin AJAX requests can be achieved. Leveraging network and application network services in conjunction with application-specific logic improves security of allowing cross-domain requests and has some hidden efficiency benefits, too. The latest version of the W3C working draft on “Cross-Origin Resource Sharing” lays out the means by which a developer can use XMLHTTPRequest (in Firefox) or XDomainRequest (in IE8) to make cross-site requests. As is often the case, the solution is implemented by extending HTTP headers, which makes the specification completely backwards and cross-platform compatible even if the...
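The browser side of CORS is only half of it; the response headers the server emits are what actually grant or deny the cross-origin read. As an added example (not from the original post), here is the server-side logic in Python, showing the common mistake of reflecting whatever `Origin` arrives alongside an allow-list version that handles the preflight. The origin allow-list, permitted methods and headers are assumptions for the example; in practice they belong in configuration.

```python
from typing import Dict

# Hypothetical allow-list for this example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization", "x-requested-with"}

def cors_headers_reflect_any(req: Dict[str, str]) -> Dict[str, str]:
    """The common mistake: echo whatever Origin arrives and allow credentials with it. Any site the
    user visits can then read authenticated responses from this API."""
    origin = req.get("Origin")
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

def cors_headers(method: str, req: Dict[str, str]) -> Dict[str, str]:
    """Allow-list version. Returns the CORS response headers for this request, or {} to give the
    browser nothing (same-origin and non-browser clients are unaffected either way)."""
    origin = req.get("Origin")
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}  # exact match only; no endswith("example.com") style shortcuts
    headers = {
        "Access-Control-Allow-Origin": origin,        # never "*" together with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                              # caches must not reuse one origin's answer
    }
    if method == "OPTIONS":                            # preflight
        wanted = req.get("Access-Control-Request-Method", "")
        if wanted not in ALLOWED_METHODS:
            return {}
        asked = [h.strip().lower()
                 for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
        if any(h not in ALLOWED_REQUEST_HEADERS for h in asked):
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        if asked:
            headers["Access-Control-Allow-Headers"] = ", ".join(asked)
        headers["Access-Control-Max-Age"] = "600"
    return headers

if __name__ == "__main__":
    print(cors_headers("OPTIONS", {"Origin": "https://app.example.com",
                                   "Access-Control-Request-Method": "PUT",
                                   "Access-Control-Request-Headers": "Content-Type, Authorization"}))
    print(cors_headers("GET", {"Origin": "https://evil.example.net"}))            # {}
    print(cors_headers_reflect_any({"Origin": "https://evil.example.net"}))       # reflected
```

Returning `{}` rather than an error for a disallowed origin is deliberate: the server still answers, the browser simply refuses to hand the response to the calling script, which is the behaviour the specification intends.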

posted @ Tuesday, February 09, 2010 4:18 AM | Feedback (3)

Using HTTP headers and default browser protocol handlers provides an opportunity to rediscover the usability and simplicity of the mailto protocol. Over the last decade it's become unsafe to use the mailto protocol on a website due to e-mail harvesters and web scraping. No one wants to put their e-mail address out on teh Internets because two minutes after doing so you end up on a trillion SPAM lists and the next thing you know you're changing your e-mail address. But people still wanted to share contact information, so it became common practice to spell out your e-mail address, such...

posted @ Thursday, January 28, 2010 3:07 AM | Feedback (3)

In the wake of Google’s revelation that its GMail service had been repeatedly attacked over the past year the search engine goliath announced it would be moving to HTTPS (HTTP over SSL) by default for all GMail connections. For users, nothing much changes except that all communication with GMail will be encrypted in transit using industry standard SSL, regardless of whether they ask for it by specifying HTTPS as a protocol or not. In the industry we generally refer to this as an HTTPS redirect, and it’s often implemented by automatically rewriting the URI using a load balancing /...

posted @ Friday, January 15, 2010 3:10 AM | Feedback (5)

Being an efficient developer often means abstracting functionality such that a single function can be applied to a variety of uses across an application. Even as this decreases risk of errors, time to develop, and the attack surface necessary to secure the application it also makes implementing security more difficult. Over the holidays I had the opportunity to do some coding on my latest web application project. I won’t bore you with the details of what it is because it’s to support a hobby of Don and mine except to say that it’s running on a LAMP stack...

posted @ Thursday, January 07, 2010 3:58 AM | Feedback (5)

If it is, you might want to reconsider how you’re handling security, acceleration, and delivery of your applications before users “go postal” because of poor application performance. Sometimes wisdom comes from the most unexpected places. Take Jason Rahm’s status update on Facebook over the holidays. He’s got what is likely a common complaint regarding the delivery model of the US postal service: the inefficiency of where postage due is determined. Everyone has certainly had the experience of sending out a letter (you know, those paper things) and having it returned a week or more later...

posted @ Wednesday, January 06, 2010 3:19 AM | Feedback (2)

We’ve been talking about “aligning IT with the business” since SOA first took legs but you rarely see CONCRETE EXAMPLES OF WHAT THAT REALLY MEANS. It sounds much more grand and lofty than it really is. To put it in layman’s terms, or at least take it out of marketing terms, aligning IT with the business is really nothing more than justifying or tying a particular IT investment or project to a specific business goal. What that means ultimately is that you, as an IT professional, must understand what those business goals are in the first place. Once...

posted @ Wednesday, December 30, 2009 5:11 AM | Feedback (0)

Here comes St. Beaker and Santa Cloud … Twas two weeks past deployment and all through the house Echoed taps on a keyboard and clicks from a mouse The apps were all running inside VMware In hopes compute resources soon would they share. The dashboard showed statuses green and not red our admins had thoughts of going home in their heads The director was ready to call it a wrap and I began...

posted @ Wednesday, December 23, 2009 6:06 AM | Feedback (2)

An e-mail exchange with Kay Kinton, a spokesperson for Amazon, on the subject of Amazon and its recent run-in with the Zeus botnet controller, raised two very interesting and valid points. First, there is a fine balance that must be maintained by providers – cloud or traditional hosting – regarding the privacy of applications and data deployed by customers and monitoring/security. Second, Kay points out that it’s easier in the EC2 environment, at least, to disable botnets once they are discovered. The second point is one that appears on the surface to be true but I’m not entirely...

posted @ Friday, December 18, 2009 3:16 AM | Feedback (1)

Cloud computing environments are just as suited to illegitimate use as legitimate use. Do providers need a way to separate the chaff from the wheat to reassure enterprise-class customers that they’re doing everything they can to eliminate the hijacking of cloud computing resources for nefarious purposes? One of the negatives of being the technology darling du jour is that every misstep, problem, and outage is immediately jumped on and reported everywhere. Amazon is particularly susceptible to such coverage, being recognized as one of the leaders in public cloud computing. Last week Amazon suffered yet another outage, true, but...

posted @ Tuesday, December 15, 2009 3:42 AM | Feedback (6)

A recent tweet about a free, Linux-based XML Security suite reminded me that we do not opine on the subject of XML security and its importance enough. SOA has certainly been dethroned as the technology darling du jour by cloud computing and virtualization and with that forced abdication has unfortunately also come a reduction in the focus on XML and security. That’s particularly disturbing when you recognize that what’s replaced SOA – primarily WOA and RESTful APIs – exchange data primarily via one of two formats: XML and JSON. Whether you prefer one over the other is...

posted @ Friday, December 11, 2009 3:51 AM | Feedback (2)

Should the enterprise standardize on JSON or XML as their lingua franca for Web 2.0 integration? Or should they use both as best fits the application? The decision impacts more than just integration – it resounds across the entire infrastructure and impacts everything from security to performance to availability of those applications. One of the things a developer may or may not have control over when building enterprise applications is the format of the data used to communicate (integrate) with other applications. Increasingly services external to the enterprise are very Web 2.0 in that they provide HTTP-based APIs for integration that...

posted @ Thursday, December 10, 2009 3:56 AM | Feedback (6)

The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure Contingency    School of Magic: Evocation    Components: Somatic (requires gestures), Material (requires physical component)    Saving Throw: None    Spell Resistance: No Through the use of the contingency spell, application delivery professionals can dictate the conditions...

posted @ Monday, December 07, 2009 3:37 AM | Feedback (8)

Certainly no one would seriously argue that web applications are fast enough for everyone. SPDY is one suggested solution, but what if we combine MapReduce and SPDY? Could we develop an architectural solution that leverages the best of SPDY without requiring entire infrastructure changes to support a new protocol? More than a couple of people have mentioned Map/Reduce as a means to achieve workload-level distribution of applications in a cloud computing environment. I hadn’t looked into Map/Reduce but finally decided that if that many very smart people were thinking it was a solution, I should look into it....

posted @ Wednesday, December 02, 2009 3:14 AM | Feedback (0)

Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting this criteria are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...

posted @ Monday, November 30, 2009 4:47 AM | Feedback (1)

With any luck I am already AFK for a visit with Don’s mother and his family for Thanksgiving. And I’m really (really, I swear) going to be AFK (away from keyboard) for the entire time. Really. I’m serious this time, stop looking at me like that. Ever heard of “pre-publishing?” So while I’m out, you might need something to read. And if so, you might want something you can read two or three times because, well, it was that entertaining. If that’s the case, I highly recommend you give “BSOFH:  Catering to a niche...

posted @ Wednesday, November 25, 2009 8:53 AM | Feedback (0)

The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure Detect Invisible (Application) Stalkers    School of Magic: Abjuration (Protective Spells)    Components: Somatic (requires gestures), Material (requires physical component)    Casting Time: special    Range: Layers 3-7    Area: global    Duration: Until discharged ...

posted @ Monday, November 23, 2009 3:58 AM | Feedback (2)

Sometimes the best answer to a problem is to hit the reset button, but it should probably be the last answer, not the first. My cohort Pete Silva attended the 2009 Cloud Computing and Virtualization Conference & Expo and offered up a summary of one of the sessions he enjoyed (‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf)) in a recent post, “Virtualization is Real”: One of the sessions I enjoyed was ‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief...

posted @ Friday, November 20, 2009 4:15 AM | Feedback (4)

Whenever keys, certificates, and PKI enter into a security solution’s architecture the solution almost always becomes overly complex. DNSSEC is no exception, but it doesn’t have to be. DNS plays a role in every application on the Internet. It is the 411 of the Internet, essentially, without which the millions of users that don’t memorize the IP addresses associated with domain names would be utterly lost. But DNS is vulnerable to exploitation and has, in fact, been exploited in the past. Like any core infrastructure upon which we depend to conduct business, communicate, and generally entertain ourselves, it...

posted @ Wednesday, November 18, 2009 3:44 AM | Feedback (5)

Google’s desire to speed up the web via a new protocol is laudable, but the SPDY protocol would require massive changes across networks to support. ArsTechnica had an interesting article on one of Google’s latest projects, a new web protocol designed to replace HTTP called SPDY. SPDY uses a single SSL-encrypted session between a browser and a client, and then compresses all the request/response overhead. The requests, responses, and data are all put into frames that are multiplexed over the one connection. This makes it possible to send a higher-priority small file without...

posted @ Tuesday, November 17, 2009 4:20 AM | Feedback (2)

The question is whether that impact is positive (a reduction) or negative (an increase). One of the biggest threats to data integrity is the introduction of malicious content via SQLi (SQL Injection) attacks. Traditional database access methods don’t provide a lot in the way of validating requests and like HTML the vagaries of SQL allow for myriad ways in which a statement can be constructed – and thus exploited. These vagaries, of course, are one factor in the reason why SQLi continues to plague applications and sites driven by user generated content. Another factor is certainly...

posted @ Monday, November 16, 2009 4:52 AM | Feedback (3)

Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed. Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution. No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability...

posted @ Friday, November 06, 2009 12:30 PM | Feedback (4)

While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases. A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. ...

posted @ Friday, November 06, 2009 3:43 AM | Feedback (9)

Brute force attacks by spammers seeking easy access causing frustration for users with no resolution in sight. At least once a day I see someone on Twitter broadcast that they have been “locked out of their Twitter account, temporarily.” A search for “locked out” returns thousands of tweets with a good mixture of some folks who’ve (amusingly) been locked out of apartments/houses/buildings and many that have been temporarily locked out of Twitter. The more technically savvy tweeters like Ray Valdes often mention that it is most likely the result of spammers and miscreants attempting to brute force their...

posted @ Thursday, November 05, 2009 3:27 AM | Feedback (1)

All the applause over Google’s Data Liberation Front announcement and blogs is making my head hurt. Or maybe that’s the lack of sleep. Either way, it’s disconcerting to me that so many bright people are choosing to make much of what is just a baby step – if that - toward a much larger, much more difficult goal. After all, data without an application to interpret and make use of it is about as useful as a Netbook without a network connection. There seems to suddenly be a lot of focus on “data” and the ability for...

posted @ Tuesday, October 20, 2009 3:14 AM | Feedback (0)

A lack of ability in the cloud to distinguish illegitimate from legitimate requests could lead to unanticipated costs in the wake of an attack. How do you put a price on uptime and more importantly, who should pay for it? A “Perfect Cloud”, in my opinion, would be one in which the cloud provider’s infrastructure intelligently manages availability and performance such that when it’s necessary new instances of an application are launched to ensure meeting the customer’s defined performance and availability thresholds. You know, on-demand scalability that requires no manual intervention. It just “happens” the way it should....

posted @ Friday, October 16, 2009 3:15 AM | Feedback (19)

Amazon’s ELB is an exciting mix of well-executed infrastructure 2.0 and the proper application of SOA, but it takes a lot of work to make anything infrastructure look that easy. The notion of Elastic Load Balancing, as recently brought to public attention by Amazon’s offering of the capability, is nothing new. The basic concept is pure Infrastructure 2.0 and the functionality offered via the API has long been available on several application delivery controllers for many years. In fact, looking through the options for Amazon’s offering leaves me feeling a bit, oh, 1999. As if load balancing hasn’t...

posted @ Thursday, October 15, 2009 3:50 AM | Feedback (3)

Malicious links served up in a browser are OS agnostic. They don’t care about the OS because the target is people, not technology. In response to the problem of links and trust put forth in a recent post a reader replies that the answer to “evil links” is simply to run Linux instead of Windows. the very best solution is to run something other than windows, and with ubuntu at its current state of maturity (and free-ness), why wouldn't you? I won’t disagree with the assessment of Ubuntu and its current...

posted @ Friday, October 02, 2009 5:04 AM | Feedback (5)

There are few things in reality that can match The Gazebo in its ability to evoke fear and suspicion amongst gamers. The links on your web site may be one of them. In the history of Dungeons and Dragons there exists the urban legend known to all as “The Gazebo.” The Gazebo, over the years, has become a gaming euphemism for a situation in which people over analyze and overestimate the risk involved with interacting with some “thing”. In the case of The Gazebo the “thing” was, as you might guess, a gazebo. Yes, a simple wooden...

posted @ Thursday, October 01, 2009 4:07 AM | Feedback (9)

If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions. There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security...

posted @ Monday, September 28, 2009 3:50 AM | Feedback (6)

Commoditized from solution to feature, from feature to function, load balancing is no longer a solution but rather a function of more advanced solutions that’s still an integral component for highly-available, fault-tolerant applications. Unashamed Parody of Monty Python and the Holy Grail Load balancers: I'm not dead. The Market: 'Ere, it says it’s not dead. Analysts: Yes it is. Load balancers: I'm not. The Market: It isn't. Analysts: Well, it will be soon,...

posted @ Thursday, September 17, 2009 4:00 AM | Feedback (1)

Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security. A new law signed into effect in February 2009 requires that health care providers and organizations subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject. Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com...

posted @ Wednesday, September 09, 2009 3:24 AM | Feedback (6)

There is no reason in a modern web application for users to see a white error page. Sightings of the Twitter “fail whale” are, these days, fewer and far between. That’s a good thing. What’s interesting is that when it does show up, users are almost amused – as if they’re glad to see an old friend. I mean, come on; Twitter’s users named the whale, for crying out loud. How many of your users have a fan club for your error pages? Exactly. That’s the kind of reaction you want from HTTP errors but what you...

posted @ Thursday, September 03, 2009 2:52 AM | Feedback (12)

Why would miscreants bother with other routes when they can go straight to the source? People concerned with security of the cloud are generally worried about illegitimate access of the applications and data they may deploy in the cloud. That’s a valid concern given the needs of certain vertical industries to comply with privacy-focused regulations like HIPAA and PCI DSS. It’s an extremely valid concern given research and studies showing just how vulnerable most web sites and applications are. Hint: it’s more than you probably think it is, and it’s likely your application is vulnerable...

posted @ Tuesday, September 01, 2009 3:32 AM | Feedback (4)

Cloud changes how we deliver applications but we’re still delivering applications. With all the hype around cloud it’s easy to get caught up in deployment models and architectures and how much money it is/is not going to save us and, of course, with the cool factor that always surrounds such innovation. But when we get our heads too far up in the clouds we forget what we’re really doing: delivering applications. Whether it’s thin-client, fat-client, browser-based, client/server, three-tier, n-tier, traditional, .NET, Java EE, or cloud we are still all focused on the same goal: deliver an application. ...

posted @ Thursday, August 27, 2009 3:57 AM | Feedback (2)

Amazon EC2 and S3 are no more or less safe than they were last week despite hype around PCI compliance admission. The recent admission/announcement that “Amazon EC2 is not PCI compliant” (this is not exactly true, but we’ll get to that later) has set off a rush of blogs, articles, and tweets that say, in effect, EC2 is no longer “safe”. But a lack of compliance does not make Amazon any more or less safe than achieving PCI compliance makes a site more safe. Ladies and gentlemen of the Internet, I submit as proof the...

posted @ Tuesday, August 18, 2009 3:29 AM | Feedback (2)

Back when I was developing GIS data translation software I had to fight security all the time. My desktop was so locked down I couldn’t compile the code because I didn’t even have appropriate permission to access the file system. Why? The guy in charge of security was so paranoid about someone doing something they shouldn’t that he completely missed the other half of his responsibility: ensuring people had access to data and information and systems to which they legitimately had a need to access. The potential impact of a data/security breach is so high these days that...

posted @ Wednesday, August 12, 2009 3:45 AM | Feedback (5)

If they can take down Twitter via DNS, they can take your site, too. Everyone is talking about the DoS (Denial of Service) attack on Twitter but most of them are missing what really happened. We’re so used to defending against HTTP-based DoS attacks that we’ve missed that it’s much easier to DoS a site based on the most critical piece of infrastructure on the Internet: DNS. If you really wanted to take out a site like Twitter or Facebook using an HTTP-based DoS it would take a whole lot of serious traffic because those sites are designed and architected...

posted @ Thursday, August 06, 2009 2:40 PM | Feedback (5)

For some companies there’s never been a quantifiable financial impact from attacks. Cloud may change that. One of the frustrations with information security is that it’s always difficult – if not impossible – to quantify risk. Without the ability to quantify risk, it’s often the case that solutions that would mitigate the risk are left unimplemented because there’s no way to prove that the risk would turn into a breach, downtime, or other revenue impacting incident. Take the recent PayPal outage. Estimates are that the hour of downtime for the payment processing king might have...

posted @ Wednesday, August 05, 2009 3:37 AM | Feedback (4)

The importance of a full-proxy architecture to application delivery, security, cloud computing, and virtualization. People often describe the act of changing focus from one related but distinct task to another as “wearing two different hats.” Like moving from “developer” to “administrator” when you’re trying to deploy an application in a testing environment. You’re the developer, but then you have to “switch gears” and become a server administrator in order to ensure that the application server and its environment is configured properly before you can actually test the application you just wrote. But the metaphor...

posted @ Thursday, July 30, 2009 4:07 AM | Feedback (1)

Context, it’s always about context (or the lack thereof). I received a call recently that most people have probably received: our banking institution just wanted to verify that yes, that was Don or I making purchases at midnight in Wisconsin and then later in Indiana and yet again that afternoon in Ohio. That’s a good thing, I’m sure, as they’re just trying to watch our back. But later in the day I tried to make a purchase and was, horror of horrors, denied. The bank, when called, seemed matter-of-fact about the situation. The security flag hadn’t been...

posted @ Wednesday, July 29, 2009 4:34 AM | Feedback (3)

Notice that isn’t a question, it’s a statement of fact. Twitter is having a bad month. After it was blamed, albeit incorrectly, for a breach leading to the disclosure of both personal and corporate information via Google’s GMail and Apps, its apparent willingness to allow anyone and everyone access to a .htaccess file ostensibly protecting search.twitter.com made the rounds via, ironically, Twitter. This vulnerability at first glance appears fairly innocuous, until you realize just how much information can be placed in an .htaccess file that could have been exposed by this technical configuration faux...

posted @ Tuesday, July 21, 2009 3:28 AM | Feedback (7)

The “replace” in “rip and replace” essentially means getting rid of old security problems and replacing them with new ones. Twittergate is (thankfully) behind us but it’s almost assuredly going to be the case that we’ll be rehashing this one for a while. This certainly isn’t the first time Twitter and security issues have clashed, and as in the past Twitter (and really any very public application in a similar situation) is the clear loser. And of course there comes the unsolicited advice offered regarding what Twitter needs to do to address its security issues. I am, of...

posted @ Monday, July 20, 2009 3:43 AM | Feedback (2)

Is ESB just an expensive integration hub or is there more to the story than we heard… In the beginning, the ESB (Enterprise Service Bus), was marketed as much more than an integration technology. While the core of an ESB is certainly about connectivity between services, there was – and still is – so much more to an ESB than just integrating disparate protocols and technologies. Transformation, parallel processing, content based routing, and service orchestration are among the more useful and beneficial capabilities of an ESB. That’s why it was somewhat surprising to see the CTO of...

posted @ Friday, July 17, 2009 3:26 AM | Feedback (2)

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service. THE E-MAIL FACTOR What was compromised remains somewhat of a mystery. Following through the...

posted @ Thursday, July 16, 2009 2:58 AM | Feedback (3)

Apparently if you’re attending the USENIX Security conference (August 12-14, 2009, in Montreal, Canada) you can participate in the Security Grand Challenge. What is that, you ask? Here’s how the organizers describe it: The concept is very simple. The participant teams will have to use their science and technical skill to create an environment where a server can function with integrity and minimum required service levels even when under attack. On the day of the competition, each participant team will receive a virtualized server, with a number of services. The services might...

posted @ Tuesday, July 14, 2009 2:59 AM | Feedback (4)

Without availability scalability is irrelevant. I really enjoyed Jeff Atwood’s recent blog on Scaling Up vs Scaling Out, which includes a fairly detailed comparison of the costs associated with each approach to scalability. I enjoyed it because not only did it take into consideration the cost of hardware, but also remembered to include the cost of software licensing. And of course there’s the fact that Jeff’s site is focused on development and coding, and this discussion broadened the discussion into the realm of application networking – a demesne with which I am of course particularly fond. ...

posted @ Friday, July 10, 2009 3:38 AM | Feedback (0)

Smashing Magazine has a cool “cheat sheet” for those interested in the ongoing development of HTML 5. Of interest is what’s being excluded and what’s new, as well as the length of time it’s going to take before HTML 5 is completely supported: XHTML is dead, long live HTML 5! According to W3C News Archive, XHTML 2 working group is expected to stop work end of 2009 and W3C is planning to increase resources on HTML 5 instead. And even though HTML 5 won’t be completely supported until 2022, it doesn’t mean that it won’t...

posted @ Tuesday, July 07, 2009 4:06 AM | Feedback (1)

But browser support is only half the solution, don’t forget to implement the server-side, too. Clickjacking, unlike more well-known (and understood) web application vulnerabilities, has been given a scant amount of attention despite its risks and its usage. Earlier this year, for example, it was used as an attack on Twitter, but never really discussed as being a clickjacking attack. Maybe because aside from rewriting applications to prevent CSRF (adding nonces and validation of the same to every page) or adding framekillers there just haven’t been many other options to prevent the attack technique from being utilized against...

posted @ Tuesday, June 23, 2009 3:27 AM | Feedback (34)

The inclusion of a web server gives attackers clear line-of-sight to their targets. There’s been a few articles on Opera Unite that have called into question the security of the decision to include a web server with the browser. Most of those discussions have centered around the ability to muck with files not intended by the host to be shared, but given current infection techniques there’s a far greater danger to Opera: mass injection attacks. As is often pointed out, current attack techniques are not necessarily targeting web sites per se, but are intended to infect...

posted @ Friday, June 19, 2009 3:56 AM | Feedback (0)

One of the tasks of an enterprise architect is to design a framework atop which developers can implement and deploy applications consistently and easily. The consistency is important for internal business continuity and reuse; common objects, operations, and processes can be reused across applications to make development and integration with other applications and systems easier. Architects also often decide where functionality resides and design the base application infrastructure framework. Application server, identity management, messaging, and integration are all often a part of such architecture designs. Rarely does the architect concern him/herself with the network infrastructure, as that is...

posted @ Wednesday, June 17, 2009 4:07 AM | Feedback (4)

I’m heading out today for a little time off and so you’ll have to make do the rest of the week without any (new) words of wisdom from me. I know, try to pull yourself together. You’ll live, really, and I’ll be back Monday with something interesting, promise. While I’m out, you might consider checking out some of the blogs I follow myself on a regular basis. They’re always full of interesting tidbits and stories and wisdom on a variety of subjects, and if you don’t follow them yourself you might find something interesting in them. ...

posted @ Wednesday, June 10, 2009 4:25 AM | Feedback (4)

An interesting thing happened on the way to testing that application from the cloud. We broke the innertubes! Pros and Cons of Application Testing in the Cloud: A firm wanted to test their application and needed 100 browser instances. In the old days it would have required 100 machines -- that would be a massive undertaking. Even with hardware virtualization, you would need 5 to 10 machines, and there would be some complex configuration issues. However, by putting it all in the cloud, they were able to sync up 100 virtual instances of the browsers and take them down over...

posted @ Wednesday, June 10, 2009 3:24 AM | Feedback (7)

If you haven’t got your (applications’) health, then you haven’t got anything. If you happen to be unlucky enough to suffer from Celiac disease - gluten intolerance (wheat, barley, oats, rye) - then you know how important it is to keep gluten out of your diet. If you don’t know let’s just say that you have to keep even trace amounts of gluten out of your diet lest you suffer the consequences, which can be different from person to person, but none are pleasant. You feed off food; applications feed off requests and responses. Like those who...

posted @ Friday, June 05, 2009 4:08 AM | Feedback (1)

Attackers say, we can go where we want to; we can leave our code behind… There’s probably a raid going on right now in Naxxramas and the attackers are almost certainly doing the Safety Dance. They probably learned the Safety Dance the same way I learned about it; from someone well-versed in its intricate steps. See, if you don’t know the Safety Dance and you come up against Heigan the Unclean, well… he’s not called Heigan the Unclean for nothing. You will not survive. Not even if you happen to have a Holocaust Cloak at...

posted @ Wednesday, June 03, 2009 3:58 AM | Feedback (2)

There is a tendency to describe every device on a network as simply “the network” regardless of whether that device is dedicated to security, or application delivery (layer 4-7), or actual network (layer 2-3) functionality. It’s an artifact of aging data center architecture models that there exists an artificial line of demarcation between web and application servers and everything else. We used to depict “everything else” as a cloud, but with the emergence of The Cloud doing so simply complicates discussions even further because the “network” necessary to support a dynamic, on-demand operational model of computing like “cloud” is more...

posted @ Friday, May 29, 2009 3:49 AM | Feedback (12)

It certainly sounds reasonable: networks are moving toward a perimeter-less model so the line between internal and external network is blurring. The introduction of cloud computing as overdraft protection (cloud-bursting) further blurs that perimeter such that it’s more a suggestion than a rule. That makes the idea of encrypting everything whether it’s on the internal or external network seem to be a reasonable one. Or does it? THE IMPACT ON OPERATIONS A recent post posits that PCI Standard or Not, Encrypting Internal Network Traffic is a Good Thing....

posted @ Thursday, May 28, 2009 4:02 AM | Feedback (3)

Let me ‘splain. No, there is too much. Let me sum up… This week has been full of interesting announcements: Microsoft warns of new server vulnerability; McAfee blasted for having holes in its Web sites; ‘Gumblar’ attacks spreading quickly. There just aren’t enough words. But as they say, a picture is worth at least a thousand words, so I give you a pictorial response to this week’s interesting security happenings. ...

posted @ Thursday, May 21, 2009 4:22 PM | Feedback (3)

Greedy algorithms can result in the right solution in the end, but rarely do Don and I were having a discussion with our oldest son the other night about writing a chess program. There are myriad options for implementing the learning aspects of a chess program, but this is not a task for the timid. He ended up proposing a much simpler solution (this was just an exercise in ‘can I write it’, after all) that would have essentially used a very greedy algorithm; one that made a decision regarding the computer’s next move based on current state of...

posted @ Monday, May 18, 2009 3:16 AM | Feedback (1)

Risk with virtualization is the same as it ever was, but different Hoff makes a good point about cloud security last month in his “The Cloud is a Fickle Mistress: DDoS&M” which was, if I may quote, “it’s the oldies and goodies that will come back to haunt us.” In other words, it’s the well-known, well-understood protocol-based attacks of uncloud computing that will be problematic for cloud computing. Security in virtualized environments and “the cloud” is indeed the “same as it ever was.” And yet it’s different, too. COLLATERAL DAMAGE While it’s...

posted @ Tuesday, May 12, 2009 3:45 AM | Feedback (1)

Why architecture matters not only to security but to the future of cloud computing It seems the phrase “in the cloud”, sadly, has become a marketing-hyped euphemism for “the Internet.” I say sadly because the use of cloud to refer to every and any service delivered over the Internet dirties up the cloud. It obscures the intent of cloud computing and makes it difficult for technologists in the trenches to get a handle on how cloud – both external and internal – can provide benefits and solutions to problems they have right now. The very loose use of the...

posted @ Monday, May 11, 2009 3:38 AM | Feedback (14)

Now I lay me down to sleep
I pray that safe my apps will keep
If hacked they be before I wake
I pray it was a (DEV || OPS) mistake

posted @ Thursday, May 07, 2009 9:40 AM | Feedback (2)

Don’t confuse computing services with infrastructure services. We aren’t there yet. The subtext to the cloud computing discussion is subtle, as is the wont of subtext. But it is clear that underlying all the concerns about cloud computing is a common theme: control. Whether we’re talking about reliability or security, it should be obvious if you’re reading between and beneath the lines that the biggest stumbling block to massive cloud adoption is the issue of control. There is a very real difference between on-demand computing and on-demand infrastructure. What the cloud provides now, and is described...

posted @ Thursday, May 07, 2009 3:11 AM | Feedback (4)

If you’ve ever played Dungeons & Dragons for an extended period of time (a campaign, in the vernacular) you know that of all the classes available the cleric is the least likely to be chosen willingly. The cleric class is much like the kid picked last in kickball, chosen only because you have to, not because you want to. Okay, bard may actually be less likely but cleric is really, really close and you need a cleric, you don’t necessarily need a bard. The problem is that clerics can be somewhat dull to play but...

posted @ Tuesday, May 05, 2009 3:38 AM | Feedback (8)

Hint: It doesn’t actually have much to do with technology or products In case you hadn’t heard, Panda Security has introduced a cloud-based anti-virus offering. This set off a raft of articles and blogs discussing the solution itself and what it means, and some who questioned whether ‘anti-virus’ even meant ‘security’ in the first place. But I’m not interested in that discussion except to say that folks need to be more careful about distinguishing “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure, the latter about services hosted...

posted @ Monday, May 04, 2009 3:37 AM | Feedback (6)

You can’t afford not to invest in technologies that leverage virtualization to improve data center efficiency There’s an old adage that says you have to spend money to make money. In the data center these days this is more true than ever. You have to invest in technology capable of making your data center more efficient in order to make (save) money. A recent Robert Half Technology survey of 1400 CIOs indicates that data center efficiency and virtualization are top priorities. *CIOs were asked, "Which areas, if any, will your IT department be investing...

posted @ Tuesday, April 28, 2009 3:00 AM | Feedback (1)

How to defeat the ancient Jedi mind trick known as HTTP Request Smuggling.  HTTP Request Smuggling (HRS) is not a new technique; it's been around since 2005. It takes advantage of architectures where one or more intermediaries (proxies) are deployed between the client and the server. HRS can be used to poison web caches and bypass security solutions such as web application firewalls, as well as for the delivery of malicious payloads such as worms, viruses, and those used to exploit known vulnerabilities in web and application servers. The good news is that to exploit HRS,...

posted @ Thursday, April 23, 2009 3:39 AM | Feedback (1)
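
The CL.TE desynchronisation behind the HTTP Request Smuggling post above, as an added example that is not code from the original post. The request bytes and the host name example.test are constructed; the point is that the same byte stream is carved into a different number of requests depending on whether a hop honours Content-Length or Transfer-Encoding, and that an intermediary which refuses ambiguously framed requests never forwards the smuggled one.

```python
"""CL.TE request smuggling: one byte stream, two ways of finding the body end.

Added example, not code from the original post. The request bytes and the
host name example.test are constructed for illustration.
"""
import re


def parse_head(buf, start):
    """Split one request head out of `buf` at offset `start`.

    Returns (request_line, [(lowercased name, value), ...], body_offset).
    """
    end = buf.index(b"\r\n\r\n", start)
    lines = buf[start:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def skip_chunked(buf, pos):
    """Return the offset just past a chunked body that starts at `pos`."""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return pos + 2          # the empty trailer line ends the body
        pos += size + 2             # chunk data plus its CRLF


def body_framing(headers, prefer):
    """Which header a hop uses to find the body end.

    `prefer` models the hop: "te" for one that follows RFC 7230 3.3.3
    (Transfer-Encoding wins), "cl" for a proxy that trusts Content-Length.
    """
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in v.lower() for v in te)
    if chunked and cl:
        return prefer
    if chunked:
        return "te"
    if cl:
        return "cl"
    return "none"


def split_stream(buf, prefer):
    """Return the request lines a hop sees when it reads `buf` with `prefer`."""
    seen = []
    pos = 0
    while pos < len(buf):
        request_line, headers, body = parse_head(buf, pos)
        mode = body_framing(headers, prefer)
        if mode == "cl":
            pos = body + int([v for n, v in headers if n == "content-length"][0])
        elif mode == "te":
            pos = skip_chunked(buf, body)
        else:
            pos = body
        seen.append(request_line)
    return seen


def is_ambiguous(headers):
    """The check an intermediary should apply before forwarding: refuse any
    request whose body length can be read in more than one way."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return True                     # CL.TE / TE.CL desync candidates
    if len(set(cl)) > 1:
        return True                     # conflicting duplicate Content-Length
    return any(not re.fullmatch(r"[0-9]+", v) for v in cl)


# Constructed attack stream: a front end that trusts Content-Length forwards
# one POST; a back end that honours chunked sees the POST end at the 0 chunk
# and treats the remaining bytes as a second, smuggled request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
STREAM = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length: %d\r\n" % len(BODY)
          + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)


def demo():
    """Return (front-end view, back-end view, flagged by the check) for STREAM."""
    return (split_stream(STREAM, "cl"),
            split_stream(STREAM, "te"),
            is_ambiguous(parse_head(STREAM, 0)[1]))


if __name__ == "__main__":
    front, back, flagged = demo()
    print("front end sees:", front)
    print("back end sees: ", back)
    print("rejected by ambiguity check:", flagged)
```

The front end forwards what it believes is a single POST; the back end answers two requests, the second of which the front end never inspected. Normalising at the first hop (reject, or strip Content-Length when Transfer-Encoding is present, as RFC 7230 directs) removes the disagreement on which the technique depends.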

What is this application delivery thing that everyone keeps telling me I need? Isn’t that just the latest marketing term for load balancing? A recently released Forrester report concludes that “firms must develop an integrated strategy for application delivery.” We don’t disagree with that, or with the Gartner report claiming that “Load Balancing is Dead, Time to Focus on Application Delivery.” Application delivery is the next step in the logical evolutionary path from the tactical solution of load balancing to a comprehensive application infrastructure strategy. Forrester’s research indicates that despite the fact that application...

posted @ Monday, April 20, 2009 3:40 AM | Feedback (6)

Open Source SSL Accelerator solution not as cost effective or well-performing as you think o3 Magazine has a write up on building an SSL accelerator out of Open Source components. It’s a compelling piece, to be sure, that was picked up by Slashdot and discussed extensively. If o3 had stuck to its original goal – building an SSL accelerator on the cheap – it might have had better luck making its arguments. But it wanted to compare an Open Source solution to a commercial solution. That makes sense, the author was trying to show value in...

posted @ Friday, April 17, 2009 4:56 AM | Feedback (41)

Collaborating automatically via Web 2.0 APIs is a beautiful thing. I can update status on Twitter and it will automagically propagate to any number of social networking sites: Facebook. FriendFeed. MySpace. LinkedIn. If I had to do it all manually, I wouldn’t. But the automation of sharing, i.e. collaboration, between Web 2.0 social networking sites made possible by open APIs is just too easy to pass up. The danger is, of course, that a single malicious message can just as quickly propagate through that same social network. The power of the API can quickly be turned against us. A...

posted @ Monday, April 13, 2009 4:05 AM | Feedback (0)

Those who cannot remember the past are condemned to repeat it. George Santayana, The Life of Reason, Volume 1, 1905 US (Spanish-born) philosopher (1863 - 1952) This oft repeated quote needs to be tweaked just a bit to be more applicable to web application security: Those who choose to ignore the past in favor of convenience are condemned to repeat it. Just how many times do developers have to “hack” a protocol that eventually becomes a wide-open hole through which even a blind miscreant...

posted @ Tuesday, April 07, 2009 9:25 AM | Feedback (8)

Everyone wants web sites and applications to load faster, and there’s no shortage of folks out there looking for ways to do just that. But all that glitters is not gold, and not all acceleration techniques actually do all that much to accelerate the delivery of web sites and applications. Worse, some actually incur risk in the form of leaving servers open to exploitation. A BRIEF HISTORY Back in the day when HTTP was still evolving, someone came up with the concept of persistent connections. See, in ancient times – when administrators still wore togas in...

posted @ Thursday, April 02, 2009 3:30 AM | Feedback (15)

Are you protecting your Web 2.0 APIs? As Web 2.0 applications continue to expand from connected to collaborative via the extensive use of APIs it behooves developers and security professionals alike to consider the ramifications of providing this necessary yet dangerous avenue of entry into their application infrastructure. Too many discussions around web application security are focused on the user-facing web interfaces and ignore the potentially more dangerous collaboration-focused interfaces that make up the API. What makes them more dangerous is that they almost always offer an XML exchange format, but it is rare that...

posted @ Wednesday, April 01, 2009 3:46 AM | Feedback (1)

Keep in mind that the time it takes a human being to blink is an average of 300 – 400 milliseconds. I just got back from Houston where I helped present on F5’s integration with web application security vendor White Hat, a.k.a. virtual patching. As almost always happens whenever anyone mentions the term web application firewall the question of performance degradation was raised. To be precise: How much will a web application firewall degrade performance? Not will it, but how much will it, degrade performance. My question back to those of you with the same...

posted @ Monday, March 30, 2009 3:21 AM | Feedback (3)

If you do, you may find you’ll come out with a more effective security strategy Michael Santarcangelo shows why he’s known as a “human catalyst” with his strategy-focused effort to change the way we deal with security, Into the Breach. Michael’s basic premise is that a breach is a symptom of a larger problem and not the actual problem itself. Unlike most security-focused discussions today he tackles not the issue of electronic data and disclosure but the larger, more often ignored problem of low-tech breaches caused (often unintentionally) by people. Soylent security. It’s people,...

posted @ Thursday, March 26, 2009 3:58 PM | Feedback (1)

One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness. Take Google, for example, and its myriad Cloud-based application offerings. A new complaint made by EPIC (the Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.”  From a recent FT.com article: ...

posted @ Thursday, March 26, 2009 5:47 AM | Feedback (1)

Ah, those were the days, weren’t they? When improving the security, reliability, and performance of applications over the LAN, over the WAN, and over the Internet meant you had to deploy many different solutions, each one standing on their own in the data center. When you had to learn how to configure and manage as many devices as you have fingers just to deliver a single business-critical application to users and customers across a wide variety of environments. When there really wasn’t an option because solutions weren’t unified, weren’t contextually aware, and were basically just a bunch of point solutions...

posted @ Monday, March 23, 2009 3:21 AM | Feedback (0)

Ah, those were the days, weren’t they? When you needed a way to add security at several layers to your network and application network infrastructure but knew that implementing a solution capable of securing those pesky applications was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense...

posted @ Monday, March 16, 2009 3:39 AM | Feedback (0)

Mike Fratto loves to tweak my nose about web application security. He’s been doing it for years, so it’s (d)evolved to a pretty standard set of arguments. But after he tweaked the debate again in a tweet, I got to thinking that part of the problem is the definition of web application security itself. Web application security is almost always about the application (I know, duh! but bear with me) and therefore about the developer and secure coding. Most of the programmatic errors that lead to vulnerabilities and subsequently exploitation can be traced to a lack of secure...

posted @ Wednesday, March 11, 2009 3:21 AM | Feedback (1)

Ah, those were the days, weren’t they? When you needed a way to inspect data at the edge for application-specific issues but knew that implementing a solution capable of that kind of agility was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense of security and optimization...

posted @ Monday, March 09, 2009 4:30 AM | Feedback (1)

One of the ways miscreants locate targets for mass SQL injection attacks that can leave your applications and data tainted with malware and malicious scripts is to simply seek out sites based on file extensions. Attackers know that .ASP and .PHP files are more often than not vulnerable to SQL injection attacks, and thus use Google and other search engines to seek out these target-rich environments by extension. Using a non-standard extension will not eliminate the risk of being targeted by a mass SQL injection attack, but it can significantly reduce the possibility because your site will automatically turn...

posted @ Thursday, March 05, 2009 3:46 AM | Feedback (4)

Owning the stack is important to security, but it’s also integral to a lot of other application delivery functions. And in some cases, it’s downright necessary. Hoff rants with his usual finesse in a recent posting with which I could not agree more. Not only does he point out the wrongness of equating SaaS with “The Cloud”, but points out the importance of “owning the stack” to security. Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings. Why? Because they...

posted @ Wednesday, February 25, 2009 3:13 AM | Feedback (0)

When folks are asked to define the cloud they invariably, somewhere in the definition, bring up the point that “users shouldn’t care” about the actual implementation. When asked to diagram a cloud environment we end up with two clouds: one representing the “big cloud” and one inside the cloud, representing the infrastructure we aren’t supposed to care about, usually with some pretty graphics representing applications being delivered out of the cloud over the Internet. But yet some of us need to care what’s obscured; the folks tasked with building out a cloud environment need to know what’s...

posted @ Wednesday, February 18, 2009 4:14 AM | Feedback (4)

The year 2009 may be remembered as the year technologies died. First Anne Thomas Manes of Burton Group declared SOA dead, and more recently Mark Fabbi of Gartner announced the death of load balancers. The difference in the obituaries is striking: Manes declares an entire architectural model dead while Fabbi merely declares the death of a product, not the technological concepts behind it. Load balancers may be dead, but the concept of load balancing lives on as a critical foundation for more advanced and valuable features available in the load balancer’s evolutionary replacement: the application delivery controller. Where Manes gives...

posted @ Monday, February 16, 2009 5:10 AM | Feedback (6)

One of the negatives of providing a solution is that it necessarily assumes there is a problem. That’s actually a fair assumption in the technology world, as problems seem to abound with no end in sight. What it also does, unfortunately, is lead to a culture within IT that is more tactical than strategic. Because IT is almost always trying to put out one fire or another, they rarely have time to think – and plan – ahead. Honestly, that’s the responsibility of directors and C-level executives, anyway. It’s their responsibility to look ahead not just months...

posted @ Thursday, February 12, 2009 3:41 AM | Feedback (0)

The issue of application state and connection management is one often discussed in the context of cloud computing and virtualized architectures. That's because the stress placed on existing static infrastructure due to the potentially rapid rate of change associated with dynamic application provisioning is enormous and, as is often pointed out, existing "infrastructure 1.0" systems are generally incapable of reacting in a timely fashion to such changes occurring in real-time. The most basic of concerns continues to revolve around IP address management. This is a favorite topic of Greg Ness at Infrastructure 2.0 and has been subsequently addressed...

posted @ Tuesday, February 10, 2009 7:59 AM | Feedback (4)

While the vast majority of folks are still debating what is or is not "cloud computing", there are already groups trying to get ahead of the curve by focusing on broader issues such as interoperability and portability. Indeed, by addressing the potential pitfalls associated with portability across cloud implementations now rather than later, it is hoped that there won't be as many problems when it does finally become an issue. There is a very real danger, however, that cloud interoperability and portability specifications will fail to address the very real need to include all the relevant application and...

posted @ Friday, February 06, 2009 4:39 AM | Feedback (38)

You're standing in line at the bank when someone walks in. You instinctively look around and notice the newcomer is wearing sunglasses and a hooded sweatshirt. His hands are both inside the pockets of his sweatshirt, even though it's warm inside. He chooses a line, and dances nervously from foot to foot, craning his neck to see to the front of the line. After a few minutes he leaves the line and chooses a new one, growing increasingly agitated at the wait. He keeps looking from the clock to the line to the tellers, and appears to be wringing his...

posted @ Tuesday, February 03, 2009 4:01 AM | Feedback (2)

The webification of applications over the years has led to the belief that client-server as an architecture is dying. But very few beliefs about architecture have been further from the truth. The belief that client-server was dying - or at least falling out of favor - was primarily due to the fact that early browser technology was used only as a presentation mechanism. The browser did not execute application logic, did not participate in application logic, and acted more or less like a television: smart enough to know how to display data but not smart enough to do anything...

posted @ Monday, February 02, 2009 4:38 AM | Feedback (3)

Open APIs are a matter of much discussion these days in the realm of cloud computing. Just take a peek at the discussion that occurred via Twitter during Cloud Connect. Many folks were not shy in putting forth the notion that cloud portability and interoperability can only be achieved through accepted "cloud" standards. Integration standards, for the cloud, if you will. The fear is that any emerging standards will focus only on the portability of the application or virtual container environment. They are likely to ignore the fact that no application is an island, and that the application delivery...

posted @ Monday, January 26, 2009 3:40 AM | Feedback (3)

If you've taken the time to read over the "Top 25 Most Dangerous Programming Errors" published by SANS recently, you may (or may not) have noticed that CWE-319 is an anomaly, and should be easily picked out by developers and security professionals in a game called "which one of these is not like the other". CWE-319 If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many different nodes in transit to its final destination. Attackers can sniff this...

posted @ Monday, January 19, 2009 3:57 AM | Feedback (4)

Zero-day IE exploits and general mass SQL injection attacks often overshadow potentially more dangerous exploits targeting lesser known applications and attack vectors. These exploits are potentially more dangerous because once proven through a successful attack on these lesser known applications they can rapidly be adapted to exploit more common web applications, and no one is specifically concentrating on preventing them because they're, well, not so obvious. Recently, SANS Internet Storm Center featured a write up on attempts to exploit Roundcube Webmail via the HTTP Accept header. Such an attack is generally focused on exploitation of operating system, language, or environmental...

posted @ Thursday, January 15, 2009 9:12 AM | Feedback (4)
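
A strict Accept header check of the kind an intermediary can apply in front of an application such as the webmail client mentioned above, as an added example that is not code from the original post or from the SANS write-up. It validates the header against the media-range grammar of RFC 7231 (token type/subtype, optional parameters, a q weight between 0 and 1) and rejects anything else before the application ever parses it; the length and element limits, the helper names and the sample values are this example's own assumptions.

```python
"""Strict Accept header validation for a proxy or WAF.

Added example, not code from the original post. MAX_LEN and MAX_ELEMENTS are
limits chosen here for illustration; the sample headers are constructed.
"""
import re

# RFC 7230 token characters; a media type, subtype and parameter name/value
# (when unquoted) may contain nothing else.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
PARAM_RE = re.compile(rf"\s*;\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
ELEMENT_RE = re.compile(
    rf"\s*({TOKEN})/({TOKEN})"                              # type/subtype
    rf"((?:\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED}))*)"   # parameters
    r"\s*(?:,|$)")                                          # separator or end
QVALUE_RE = re.compile(r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)")

MAX_LEN = 1024        # assumption: longer headers are not legitimate browsers
MAX_ELEMENTS = 32     # assumption: bound the work done per request


def parse_accept(value):
    """Return [(media_range, {param: value}), ...] or raise ValueError.

    Everything not matching the grammar is an error; the caller decides
    whether that means a 400 response or a log entry.
    """
    if len(value) > MAX_LEN:
        raise ValueError("Accept header too long")
    elements = []
    pos = 0
    while pos < len(value):
        m = ELEMENT_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed Accept element at offset {pos}")
        mtype, subtype, raw_params = m.group(1), m.group(2), m.group(3)
        if mtype == "*" and subtype != "*":
            raise ValueError("wildcard type requires wildcard subtype")
        params = {}
        for pm in PARAM_RE.finditer(raw_params):
            params[pm.group(1).lower()] = pm.group(2)
        q = params.get("q", "1")
        if not QVALUE_RE.fullmatch(q):
            raise ValueError(f"invalid q value {q!r}")
        elements.append((f"{mtype}/{subtype}".lower(), params))
        if len(elements) > MAX_ELEMENTS:
            raise ValueError("too many Accept elements")
        pos = m.end()
    return elements


def accept_is_valid(value):
    """Boolean form of parse_accept for use in a request filter."""
    try:
        parse_accept(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("text/html, application/xhtml+xml;q=0.9, */*;q=0.8",
                   "text/html;q=0.9, {{bad}}",
                   "text/html;q=1.5"):
        print(repr(sample), "->", accept_is_valid(sample))
```

The value of a check like this at the edge is that it is independent of whatever the application does with the header afterwards: characters outside the token set, unbalanced quotes and out-of-range weights never reach the code that interprets them, whichever language or framework that code is written in.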

Everyone is buzzing and tweeting about the SANS Institute CWE/SANS Top 25 Most Dangerous Programming Errors, many heralding its release as the dawning of a new age in secure software. Indeed, it's already changing purchasing requirements. Byron Acohido reports that the Department of Defense is leading the way by "accepting only software tested and certified against the Top 25 flaws." Some have begun speculating that this list obviates the need for web application firewalls (WAF). After all, if applications are secured against these vulnerabilities, there's no need for an additional layer of security. Or is there? Web application firewalls, while certainly...

posted @ Wednesday, January 14, 2009 4:22 AM | Feedback (5)

One of the reasons behind some folks pushing for infrastructure as virtual appliances is the on-demand nature of a virtualized environment. When network and application delivery infrastructure hits capacity in terms of throughput - regardless of the layer of the application stack at which it happens - it's frustrating to think you might need to upgrade the hardware rather than just add more compute power via a virtual image. The truth is that this makes sense. The infrastructure supporting a virtualized environment should be elastic. It should be able to dynamically expand without requiring a new network architecture,...

posted @ Tuesday, January 13, 2009 4:15 AM | Feedback (10)

Over the holidays Marcin @ tssci security offered up a python script for brute forcing the HTTP OPTIONS on directories. One of the reasons someone would want this information is because if you're (accidentally, of course) allowing PUT methods on any directories, someone can upload something nasty and potentially execute an attack. The availability of PUT makes XSS attacks simple even for script kiddies, for example. There may be legitimate reasons for enabling PUT on your servers, but you don't necessarily want the whole world to know that - just the applications that need the functionality....

posted @ Monday, January 05, 2009 5:58 AM | Feedback (5)
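
Two sides of the OPTIONS probing described in the post above, as an added example that is not the script from the original post: an audit that turns a set of collected Allow headers into a list of directories advertising risky methods, and the proxy-side policy that grants PUT only to the clients that need it while answering OPTIONS to everyone else without mentioning it. The probe results, paths and client networks are constructed for illustration.

```python
"""Auditing advertised HTTP methods and restricting PUT to the clients
that need it.

Added example, not the script from the original post. PROBE_RESULTS, the
paths and the client networks are constructed for illustration.
"""
import ipaddress

# Methods that change or expose server state and rarely belong on a public
# directory; PUT in particular lets a caller store content the server will
# later serve to others.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}

# Constructed Allow headers as an OPTIONS brute-force run might collect them.
PROBE_RESULTS = {
    "/":         "GET, HEAD, OPTIONS",
    "/images/":  "GET, HEAD, OPTIONS",
    "/uploads/": "GET, HEAD, PUT, DELETE, OPTIONS",
    "/debug/":   "GET, TRACE, OPTIONS",
}


def parse_allow(value):
    """Allow is a comma-separated list of method tokens; normalise it."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def audit(results):
    """Return {path: sorted risky methods} for every path advertising one."""
    findings = {}
    for path, allow in results.items():
        risky = sorted(parse_allow(allow) & RISKY_METHODS)
        if risky:
            findings[path] = risky
    return findings


# Policy for the proxy in front of the server: everyone gets the safe
# methods; extra methods are granted per path prefix and only to listed
# client networks (the application that actually needs to PUT).
DEFAULT_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
POLICY = {
    "/uploads/": {"methods": {"PUT", "DELETE"}, "clients": ["10.0.5.0/24"]},
}


def allowed_methods(path, client_ip):
    """Methods this client may use on this path under POLICY."""
    allowed = set(DEFAULT_METHODS)
    ip = ipaddress.ip_address(client_ip)
    for prefix, rule in POLICY.items():
        if path.startswith(prefix) and any(
                ip in ipaddress.ip_network(net) for net in rule["clients"]):
            allowed |= rule["methods"]
    return allowed


def decide(method, path, client_ip):
    """Return (status, Allow header value) for a request.

    OPTIONS answers list only what *this* client may use, so probing from
    outside does not reveal that PUT exists; any other disallowed method
    gets 405, which carries Allow as RFC 7231 requires.
    """
    allowed = allowed_methods(path, client_ip)
    allow_header = ", ".join(sorted(allowed))
    if method.upper() == "OPTIONS":
        return 204, allow_header
    if method.upper() in allowed:
        return 200, allow_header
    return 405, allow_header


if __name__ == "__main__":
    print("risky methods advertised:", audit(PROBE_RESULTS))
    for client in ("10.0.5.7", "203.0.113.9"):
        print(client, "OPTIONS /uploads/ ->", decide("OPTIONS", "/uploads/", client))
        print(client, "PUT /uploads/x   ->", decide("PUT", "/uploads/x", client))
```

Note that the restriction is enforced on the request, not just hidden in the OPTIONS reply: the client outside the allowed network still receives 405 when it tries PUT directly, so the policy holds even against a probe that skips OPTIONS and sends the method blind.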

VM sprawl is predicted to be one of the outcomes of early adoption and excitement over virtualization. Just as IT struggled to manage the explosion of PCs and servers across the enterprise, it is predicted that now it will need to find a way to manage the explosion of virtual machines as they pop up all over the enterprise with surprising alacrity. Part of the difficulty in managing new technology is the rogue deployment of X. Whether that's physical or virtual servers is irrelevant, the challenges associated with managing what are essentially unmanaged applications and servers deployed outside...

posted @ Friday, December 19, 2008 7:10 AM | Feedback (1)

The INTERNET, December 18, 2008 - In what is certainly a blinding epiphany for some it was suddenly realized today that some applications are not well suited for deployment in a public cloud computing environment. With all the hype surrounding cloud computing these days it is easy to forget that there's more to enterprise applications than just some code and a database. It is a rare application that is an island in the data center, and the more integrated with other systems a given application is the less likely it is that the application will be well suited...

posted @ Thursday, December 18, 2008 4:14 AM | Feedback (3)

When an application is deployed into a high-availability production environment there are a number of interesting infrastructure related things that need to happen. The application delivery controller (ADC) needs to be configured, DNS entries updated, storage allocated, and all the other associated network infrastructure must be prepared to handle the delivery of the new application. We have a BIG-IP. Do I have to talk to the network guys?? ...

posted @ Tuesday, December 16, 2008 5:55 AM | Feedback (3)

You may recall a recent overview on network-side scripting that described a few uses of this technology integrated with application delivery controllers. With thousands of examples of the uses of network-side scripting it's hard to choose just one to adequately represent its potential. Luckily, we don't have to stick to just one. Viva la Internet! Based on the technical session the great network-side scripting guru Colin and I ran at SD Best Practices in October, I've pulled nine ways to use network-side scripting that can enhance the scalability, security, and performance of web applications into a presentation for...

posted @ Thursday, December 11, 2008 4:04 AM | Feedback (4)