Two Different Socks (DevCentral weblog): entries tagged security
There are 173 entries for the tag security

There are two kinds of privacy. Only one is the responsibility of vendors and providers to ensure. The rest is up to you.
Regulations like HIPAA and PCI-DSS are designed to guarantee that electronic personally identifiable information, or PII in the vernacular, held by providers is safeguarded against theft or accidental disclosure. They are not designed to provide consumers with any kind of “social gag” that might alert them they are offering up information or photographs the likes of which they may later regret sharing. While social networking sites like Facebook now provide “privacy” options that allow consumers to control who...
posted @ Thursday, March 18, 2010 5:47 AM

“Security” concerns continue to top every cloud computing related survey. This could be because, well, CIOs and organizations in general are concerned about security. It could be because the broader question of control over the infrastructure – including security – is never proffered as a reason for reluctance to jump into the fray known as cloud computing. Forty-nine percent of survey respondents from enterprises and 51 percent from small and medium-size businesses cited security and privacy concerns as their top reason for not using cloud computing. – Survey: Security Concerns Hinder Cloud Computing Adoption, NetCentric...
posted @ Monday, March 08, 2010 5:07 AM

The current threat level is … the same as it was yesterday, and the day before, and will be tomorrow. We’ve all been in the airport before and heard the announcement. “The current threat level is orange. Blah blah blah blah yada yada whatever.” At least that’s what I hear today because I’ve become immune to the fact that “orange” means there’s a threat. There’s always a threat, it seems, and the announcement simply conveys what appears to many of us to be the “status quo.” We have effectively been desensitized to a “higher” threat level as...
posted @ Friday, March 05, 2010 3:48 AM

The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center. I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies for my mobile phone web access? Or am I the one that’s currently assigned to my laptop – the one that will change tomorrow because today I am...
posted @ Thursday, March 04, 2010 3:54 AM

The W3C specification now offers the means by which cross-origin AJAX requests can be achieved. Leveraging network and application network services in conjunction with application-specific logic improves the security of allowing cross-domain requests and has some hidden efficiency benefits, too. The latest version of the W3C working draft on “Cross-Origin Resource Sharing” lays out the means by which a developer can use XMLHttpRequest (in Firefox) or XDomainRequest (in IE8) to make cross-site requests. As is often the case, the solution is implemented by extending HTTP headers, which makes the specification completely backwards and cross-platform compatible even if the...
posted @ Tuesday, February 09, 2010 4:18 AM

Using HTTP headers and default browser protocol handlers provides an opportunity to rediscover the usability and simplicity of the mailto protocol.
Over the last decade it's become unsafe to use the mailto protocol on a website due to e-mail harvesters and web scraping. No one wants to put their e-mail address out on teh Internets because two minutes after doing so you end up on a trillion SPAM lists and the next thing you know you're changing your e-mail address.
But people still wanted to share contact information, so it became common practice to spell out your e-mail address, such...
posted @ Thursday, January 28, 2010 3:07 AM

In the wake of Google’s revelation that its GMail service had been repeatedly attacked over the past year the search engine goliath announced it would be moving to HTTPS (HTTP over SSL) by default for all GMail connections. For users, nothing much changes except that all communication with GMail will be encrypted in transit using industry standard SSL, regardless of whether they ask for it by specifying HTTPS as a protocol or not. In the industry we generally refer to this as an HTTPS redirect, and it’s often implemented by automatically rewriting the URI using a load balancing /...
posted @ Friday, January 15, 2010 3:10 AM

Being an efficient developer often means abstracting functionality such that a single function can be applied to a variety of uses across an application. Even as this decreases the risk of errors, time to develop, and the attack surface necessary to secure the application, it also makes implementing security more difficult. Over the holidays I had the opportunity to do some coding on my latest web application project. I won’t bore you with the details of what it is because it’s to support a hobby of Don and mine except to say that it’s running on a LAMP stack...
posted @ Thursday, January 07, 2010 3:58 AM

If it is, you might want to reconsider how you’re handling security, acceleration, and delivery of your applications before users “go postal” because of poor application performance. Sometimes wisdom comes from the most unexpected places. Take Jason Rahm’s status update on Facebook over the holidays. He’s got what is likely a common complaint regarding the delivery model of the US postal service: the inefficiency of where postage due is determined. Everyone has certainly had the experience of sending out a letter (you know, those paper things) and having it returned a week or more later...
posted @ Wednesday, January 06, 2010 3:19 AM

We’ve been talking about “aligning IT with the business” since SOA first took legs but you rarely see CONCRETE EXAMPLES OF WHAT THAT REALLY MEANS. It sounds much more grand and lofty than it really is. To put it in layman’s terms, or at least take it out of marketing terms, aligning IT with the business is really nothing more than justifying or tying a particular IT investment or project to a specific business goal. What that means ultimately is that you, as an IT professional, must understand what those business goals are in the first place. Once...
posted @ Wednesday, December 30, 2009 5:11 AM

Here comes St. Beaker and Santa Cloud …
’Twas two weeks past deployment and all through the house
Echoed taps on a keyboard and clicks from a mouse
The apps were all running inside VMware
In hopes compute resources soon would they share.
The dashboard showed statuses green and not red
Our admins had thoughts of going home in their heads
The director was ready to call it a wrap and I began...
posted @ Wednesday, December 23, 2009 6:06 AM

An e-mail exchange with Kay Kinton, a spokesperson for Amazon, on the subject of Amazon and its recent run-in with the Zeus botnet controller, raised two very interesting and valid points. First, there is a fine balance that must be maintained by providers – cloud or traditional hosting – regarding the privacy of applications and data deployed by customers and monitoring/security. Second, Kay points out that it’s easier in the EC2 environment, at least, to disable botnets once they are discovered. The second point is one that appears on the surface to be true but I’m not entirely...
posted @ Friday, December 18, 2009 3:16 AM

Cloud computing environments are just as suited to illegitimate use as legitimate use. Do providers need a way to separate the chaff from the wheat to reassure enterprise-class customers that they’re doing everything they can to eliminate the hijacking of cloud computing resources for nefarious purposes? One of the negatives of being the technology darling du jour is that every misstep, problem, and outage is immediately jumped on and reported everywhere. Amazon is particularly susceptible to such coverage, being recognized as one of the leaders in public cloud computing. Last week Amazon suffered yet another outage, true, but...
posted @ Tuesday, December 15, 2009 3:42 AM

A recent tweet about a free, Linux-based XML Security suite reminded me that we do not opine on the subject of XML security and its importance enough. SOA has certainly been dethroned as the technology darling du jour by cloud computing and virtualization and with that forced abdication has unfortunately also come a reduction in the focus on XML and security. That’s particularly disturbing when you recognize that what’s replaced SOA – primarily WOA and RESTful APIs – exchange data primarily via one of two formats: XML and JSON. Whether you prefer one over the other is...
posted @ Friday, December 11, 2009 3:51 AM

Should the enterprise standardize on JSON or XML as their lingua franca for Web 2.0 integration? Or should they use both as best fits the application? The decision impacts more than just integration – it resounds across the entire infrastructure and impacts everything from security to performance to availability of those applications. One of the things a developer may or may not have control over when building enterprise applications is the format of the data used to communicate (integrate) with other applications. Increasingly services external to the enterprise are very Web 2.0 in that they provide HTTP-based APIs for...
posted @ Thursday, December 10, 2009 3:56 AM

The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.
Contingency
School of Magic: Evocation
Components: Somatic (requires gestures), Material (requires physical component)
Saving Throw: None
Spell Resistance: No
Through the use of the contingency spell, application delivery professionals can dictate the conditions...
posted @ Monday, December 07, 2009 3:37 AM

Certainly no one would seriously argue that web applications are fast enough for everyone. SPDY is one suggested solution, but what if we combine MapReduce and SPDY? Could we develop an architectural solution that leverages the best of SPDY without requiring entire infrastructure changes to support a new protocol? More than a couple of people have mentioned Map/Reduce as a means to achieve workload-level distribution of applications in a cloud computing environment. I hadn’t looked into Map/Reduce but finally decided that if that many very smart people were thinking it was a solution, I should look into it....
posted @ Wednesday, December 02, 2009 3:14 AM

Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting this criteria are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...
posted @ Monday, November 30, 2009 4:47 AM

With any luck I am already AFK for a visit with Don’s mother and his family for Thanksgiving. And I’m really (really, I swear) going to be AFK (away from keyboard) for the entire time. Really. I’m serious this time, stop looking at me like that. Ever heard of “pre-publishing?” So while I’m out, you might need something to read. And if so, you might want something you can read two or three times because, well, it was that entertaining. If that’s the case, I highly recommend you give “BSOFH: Catering to a niche...
posted @ Wednesday, November 25, 2009 8:53 AM

The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure.
Detect Invisible (Application) Stalkers
School of Magic: Abjuration (Protective Spells)
Components: Somatic (requires gestures), Material (requires physical component)
Casting Time: special
Range: Layers 3-7
Area: global
Duration: Until discharged ...
posted @ Monday, November 23, 2009 3:58 AM

Sometimes the best answer to a problem is to hit the reset button, but it should probably be the last answer, not the first. My cohort Pete Silva attended the 2009 Cloud Computing and Virtualization Conference & Expo and offered up a summary of one of the sessions he enjoyed (‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf)) in a recent post, “Virtualization is Real”:
One of the sessions I enjoyed was ‘Cloud Security - It's Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief...
posted @ Friday, November 20, 2009 4:15 AM

Whenever keys, certificates, and PKI enter into a security solution’s architecture the solution almost always becomes overly complex. DNSSEC is no exception, but it doesn’t have to be. DNS plays a role in every application on the Internet. It is the 411 of the Internet, essentially, without which the millions of users that don’t memorize the IP addresses associated with domain names would be utterly lost. But DNS is vulnerable to exploitation and has, in fact, been exploited in the past. Like any core infrastructure upon which we depend to conduct business, communicate, and generally entertain ourselves, it...
posted @ Wednesday, November 18, 2009 3:44 AM

Google’s desire to speed up the web via a new protocol is laudable, but the SPDY protocol would require massive changes across networks to support
ArsTechnica had an interesting article on one of Google’s latest projects, a new web protocol designed to replace HTTP called SPDY. SPDY uses a single SSL-encrypted session between a browser and a client, and then compresses all the request/response overhead. The requests, responses, and data are all put into frames that are multiplexed over the one connection. This makes it possible to send a higher-priority small file without...
posted @ Tuesday, November 17, 2009 4:20 AM

The question is whether that impact is positive (a reduction) or negative (an increase). One of the biggest threats to data integrity is the introduction of malicious content via SQLi (SQL Injection) attacks. Traditional database access methods don’t provide a lot in the way of validating requests and like HTML the vagaries of SQL allow for myriad ways in which a statement can be constructed – and thus exploited. These vagaries, of course, are one factor in the reason why SQLi continues to plague applications and sites driven by user generated content. Another factor is certainly...
posted @ Monday, November 16, 2009 4:52 AM

Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed.
Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution.
No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability...
posted @ Friday, November 06, 2009 12:30 PM

While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases.
A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. ...
posted @ Friday, November 06, 2009 3:43 AM

Brute force attacks by spammers seeking easy access causing frustration for users with no resolution in sight
At least once a day I see someone on Twitter broadcast that they have been “locked out of their Twitter account, temporarily.” A search for “locked out” returns thousands of tweets with a good mixture of some folks who’ve (amusingly) been locked out of apartments/houses/buildings and many that have been temporarily locked out of Twitter. The more technically savvy tweeters like Ray Valdes often mention that it is most likely the result of spammers and miscreants attempting to brute force their...
posted @ Thursday, November 05, 2009 3:27 AM

All the applause over Google’s Data Liberation Front announcement and blogs is making my head hurt. Or maybe that’s the lack of sleep. Either way, it’s disconcerting to me that so many bright people are choosing to make much of what is just a baby step – if that - toward a much larger, much more difficult goal. After all, data without an application to interpret and make use of it is about as useful as a Netbook without a network connection. There seems to suddenly be a lot of focus on “data” and the ability for...
posted @ Tuesday, October 20, 2009 3:14 AM

A lack of ability in the cloud to distinguish illegitimate from legitimate requests could lead to unanticipated costs in the wake of an attack. How do you put a price on uptime and more importantly, who should pay for it? A “Perfect Cloud”, in my opinion, would be one in which the cloud provider’s infrastructure intelligently manages availability and performance such that when it’s necessary new instances of an application are launched to ensure meeting the customer’s defined performance and availability thresholds. You know, on-demand scalability that requires no manual intervention. It just “happens” the way it should....
posted @ Friday, October 16, 2009 3:15 AM

Amazon’s ELB is an exciting mix of well-executed infrastructure 2.0 and the proper application of SOA, but it takes a lot of work to make anything infrastructure look that easy. The notion of Elastic Load Balancing, as recently brought to public attention by Amazon’s offering of the capability, is nothing new. The basic concept is pure Infrastructure 2.0 and the functionality offered via the API has long been available on several application delivery controllers for many years. In fact, looking through the options for Amazon’s offering leaves me feeling a bit, oh, 1999. As if load balancing hasn’t...
posted @ Thursday, October 15, 2009 3:50 AM

Malicious links served up in a browser are OS agnostic. They don’t care about the OS because the target is people, not technology. In response to the problem of links and trust put forth in a recent post a reader replies that the answer to “evil links” is simply to run Linux instead of Windows.
the very best solution is to run something other than windows, and with ubuntu at its current state of maturity (and free-ness), why wouldn't you?
I won’t disagree with the assessment of Ubuntu and its current...
posted @ Friday, October 02, 2009 5:04 AM

There are few things in reality that can match The Gazebo in its ability to evoke fear and suspicion amongst gamers. The links on your web site may be one of them. In the history of Dungeons and Dragons there exists the urban legend known to all as “The Gazebo.” The Gazebo, over the years, has become a gaming euphemism for a situation in which people over analyze and overestimate the risk involved with interacting with some “thing”. In the case of The Gazebo the “thing” was, as you might guess, a gazebo. Yes, a simple wooden...
posted @ Thursday, October 01, 2009 4:07 AM

If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions. There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security...
posted @ Monday, September 28, 2009 3:50 AM

Commoditized from solution to feature, from feature to function, load balancing is no longer a solution but rather a function of more advanced solutions that’s still an integral component for highly-available, fault-tolerant applications.
Unashamed Parody of Monty Python and the Holy Grail
Load balancers: I'm not dead.
The Market: 'Ere, it says it’s not dead.
Analysts: Yes it is.
Load balancers: I'm not.
The Market: It isn't.
Analysts: Well, it will be soon,...
posted @ Thursday, September 17, 2009 4:00 AM

Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security
A new law signed into effect in February 2009 requires that health care providers and organizations subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject. Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com...
posted @ Wednesday, September 09, 2009 3:24 AM

There is no reason in a modern web application for users to see a white error page
Sightings of the Twitter “fail whale” are, these days, fewer and far between. That’s a good thing. What’s interesting is that when it does show up, users are almost amused – as if they’re glad to see an old friend. I mean, come on; Twitter’s users named the whale, for crying out loud. How many of your users have a fan club for your error pages? Exactly. That’s the kind of reaction you want from HTTP errors but what you...
posted @ Thursday, September 03, 2009 2:52 AM

Why would miscreants bother with other routes when they can go straight to the source? People concerned with security of the cloud are generally worried about illegitimate access of the applications and data they may deploy in the cloud. That’s a valid concern given the needs of certain vertical industries to comply with privacy-focused regulations like HIPAA and PCI DSS. It’s an extremely valid concern given research and studies showing just how vulnerable most web sites and applications are. Hint: it’s more than you probably think it is, and it’s likely your application is vulnerable...
posted @ Tuesday, September 01, 2009 3:32 AM

Cloud changes how we deliver applications but we’re still delivering applications
With all the hype around cloud it’s easy to get caught up in deployment models and architectures and how much money it is/is not going to save us and, of course, with the cool factor that always surrounds such innovation. But when we get our heads too far up in the clouds we forget what we’re really doing: delivering applications. Whether it’s thin-client, fat-client, browser-based, client/server, three-tier, n-tier, traditional, .NET, Java EE, or cloud we are still all focused on the same goal: deliver an application. ...
posted @ Thursday, August 27, 2009 3:57 AM

Amazon EC2 and S3 are no more or less safe than they were last week despite hype around PCI compliance admission
The recent admission/announcement that “Amazon EC2 is not PCI compliant” (this is not exactly true, but we’ll get to that later) has set off a rush of blogs, articles, and tweets that say, in effect, EC2 is no longer “safe”. But a lack of compliance does not make Amazon any more or less safe than achieving PCI compliance makes a site more safe. Ladies and gentlemen of the Internet, I submit as proof the...
posted @ Tuesday, August 18, 2009 3:29 AM

Back when I was developing GIS data translation software I had to fight security all the time. My desktop was so locked down I couldn’t compile the code because I didn’t even have appropriate permission to access the file system. Why? The guy in charge of security was so paranoid about someone doing something they shouldn’t that he completely missed the other half of his responsibility: ensuring people had access to data and information and systems to which they legitimately had a need to access. The potential impact of a data/security breach is so high these days that...
posted @ Wednesday, August 12, 2009 3:45 AM

If they can take down Twitter via DNS, they can take your site, too.
Everyone is talking about the DoS (Denial of Service) attack on Twitter but most of them are missing what really happened. We’re so used to defending against HTTP-based DoS attacks that we’ve missed that it’s much easier to DoS a site based on the most critical piece of infrastructure on the Internet: DNS.
If you really wanted to take out a site like Twitter or Facebook using an HTTP-based DoS it would take a whole lot of serious traffic because those sites are designed and architected...
posted @ Thursday, August 06, 2009 2:40 PM

For some companies there’s never been a quantifiable financial impact from attacks. Cloud may change that. One of the frustrations with information security is that it’s always difficult – if not impossible – to quantify risk. Without the ability to quantify risk, it’s often the case that solutions that would mitigate the risk are left unimplemented because there’s no way to prove that the risk would turn into a breach, downtime, or other revenue impacting incident. Take the recent PayPal outage. Estimates are that the hour of downtime for the payment processing king might have...
posted @ Wednesday, August 05, 2009 3:37 AM

The importance of a full-proxy architecture to application delivery, security, cloud computing, and virtualization
People often describe the act of changing focus from one related but distinct task to another as “wearing two different hats.” Like moving from “developer” to “administrator” when you’re trying to deploy an application in a testing environment. You’re the developer, but then you have to “switch gears” and become a server administrator in order to ensure that the application server and its environment is configured properly before you can actually test the application you just wrote. But the metaphor...
posted @ Thursday, July 30, 2009 4:07 AM

Context, it’s always about context (or the lack thereof)
I received a call recently that most people have probably received: our banking institution just wanted to verify that yes, that was Don or I making purchases at midnight in Wisconsin and then later in Indiana and yet again that afternoon in Ohio. That’s a good thing, I’m sure, as they’re just trying to watch our back. But later in the day I tried to make a purchase and was, horror of horrors, denied. The bank, when called, seemed matter-of-fact about the situation. The security flag hadn’t been...
posted @ Wednesday, July 29, 2009 4:34 AM

Notice that isn’t a question, it’s a statement of fact
Twitter is having a bad month. After it was blamed, albeit incorrectly, for a breach leading to the disclosure of both personal and corporate information via Google’s GMail and Apps, its apparent willingness to allow anyone and everyone access to a .htaccess file ostensibly protecting search.twitter.com made the rounds via, ironically, Twitter. This vulnerability at first glance appears fairly innocuous, until you realize just how much information can be placed in an .htaccess file that could have been exposed by this technical configuration faux...
posted @ Tuesday, July 21, 2009 3:28 AM

The “replace” in “rip and replace” essentially means getting rid of old security problems and replacing them with new ones. Twittergate is (thankfully) behind us but it’s almost assuredly going to be the case that we’ll be rehashing this one for a while. This certainly isn’t the first time Twitter and security issues have clashed, and as in the past Twitter (and really any very public application in a similar situation) is the clear loser. And of course there comes the unsolicited advice offered regarding what Twitter needs to do to address its security issues. I am, of...
posted @ Monday, July 20, 2009 3:43 AM

Is ESB just an expensive integration hub or is there more to the story than we heard… In the beginning, the ESB (Enterprise Service Bus), was marketed as much more than an integration technology. While the core of an ESB is certainly about connectivity between services, there was – and still is – so much more to an ESB than just integrating disparate protocols and technologies. Transformation, parallel processing, content based routing, and service orchestration are among the more useful and beneficial capabilities of an ESB. That’s why it was somewhat surprising to see the CTO of...
posted @ Friday, July 17, 2009 3:26 AM

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.
THE E-MAIL FACTOR
What was compromised remains somewhat of a mystery. Following through the...
posted @ Thursday, July 16, 2009 2:58 AM

Apparently if you’re attending the USENIX Security conference (August 12-14, 2009, in Montreal, Canada) you can participate in the Security Grand Challenge. What is that, you ask? Here’s how the organizers describe it:
The concept is very simple. The participant teams will have to use their science and technical skill to create an environment where a server can function with integrity and minimum required service levels even when under attack. On the day of the competition, each participant team will receive a virtualized server, with a number of services. The services might...
posted @ Tuesday, July 14, 2009 2:59 AM

Without availability, scalability is irrelevant
I really enjoyed Jeff Atwood’s recent blog on Scaling Up vs Scaling Out, which includes a fairly detailed comparison of the costs associated with each approach to scalability. I enjoyed it because not only did it take into consideration the cost of hardware, but also remembered to include the cost of software licensing. And of course there’s the fact that Jeff’s site is focused on development and coding, and this discussion broadened the discussion into the realm of application networking – a demesne of which I am of course particularly fond. ...
posted @ Friday, July 10, 2009 3:38 AM

Smashing Magazine has a cool “cheat sheet” for those interested in the ongoing development of HTML 5. Of interest is what’s being excluded and what’s new, as well as the length of time it’s going to take before HTML 5 is completely supported: XHTML is dead, long live HTML 5! According to W3C News Archive, XHTML 2 working group is expected to stop work end of 2009 and W3C is planning to increase resources on HTML 5 instead. And even although HTML 5 won’t be completely supported until 2022, it doesn’t mean that it won’t...
posted @ Tuesday, July 07, 2009 4:06 AM
But browser support is only half the solution; don’t forget to implement the server side, too.
Clickjacking, unlike more well-known (and understood) web application vulnerabilities, has been given scant attention despite its risks and its usage. Earlier this year, for example, it was used as an attack on Twitter, but never really discussed as being a clickjacking attack. Maybe because aside from rewriting applications to prevent CSRF (adding nonces and validation of the same to every page) or adding framekillers there just haven’t been many other options to prevent the attack technique from being utilized against...
posted @ Tuesday, June 23, 2009 3:27 AM
The inclusion of a web server gives attackers clear line-of-sight to their targets
There have been a few articles on Opera Unite that have called into question the security of the decision to include a web server with the browser. Most of those discussions have centered around the ability to muck with files not intended by the host to be shared, but given current infection techniques there’s a far greater danger to Opera: mass injection attacks. As is often pointed out, current attack techniques are not necessarily targeting web sites per se, but are intended to infect...
posted @ Friday, June 19, 2009 3:56 AM
One of the tasks of an enterprise architect is to design a framework atop which developers can implement and deploy applications consistently and easily. The consistency is important for internal business continuity and reuse; common objects, operations, and processes can be reused across applications to make development and integration with other applications and systems easier. Architects also often decide where functionality resides and design the base application infrastructure framework. Application server, identity management, messaging, and integration are all often a part of such architecture designs. Rarely does the architect concern him/herself with the network infrastructure, as that is...
posted @ Wednesday, June 17, 2009 4:07 AM
I’m heading out today for a little time off and so you’ll have to make do the rest of the week without any (new) words of wisdom from me. I know, try to pull yourself together. You’ll live, really, and I’ll be back Monday with something interesting, promise. While I’m out, you might consider checking out some of the blogs I follow myself on a regular basis. They’re always full of interesting tidbits and stories and wisdom on a variety of subjects, and if you don’t follow them yourself you might find something interesting in them. ...
posted @ Wednesday, June 10, 2009 4:25 AM
An interesting thing happened on the way to testing that application from the cloud. We broke the innertubes!
Pros and Cons of Application Testing in the Cloud
A firm wanted to test their application and needed 100 browser instances. In the old days it would have required 100 machines -- that would be a massive undertaking. Even with hardware virtualization, you would need 5 to 10 machines, and there would be some complex configuration issues. However, by putting it all in the cloud, they were able to sync up 100 virtual instances of the browsers and take them down over...
posted @ Wednesday, June 10, 2009 3:24 AM
If you haven’t got your (applications’) health, then you haven’t got anything
If you happen to be unlucky enough to suffer from Celiac disease - gluten intolerance (wheat, barley, oats, rye) - then you know how important it is to keep gluten out of your diet. If you don’t know, let’s just say that you have to keep even trace amounts of gluten out of your diet lest you suffer the consequences, which can be different from person to person, but none are pleasant. You feed off food; applications feed off requests and responses. Like those who...
posted @ Friday, June 05, 2009 4:08 AM
Attackers say, we can go where we want to; we can leave our code behind…
There’s probably a raid going on right now in Naxxramas and the attackers are almost certainly doing the Safety Dance. They probably learned the Safety Dance the same way I learned about it; from someone well-versed in its intricate steps. See, if you don’t know the Safety Dance and you come up against Heigan the Unclean, well… he’s not called Heigan the Unclean for nothing. You will not survive. Not even if you happen to have a Holocaust Cloak at...
posted @ Wednesday, June 03, 2009 3:58 AM
There is a tendency to describe every device on a network as simply “the network” regardless of whether that device is dedicated to security, or application delivery (layer 4-7), or actual network (layer 2-3) functionality. It’s an artifact of aging data center architecture models that there exists an artificial line of demarcation between web and application servers and everything else. We used to depict “everything else” as a cloud, but with the emergence of The Cloud doing so simply complicates discussions even further because the “network” necessary to support a dynamic, on-demand operational model of computing like “cloud” is more...
posted @ Friday, May 29, 2009 3:49 AM
It certainly sounds reasonable: networks are moving toward a perimeter-less model so the line between internal and external network is blurring. The introduction of cloud computing as overdraft protection (cloud-bursting) further blurs that perimeter such that it’s more a suggestion than a rule. That makes the idea of encrypting everything whether it’s on the internal or external network seem to be a reasonable one. Or does it?
THE IMPACT ON OPERATIONS
A recent post posits that PCI Standard or Not, Encrypting Internal Network Traffic is a Good Thing....
posted @ Thursday, May 28, 2009 4:02 AM
Let me ‘splain. No, there is too much. Let me sum up… This week has been full of interesting announcements:
Microsoft warns of new server vulnerability
McAfee blasted for having holes in its Web sites
‘Gumblar’ attacks spreading quickly
There just aren’t enough words. But as they say, a picture is worth at least a thousand words, so I give you a pictorial response to this week’s interesting security happenings. ...
posted @ Thursday, May 21, 2009 4:22 PM
Greedy algorithms can result in the right solution in the end, but rarely do
Don and I were having a discussion with our oldest son the other night about writing a chess program. There are myriad options for implementing the learning aspects of a chess program, but this is not a task for the timid. He ended up proposing a much simpler solution (this was just an exercise in ‘can I write it’, after all) that would have essentially used a very greedy algorithm; one that made a decision regarding the computer’s next move based on the current state of...
posted @ Monday, May 18, 2009 3:16 AM
Risks with virtualization are the same as it ever was, but different
Hoff makes a good point about cloud security last month in his “The Cloud is a Fickle Mistress: DDoS&M” which was, if I may quote, “it’s the oldies and goodies that will come back to haunt us.” In other words, it’s the well-known, well-understood protocol-based attacks of uncloud computing that will be problematic for cloud computing. Security in virtualized environments and “the cloud” is indeed the “same as it ever was.” And yet it’s different, too.
COLLATERAL DAMAGE
While it’s...
posted @ Tuesday, May 12, 2009 3:45 AM
Why architecture matters not only to security but to the future of cloud computing
It seems the phrase “in the cloud”, sadly, has become a marketing-hyped euphemism for “the Internet.” I say sadly because the use of cloud to refer to every and any service delivered over the Internet dirties up the cloud. It obscures the intent of cloud computing and makes it difficult for technologists in the trenches to get a handle on how cloud – both external and internal – can provide benefits and solutions to problems they have right now. The very loose use of the...
posted @ Monday, May 11, 2009 3:38 AM
Now I lay me down to sleep
I pray that safe my apps will keep
If hacked they be before I wake
I pray it was a (DEV || OPS) mistake
posted @ Thursday, May 07, 2009 9:40 AM
Don’t confuse computing services with infrastructure services. We aren’t there yet.
The subtext to the cloud computing discussion is subtle, as is the wont of subtext. But it is clear that underlying all the concerns about cloud computing is a common theme: control. Whether we’re talking about reliability or security, it should be obvious if you’re reading between and beneath the lines that the biggest stumbling block to massive cloud adoption is the issue of control. There is a very real difference between on-demand computing and on-demand infrastructure. What the cloud provides now, and is described...
posted @ Thursday, May 07, 2009 3:11 AM
If you’ve ever played Dungeons & Dragons for an extended period of time (a campaign, in the vernacular) you know that of all the classes available the cleric is the least likely to be chosen willingly. The cleric class is much like the kid picked last in kickball, chosen only because you have to, not because you want to. Okay, bard may actually be less likely but cleric is really, really close and you need a cleric, you don’t necessarily need a bard. The problem is that clerics can be somewhat dull to play but...
posted @ Tuesday, May 05, 2009 3:38 AM
Hint: It doesn’t actually have much to do with technology or products
In case you hadn’t heard, a startup called Panda Security has introduced a cloud-based anti-virus offering. This set off a raft of articles and blogs discussing the solution itself and what it means, and some questioned whether ‘anti-virus’ even meant ‘security’ in the first place. But I’m not interested in that discussion except to say that folks need to be more careful about distinguishing “cloud security” from “cloud-based security”. The former is about securing the cloud and its infrastructure, the latter about services hosted...
posted @ Monday, May 04, 2009 3:37 AM
You can’t afford not to invest in technologies that leverage virtualization to improve data center efficiency
There’s an old adage that says you have to spend money to make money. In the data center these days this is more true than ever. You have to invest in technology capable of making your data center more efficient in order to make (save) money. A recent Robert Half Technology survey of 1400 CIOs indicates that data center efficiency and virtualization are top priorities. CIOs were asked, "Which areas, if any, will your IT department be investing...
posted @ Tuesday, April 28, 2009 3:00 AM
How to defeat the ancient Jedi mind trick known as HTTP Request Smuggling.
HTTP Request Smuggling (HRS) is not a new technique; it's been around since 2005. It takes advantage of architectures where one or more intermediaries (proxies) are deployed between the client and the server. HRS can be used to poison web caches and bypass security solutions such as web application firewalls, as well as for the delivery of malicious payloads such as worms, viruses, and those used to exploit known vulnerabilities in web and application servers. The good news is that to exploit HRS,...
posted @ Thursday, April 23, 2009 3:39 AM
What is this application delivery thing that everyone keeps telling me I need? Isn’t that just the latest marketing term for load balancing?
A recently released Forrester report concludes that “firms must develop an integrated strategy for application delivery.” We don’t disagree with that, or with the Gartner report claiming that “Load Balancing is Dead, Time to Focus on Application Delivery.” Application delivery is the next step in the logical evolutionary path from the tactical solution of load balancing to a comprehensive application infrastructure strategy. Forrester’s research indicates that despite the fact that application...
posted @ Monday, April 20, 2009 3:40 AM
Open Source SSL Accelerator solution not as cost effective or well-performing as you think
o3 Magazine has a write-up on building an SSL accelerator out of Open Source components. It’s a compelling piece, to be sure, that was picked up by Slashdot and discussed extensively. If o3 had stuck to its original goal – building an SSL accelerator on the cheap – it might have had better luck making its arguments. But it wanted to compare an Open Source solution to a commercial solution. That makes sense; the author was trying to show value in...
posted @ Friday, April 17, 2009 4:56 AM
Collaborating automatically via Web 2.0 APIs is a beautiful thing. I can update status on Twitter and it will automagically propagate to any number of social networking sites: Facebook. FriendFeed. MySpace. LinkedIn. If I had to do it all manually, I wouldn’t. But the automation of sharing, i.e. collaboration, between Web 2.0 social networking sites made possible by open APIs is just too easy to pass up.
The danger is, of course, that a single malicious message can just as quickly propagate through that same social network. The power of the API can quickly be turned against us.
A...
posted @ Monday, April 13, 2009 4:05 AM
Those who cannot remember the past are condemned to repeat it.
George Santayana, The Life of Reason, Volume 1, 1905
US (Spanish-born) philosopher (1863 - 1952)
This oft-repeated quote needs to be tweaked just a bit to be more applicable to web application security: Those who choose to ignore the past in favor of convenience are condemned to repeat it. Just how many times do developers have to “hack” a protocol that eventually becomes a wide-open hole through which even a blind miscreant...
posted @ Tuesday, April 07, 2009 9:25 AM
Everyone wants web sites and applications to load faster, and there’s no shortage of folks out there looking for ways to do just that. But all that glitters is not gold, and not all acceleration techniques actually do all that much to accelerate the delivery of web sites and applications. Worse, some actually incur risk in the form of leaving servers open to exploitation.
A BRIEF HISTORY
Back in the day when HTTP was still evolving, someone came up with the concept of persistent connections. See, in ancient times – when administrators still wore togas in...
posted @ Thursday, April 02, 2009 3:30 AM
Are you protecting your Web 2.0 APIs?
As Web 2.0 applications continue to expand from connected to collaborative via the extensive use of APIs, it behooves developers and security professionals alike to consider the ramifications of providing this necessary yet dangerous avenue of entry into their application infrastructure. Too many discussions around web application security are focused on the user-facing web interfaces and ignore the potentially more dangerous collaboration-focused interfaces that make up the API. What makes them more dangerous is that they almost always offer an XML exchange format, but it is rare that...
posted @ Wednesday, April 01, 2009 3:46 AM
Keep in mind that the time it takes a human being to blink is an average of 300 – 400 milliseconds.
I just got back from Houston where I helped present on F5’s integration with web application security vendor White Hat, a.k.a. virtual patching. As almost always happens whenever anyone mentions the term web application firewall, the question of performance degradation was raised. To be precise: How much will a web application firewall degrade performance? Not will it, but how much will it, degrade performance. My question back to those of you with the same...
posted @ Monday, March 30, 2009 3:21 AM
If you do, you may find you’ll come out with a more effective security strategy
Michael Santarcangelo shows why he’s known as a “human catalyst” with his strategy-focused effort to change the way we deal with security, Into the Breach. Michael’s basic premise is that a breach is a symptom of a larger problem and not the actual problem itself. Unlike most security-focused discussions today he tackles not the issue of electronic data and disclosure but the larger, more often ignored problem of low-tech breaches caused (often unintentionally) by people. Soylent security. It’s people,...
posted @ Thursday, March 26, 2009 3:58 PM
One of the greatest strengths of the Cloud is that, like the Internet, it knows no boundaries. It crosses industry and international boundaries as if they do not exist. But as is often the case, your greatest strength can also be your greatest weakness. Take Google, for example, and its myriad Cloud-based application offerings. A new complaint made by EPIC (Electronic Privacy Information Center) to the US Federal Trade Commission urges the regulatory agency to “consider shutting down Google’s services until it establishes safeguards for protecting confidential information.” From a recent FT.com article: ...
posted @ Thursday, March 26, 2009 5:47 AM
Ah, those were the days, weren’t they? When improving the security, reliability, and performance of applications over the LAN, over the WAN, and over the Internet meant you had to deploy many different solutions, each one standing on their own in the data center. When you had to learn how to configure and manage as many devices as you have fingers just to deliver a single business-critical application to users and customers across a wide variety of environments. When there really wasn’t an option because solutions weren’t unified, weren’t contextually aware, and were basically just a bunch of point solutions...
posted @ Monday, March 23, 2009 3:21 AM
Ah, those were the days, weren’t they? When you needed a way to add security at several layers to your network and application network infrastructure but knew that implementing a solution capable of securing those pesky applications was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense...
posted @ Monday, March 16, 2009 3:39 AM
Mike Fratto loves to tweak my nose about web application security. He’s been doing it for years, so it’s (d)evolved to a pretty standard set of arguments. But after he tweaked the debate again in a tweet, I got to thinking that part of the problem is the definition of web application security itself. Web application security is almost always about the application (I know, duh! but bear with me) and therefore about the developer and secure coding. Most of the programmatic errors that lead to vulnerabilities and subsequently exploitation can be traced to a lack of secure...
posted @ Wednesday, March 11, 2009 3:21 AM
Ah, those were the days, weren’t they? When you needed a way to inspect data at the edge for application-specific issues but knew that implementing a solution capable of that kind of agility was more than likely going to end up with poor performance and angry users. When you needed to add something to secure applications and the network against the growing wave of attacks but knew that doing so would negatively impact performance. It was a tough choice, and most people ended up going the route of maintaining application performance at the expense of security and optimization...
posted @ Monday, March 09, 2009 4:30 AM
One of the ways miscreants locate targets for mass SQL injection attacks that can leave your applications and data tainted with malware and malicious scripts is to simply seek out sites based on file extensions. Attackers know that .ASP and .PHP files are more often than not vulnerable to SQL injection attacks, and thus use Google and other search engines to seek out these target-rich environments by extension. Using a non-standard extension will not eliminate the risk of being targeted by a mass SQL injection attack, but it can significantly reduce the possibility because your site will automatically turn...
posted @ Thursday, March 05, 2009 3:46 AM
Owning the stack is important to security, but it’s also integral to a lot of other application delivery functions. And in some cases, it’s downright necessary.
Hoff rants with his usual finesse in a recent posting with which I could not agree more. Not only does he point out the wrongness of equating SaaS with “The Cloud”, but he points out the importance of “owning the stack” to security. Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings. Why? Because they...
posted @ Wednesday, February 25, 2009 3:13 AM
When folks are asked to define the cloud they invariably, somewhere in the definition, bring up the point that “users shouldn’t care” about the actual implementation. When asked to diagram a cloud environment we end up with two clouds: one representing the “big cloud” and one inside the cloud, representing the infrastructure we aren’t supposed to care about, usually with some pretty graphics representing applications being delivered out of the cloud over the Internet. But yet some of us need to care what’s obscured; the folks tasked with building out a cloud environment need to know what’s...
posted @ Wednesday, February 18, 2009 4:14 AM
The year 2009 may be remembered as the year technologies died. First Anne Thomas Manes of Burton Group declared SOA dead, and more recently Mark Fabbi of Gartner announced the death of load balancers. The difference in the obituaries is striking: Manes declares an entire architectural model dead while Fabbi merely declares the death of a product, not the technological concepts behind it. Load balancers may be dead, but the concept of load balancing lives on as a critical foundation for more advanced and valuable features available in the load balancer’s evolutionary replacement: the application delivery controller. Where Manes gives...
posted @ Monday, February 16, 2009 5:10 AM
One of the negatives of providing a solution is that it necessarily assumes there is a problem. That’s actually a fair assumption in the technology world, as problems seem to abound with no end in sight. What it also does, unfortunately, is lead to a culture within IT that is more tactical than strategic. Because IT is almost always trying to put out one fire or another, they rarely have time to think – and plan – ahead. Honestly, that’s the responsibility of directors and C-level executives, anyway. It’s their responsibility to look ahead not just months...
posted @ Thursday, February 12, 2009 3:41 AM
The issue of application state and connection management is one often discussed in the context of cloud computing and virtualized architectures. That's because the stress placed on existing static infrastructure due to the potentially rapid rate of change associated with dynamic application provisioning is enormous and, as is often pointed out, existing "infrastructure 1.0" systems are generally incapable of reacting in a timely fashion to such changes occurring in real-time. The most basic of concerns continues to revolve around IP address management. This is a favorite topic of Greg Ness at Infrastructure 2.0 and has been subsequently addressed...
posted @ Tuesday, February 10, 2009 7:59 AM
While the vast majority of folks are still debating what is or is not "cloud computing", there are already groups trying to get ahead of the curve by focusing on broader issues such as interoperability and portability. Indeed, by addressing the potential pitfalls associated with portability across cloud implementations now rather than later, it is hoped that there won't be as many problems when it does finally become an issue. There is a very real danger, however, that cloud interoperability and portability specifications will fail to address the very real need to include all the relevant application and...
posted @ Friday, February 06, 2009 4:39 AM
You're standing in line at the bank when someone walks in. You instinctively look around and notice the newcomer is wearing sunglasses, and a hooded sweatshirt. His hands are both inside the pockets of his sweatshirt, even though it's warm inside. He chooses a line, and dances nervously from foot to foot, craning his neck to see to the front of the line. After a few minutes he leaves the line and chooses a new one, growing increasingly agitated at the wait. He keeps looking from the clock to the line to the tellers, and appears to be wringing his...
posted @ Tuesday, February 03, 2009 4:01 AM
The webification of applications over the years has led to the belief that client-server as an architecture is dying. But very few beliefs about architecture have been further from the truth. The belief that client-server was dying - or at least falling out of favor - was primarily due to the fact that early browser technology was used only as a presentation mechanism. The browser did not execute application logic, did not participate in application logic, and acted more or less like a television: smart enough to know how to display data but not smart enough to do anything...
posted @ Monday, February 02, 2009 4:38 AM
Open APIs are a matter of much discussion these days in the realm of cloud computing. Just take a peek at the discussion that occurred via Twitter during Cloud Connect. Many folks were not shy in putting forth the notion that cloud portability and interoperability can only be achieved through accepted "cloud" standards. Integration standards, for the cloud, if you will. The fear is that any emerging standards will focus only on the portability of the application or virtual container environment. They are likely to ignore the fact that no application is an island, and that the application delivery...
posted @ Monday, January 26, 2009 3:40 AM
If you've taken the time to read over the "Top 25 Most Dangerous Programming Errors" published by SANS recently, you may (or may not) have noticed that CWE-319 is an anomaly, and should be easily picked out by developers and security professionals in a game called "which one of these is not like the other".
CWE-319
If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many different nodes in transit to its final destination. Attackers can sniff this...
posted @ Monday, January 19, 2009 3:57 AM
Zero-day IE exploits and general mass SQL injection attacks often overshadow potentially more dangerous exploits targeting lesser known applications and attack vectors. These exploits are potentially more dangerous because once proven through a successful attack on these lesser known applications they can rapidly be adapted to exploit more common web applications, and no one is specifically concentrating on preventing them because they're, well, not so obvious.
Recently, SANS Internet Storm Center featured a write up on attempts to exploit Roundcube Webmail via the HTTP Accept header. Such an attack is generally focused on exploitation of operating system, language, or environmental...
posted @ Thursday, January 15, 2009 9:12 AM
Everyone is buzzing and tweeting about the SANS Institute CWE/SANS Top 25 Most Dangerous Programming Errors, many heralding its release as the dawning of a new age in secure software. Indeed, it's already changing purchasing requirements. Byron Acohido reports that the Department of Defense is leading the way by "accepting only software tested and certified against the Top 25 flaws." Some have begun speculating that this list obviates the need for web application firewalls (WAF). After all, if applications are secured against these vulnerabilities, there's no need for an additional layer of security. Or is there? ...
posted @ Wednesday, January 14, 2009 4:22 AM
One of the reasons behind some folks pushing for infrastructure as virtual appliances is the on-demand nature of a virtualized environment. When network and application delivery infrastructure hits capacity in terms of throughput - regardless of the layer of the application stack at which it happens - it's frustrating to think you might need to upgrade the hardware rather than just add more compute power via a virtual image. The truth is that this makes sense. The infrastructure supporting a virtualized environment should be elastic. It should be able to dynamically expand without requiring a new network architecture,...
posted @ Tuesday, January 13, 2009 4:15 AM
Over the holidays Marcin @ tssci security offered up a python script for brute forcing the HTTP OPTIONS on directories. One of the reasons someone would want this information is because if you're (accidentally, of course) allowing PUT methods on any directories, someone can upload something nasty and potentially execute an attack. The availability of PUT makes XSS attacks simple even for script kiddies, for example. There may be legitimate reasons for enabling PUT on your servers, but you don't necessarily want the whole world to know that - just the applications that need the functionality....
posted @ Monday, January 05, 2009 5:58 AM
VM sprawl is predicted to be one of the outcomes of early adoption and excitement over virtualization. Just as IT struggled to manage the explosion of PCs and servers across the enterprise, it is predicted that now it will need to find a way to manage the explosion of virtual machines as they pop up all over the enterprise with surprising alacrity. Part of the difficulty in managing new technology is the rogue deployment of X. Whether that's physical or virtual servers is irrelevant, the challenges associated with managing what are essentially unmanaged applications and servers deployed outside...
posted @ Friday, December 19, 2008 7:10 AM
The INTERNET, December 18, 2008 - In what is certainly a blinding epiphany for some it was suddenly realized today that some applications are not well suited for deployment in a public cloud computing environment. With all the hype surrounding cloud computing these days it is easy to forget that there's more to enterprise applications than just some code and a database. It is a rare application that is an island in the data center, and the more integrated with other systems a given application is the less likely it is that the application will be well suited...
posted @ Thursday, December 18, 2008 4:14 AM
When an application is deployed into a high-availability production environment there are a number of interesting infrastructure-related things that need to happen. The application delivery controller (ADC) needs to be configured, DNS entries updated, storage allocated, and all the other associated network infrastructure must be prepared to handle the delivery of the new application. We have a BIG-IP. Do I have to talk to the network guys?? ...
posted @ Tuesday, December 16, 2008 5:55 AM
You may recall a recent overview on network-side scripting that described a few uses of this technology integrated with application delivery controllers. With thousands of examples of the uses of network-side scripting it's hard to choose just one to adequately represent its potential. Luckily, we don't have to stick to just one. Viva la Internet! Based on the technical session the great network-side scripting guru Colin and I ran at SD Best Practices in October, I've pulled nine ways to use network-side scripting that can enhance the scalability, security, and performance of web applications into a presentation for...
posted @ Thursday, December 11, 2008 4:04 AM
As an application delivery solution provider focused on securing, accelerating, and optimizing web applications, we pay a lot of attention to web application development trends. Languages, environments, and technologies are all of significant interest because in many cases the decisions regarding development affect the security and performance of applications deployed in production. AJAX-based applications, for example, can have a significant impact on performance of the application and on the network (and vice-versa), so we pay attention to its adoption and use and are always looking for new ways to secure and accelerate applications using the technology. ...
posted @ Wednesday, December 10, 2008 4:35 AM |
|
 |
In the face of a recession everyone, individuals and organizations alike, begin scaling back spending. The first thing to go is luxury items; after all, you probably didn't need that big screen TV for Christmas, and the kids will likely be just as happy with used video games as they would with new ones. IT departments quickly scale back as well, putting off larger, more costly projects that aren't critical to the core business and re-evaluating much of their infrastructure in an attempt to cut costs and reduce the impact of the hardware and software costs of running...
posted @ Monday, December 08, 2008 3:52 AM |
|
 |
Christofer Hoff, better known as @Beaker to the Twitterverse, put on his devil's advocacy hat (yes, it really is a good color for him) yesterday and questioned whether there was a need for hardware application delivery solutions in the cloud. He postulated via Twitter that application delivery functions would become part of the cloud fabric and thus whether they were implemented in hardware or software was largely irrelevant. Generally speaking we're in agreement on that one. But then he really put that devil's advocacy hat to work and suggested that the application delivery control layer might be virtualized and...
posted @ Tuesday, December 02, 2008 7:15 AM |
|
 |
Thanks to a tweet from @Archimedius, I found an insightful blog post from cloud computing provider startup Kaavo that essentially makes the case for a move to application-centric management rather than the traditional infrastructure-centric systems on which we've always relied. We need to have an application-centric approach for deploying, managing, and monitoring applications. Software which can provision optimal virtual server, network, and storage (storage, CPU, bandwidth, memory, etc.) resources on demand and provide automation and ease of use to application owners to easily and securely run and maintain their applications will be critical for the...
posted @ Monday, December 01, 2008 2:59 AM |
|
 |
While I was at SD Best Practices in Boston last month I got to talk to a lot of engineers, developers, and architects about their environments and about what F5 does for application delivery. One of the developers glibly told me he wasn't sure we could help him out because his environment was the international space station. Yeah, how cool is that? Now that's cloud computing. Another architect, who turned out to be a friend of a friend whom I've conversed with but never met in person, said the same thing, but...
posted @ Friday, November 14, 2008 3:08 AM |
|
 |
Many people are concerned with virtualization security (already coined VirtSec), and they're applying that concern from the virtual images all the way down the stack, to the network infrastructure through which virtualized application traffic is delivered. The desire for network infrastructure to be itself virtualized is growing out of a perceived need to isolate application traffic at every point in the infrastructure. But the technology to isolate application traffic at layers 2 and 3 of the infrastructure already exists, and has been essentially virtualized for years (VLANs at layer 2, VRFs and route domains at layer 3).
The sudden desire for everything in the infrastructure to be virtualized completely is born...
posted @ Friday, November 07, 2008 6:33 AM |
|
 |
One password to fool them all One password to find them One password to steal them all and in the ether become them [with many apologies to J.R.R. Tolkien] For years we've had it beat into...
posted @ Monday, October 20, 2008 4:02 AM |
|
 |
Not every infrastructure vendor needs new capabilities to support cloud computing and infrastructure 2.0. Greg Ness of Infoblox has an excellent article on "The Next Tech Boom: Infrastructure 2.0" that is showing up everywhere. That's because it raises some interesting questions and points out some real problems that will need to be addressed as we move further into cloud computing and virtualized environments. What is really interesting, however, is the fact that some infrastructure vendors are already there and have been for quite some time. One thing Greg mentions that's not quite accurate (at least...
posted @ Friday, October 17, 2008 3:58 AM |
|
 |
One of the most dangerous threats to data security is also one of the least talked about: employees. Are Twitter and other microblogging sites yet another avenue through which sensitive data can leak out of the corporate database and into the hands of ... anyone? Perhaps more worrisome, what information are you giving away simply by being a part of the community? Of course Twitter is a potential threat. Like personal e-mail accounts and instant messaging, Twitter and sites of its ilk are primarily messaging mechanisms, which translates into personal channels for exporting sensitive data outside the...
posted @ Thursday, October 16, 2008 4:00 AM |
|
 |
Silverlight, if you recall, appears to be Microsoft's answer to Adobe's AIR platform. Microsoft released Silverlight 2.0 today, as expected. Part of the big exciting news is that you can now code up Silverlight applications in Eclipse. Yeah, not kidding. I know, you just hit weather.com too and checked to see what the temperature was. But seriously, Microsoft is fully supportive of the Eclipse environment for Silverlight despite its own support with its own free tool, Visual Web Developer Express. I haven't checked out the Eclipse version yet, so I'll be interested to see it and hear how...
posted @ Tuesday, October 14, 2008 1:19 PM |
|
 |
Everybody is jumping on the data center consolidation bandwagon again. It never really went away, it just took a leisurely Sunday drive through the countryside for a few years before turning back up on the streets of busy data centers everywhere.
This time, it's virtualization that's driving consolidation, and this time it appears that the movement may actually have a better chance at...
posted @ Monday, October 13, 2008 4:16 AM |
|
 |
I was reading an interesting article on the return on investment for WAN optimization solutions, as discussed by analyst research firm Aberdeen, and decided to download the complimentary copy of the report. This report was displayed in Macromedia FlashPaper rather than offered as a PDF download, as reports generally are, so it was not easy to share with friends. However, there was a nice "e-mail to a friend" link, so I clicked on it, thinking of the many folks I know who might be interested in this report. The next thing I know my screen is screaming at me with a warning about malicious content...
posted @ Friday, October 10, 2008 6:00 AM |
|
 |
After having recently discussed all the different kinds of proxies that exist, it occurred to me that it might be nice to provide some examples of what you can do with proxies besides the obvious web filtering scenario. This is by no means an exhaustive list, but is provided to show some of the more common (and cool, I think) uses of proxies. What's really awesome is that while some of these uses are available with only one type of proxy (reverse or forward), a full proxy can provide all these uses, and more, in a single, unified...
posted @ Wednesday, October 08, 2008 4:27 AM |
|
 |
In the good old days when I was in college I had a generic PC. That's the way we did it back then - we built our PCs out of parts (obligatory "you kids don't know how good you have it these days" look). On that PC was something you don't often see today: a small toggle switch that changed the processor clock rate from 4 to 7 MHz. That's right, I said MHz. Not GHz. That was not that long ago in real years, but in technological years it's been a lifetime. As Moore's law correctly predicts,...
posted @ Tuesday, October 07, 2008 4:10 AM |
|
 |
For the past eight years I've been telecommuting, first for Network Computing Magazine and now for F5. In fact, Don and I have been telecommuters (or teleworkers, depending on whom you ask) for so long that our children don't realize that most people actually have to get dressed and go to work on a daily basis. Granted, that's because we happen to live (and want to stay) in that great technological mecca of the midwest (Green Bay) even though F5 is headquartered in Seattle, but F5 being the best high-tech company in the Pacific Northwest (really, I'm not just saying...
posted @ Monday, October 06, 2008 12:54 PM |
|
 |
I read about a "new" TCP flaw that, according to C|Net News, puts Web sites at risk. There is very little technical information available; the researchers who discovered this tasty TCP tidbit canceled a conference talk on the subject and have been sketchy about the details of the flaw when talking publicly. So I did some digging and ran into a...
posted @ Friday, October 03, 2008 5:06 AM |
|
 |
At Interop this week, security experts have begun beating the drum regarding the security risks of virtualization and reminding us that virtual server sprawl magnifies that risk because, well, there are more virtual servers to manage and therefore more at risk.
Virtual sprawl isn't defined by numbers; it's defined as the proliferation of virtual machines without adequate IT control, [David] Lynch said.
That's good, because the numbers as often cited just don't add up. A NetworkWorld article in December 2007 cited two different sets of numbers from Forrester Research on the implementation of virtualization in surveyed organizations.
First we are told that:...
posted @ Wednesday, October 01, 2008 3:43 AM |
|
 |
Pet peeve time: screaming technical inaccuracies in blog posts do a huge disservice to the root problem being discussed. If you're going to discuss hijacking DNS errors for the purposes of advertising, then please do so - don't call them DNS "error pages" (there are no such things) or refer to them as "404 errors". 404 is an HTTP status code indicating that the requested resource cannot be found. It is in no way related to DNS and, in fact, such an error code cannot be returned without a successful DNS lookup, which means there's no hijacking...
posted @ Tuesday, September 30, 2008 8:19 AM |
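The distinction above (an NXDOMAIN is a DNS outcome, a 404 is an HTTP status that can only exist after a successful lookup) is also the basis of a practical check for the hijacking the post is about. The following is an added example, not code from the original post: it resolves names that cannot exist and reports a resolver that answers anyway. The probe zone, the offline stand-in resolvers and their addresses are constructed for the example.

```python
"""Detect a resolver that rewrites DNS errors (NXDOMAIN) into an address.
Added example, not part of the original post. A name that cannot exist
must fail to resolve (socket.gaierror here); a resolver that returns an
address for it is substituting its own page for the DNS error."""
import secrets
import socket


def probe_name(zone="com"):
    """A random label nobody has registered, e.g. nx-<16 hex chars>.com.
    The zone is an assumption for the example; use one your resolver
    actually forwards upstream rather than answers from local data."""
    return f"nx-{secrets.token_hex(8)}.{zone}"


def system_resolver(name):
    """Resolve through the operating system. Returns the address list, or
    raises socket.gaierror when the name does not exist."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, 80)})


def detect_nxdomain_hijack(resolve=system_resolver, probes=3, zone="com"):
    """Look up several impossible names. Every lookup should fail; any
    answer at all means the resolver rewrites NXDOMAIN. Returns
    (hijacked, addresses) so the operator can see where failed lookups
    are being steered."""
    answers = set()
    for _ in range(probes):
        try:
            answers.update(resolve(probe_name(zone)))
        except socket.gaierror:
            continue            # the honest outcome: the error reaches the client
    return bool(answers), answers


# Constructed stand-ins for the two kinds of resolver so the check runs offline.
def honest_resolver(name):
    raise socket.gaierror(-2, "Name or service not known")


def advertising_resolver(name):
    return ["198.51.100.7"]     # the "search assistance" page every typo lands on


if __name__ == "__main__":
    print(detect_nxdomain_hijack())   # runs against the real system resolver
```

Note what the hijacked client actually sees: a TCP connection to the substituted address and an HTTP 200 carrying advertising, never a 404. The 404 that gets blamed in the blog posts the author is complaining about cannot occur on this path at all, because it would require the original name to have resolved.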
|
 |
One of the arguments against the deployment of web application firewalls (WAF) is that it takes time to configure these devices to fit each individual environment. This is allegedly one of the reasons that secure coding is preferred over security devices. But it takes time to code solutions and deploy them, too. In fact, depending on the lifecycle management at any given organization, it can take more time to code a solution and get it moved through a phased environment into production. One of the benefits of an application delivery platform and web application security deployed at...
posted @ Monday, September 29, 2008 4:38 AM |
|
 |
Sometimes IT folks are tasked with coming up with the justification for purchasing technology. It's not an enjoyable task, and considering the incredible difficulty in trying to pin dollar values on soft factors like increased productivity and an improved user experience the chore can be quite painful. Technology that's become commoditized generally doesn't require ROI justification; when is the last time you were asked what the return...
posted @ Monday, September 22, 2008 4:44 AM |
|
 |
If your entire data center infrastructure is on one virtualized PC, you're doing it wrong. The comparison between the power of a modern PC and a 1960s mainframe is often made in conjunction with a smug "look how far we've come" look. ...
posted @ Thursday, September 18, 2008 7:26 AM |
|
 |
No matter where you deploy it, it's still your application. Everyone's talking about cloud computing and cloudware (applications in the cloud) services and pointing to the hiccups of several major cloud providers already this year. Reliability, availability, and security are still major concerns, and yet some reports indicate these three "itys" aren't impeding adoption of cloud computing models at all. ...
posted @ Wednesday, September 17, 2008 3:20 AM |
|
 |
Yesterday it was reported that BusinessWeek had been infected with malware via an SQL injection attack. [begin Mom lecture] Remember when we talked about PCI DSS being a good idea for everyone, even though it's just a requirement for the payment card industry? If I've told you once, I've told you a million times: safer is better, more protection never hurts. ...
posted @ Tuesday, September 16, 2008 5:40 AM |
|
 |
Ars Technica is reporting on a recent Pew study on cloud computing and privacy, specifically concerning remote data storage and the kind of data mining performed on it by providers like Google. The study indicates that while consumers are concerned about the privacy of their data in the cloud, they still subject themselves to what many consider to be an invasion of privacy and misuse of data. 68 percent of...
posted @ Monday, September 15, 2008 7:07 AM |
|
 |
The discussion yesterday on JavaScript and security got me thinking about why it is that there are no good options other than script management add-ons like NoScript for securing JavaScript. In a compiled language there may be multiple ways to write a loop, but the underlying object code generated is the same. A loop is a loop, regardless of how it's represented in the language. Security products that insert...
posted @ Friday, September 12, 2008 4:49 AM |
|
 |
Don is off in Lowell working on a project with our ARX folks so I was working late last night (finishing my daily read of the Internet) and ended up reading Scott Hanselman's discussion of threads versus processes in Chrome and IE8. It was a great read, if you like that kind of thing (I do), and it does a great job of digging into some of the RAMifications (pun intended) of the new programmatic models for both browsers. But this isn't about processes or threads, it's about an interesting comment that caught my eye: ...
posted @ Thursday, September 11, 2008 4:01 AM |
|
 |
David Linthicum of Real World SOA asks whether SOA governance should be delivered as a service, from the cloud. Core to this proposition is the use of a registry/repository in the cloud: This repository would provide more than just WSDL, but a complete design time and runtime SOA governance system delivered out of the cloud, perhaps linked with a local slave repository within your firewall. One of the problems with this, I see, is that in a SOA where governance is actively used and policies enforced, governance becomes crucial to...
posted @ Tuesday, September 09, 2008 4:17 AM |
|
 |
You walked past me again today without stopping. I remember when you used to stop and admire my glowing red ball every day. But that was back when I was brand new and you thought I was the center of your data center. I heard you talking to some friends about looking for a web acceleration solution yesterday. You were going to a meeting about it later that afternoon and you were so excited it was almost like old times, until you pointed me out on the way by and said, "Oh yeah, there's our load balancer." ...
posted @ Friday, August 29, 2008 4:05 AM |
|
 |
This blog on the inadvertent sharing of Google Docs led to an intense micro-conversation in the comments regarding the inadvertent sharing of e-mail, sensitive financial data, and a wealth of other private data that remained, well, not so private through that [cue scary music] deadly combination that makes security folks race for their torches and pitchforks: Google Apps and Gmail. [pause for laughter on my part. I can't say that with a straight face] Here's part of the "issue" "discovered" by the author: Closer examination of the spreadsheets, along with some online...
posted @ Friday, August 29, 2008 3:03 AM |
|
 |
Don and I were discussing security as a service and, as usual, he spouted off some wisdom in the form of an analogy that was too good not to share. When you're walking down the street with your entourage and an angry, I mean really angry, man steps out in front of you with a lead pipe, where should your bodyguard be? Yeah, that was my thought, too. He should be in front of me to stop the threat before I have to react. Even though the threat may not hit...
posted @ Tuesday, August 26, 2008 5:01 AM |
|
 |
During the debate of WAF versus, well, just about everything, I heard an interesting thing.
See, I was taking the view that the duplication of security code across all services/applications lays the groundwork for the introduction of errors, accidental omission, and the degradation of performance. I argued that a WAF addressed all these problems and was therefore a better option.
The person with whom I was discussing the subject declared that security code did not necessarily need to be included in the application, it could be a service that, in the spirit of SOA, could be reused and that this...
posted @ Thursday, August 21, 2008 5:02 AM |
|
 |
Abhik, in a reply to "Why can't clouds be inside (the data center)?" says that "the whole point (and primary benefit) of cloud computing is that someone else manages the computing resources. That set of resources is drawn as a cloud in a network diagram because you, the developer or the company using cloud resources, neither know nor care to know the specifics of the computing infrastructure. An in-house cloud would require procurement, management, maintenance and continuous cost even during idle time -- it is just a grid."
Is it? Is that the primary reason enterprises might be considering cloud computing?...
posted @ Wednesday, August 20, 2008 3:46 AM |
|
 |
An interesting InformationWeek article asks whether SOA intermediaries such as "enterprise service bus, design-time governance, runtime management, and XML security gateways" are required for an effective SOA. It further posits that SOA governance is a must for any successful SOA initiative. As usual, the report (offered free courtesy of IBM), focuses on SOA infrastructure that while certainly fitting into the categories of SOA intermediary and governance does very little to assure stability and reliability of those rich Internet applications and composite mashups being built atop the corporate SOA. Effective SOA Requires Intermediaries via InformationWeek ...
posted @ Monday, August 18, 2008 5:00 AM |
|
 |
SC Magazine reports that (1) cloud computing environments may not be very secure and (2) a VPN can improve the security of cloud computing environments. Countering cloud computing threats via SC Magazine Technology such as two-factor authentication systems, when married to encrypted VPN connections, can secure an internet connection into a cloud computing-based service. That's the verdict from the Information Systems Audit and Control Association (ISACA), which concludes that using such techniques would tend to make interception of files and transmissions almost impossible. Sarb Sembhi, president of the...
posted @ Thursday, August 14, 2008 8:43 AM |
|
 |
Nothing. At least not from an attacker's perspective. A blog is an individual content management system, requiring storage (either database or flat file) and the ability to write to that storage. Comments allow discussion but also require access to files and/or databases. It's an app, and that means it comes with all the baggage today's web applications necessarily come with: vulnerabilities. Those vulnerabilities are likely to become more visible as more organizations adopt blogging and other Web 2.0 applications in the next two years. Analyst firm Gartner recently highlighted 27 technologies in its 2008 Hype Cycle for...
posted @ Wednesday, August 13, 2008 3:35 AM |
|
 |
The debate on whether infrastructure devices, particularly those providing security, should fail open or closed is far from over. One of our field system engineers, Aidan Clark, has some thoughts on scenarios in which you should fail open, and provides some compelling arguments for his view point. He's graciously allowed me to post his thoughts as his response seems to be irritating the comment gremlins. The View from the Trenches Lori, Now you already know this, but other readers might not. My standard disclaimer first: I am an F5 employee. I...
posted @ Tuesday, August 12, 2008 7:25 AM |
|
 |
An ant named Archimedes is in a hole 6' deep. He climbs half the distance to the top every hour. How long does it take for him to escape the hole? Trick question. He can never, mathematically, escape. Realistically, we know that when Archimedes gets close to the top he will escape because he is actually longer than the amount of hole he has left to go. But what if every hour that Archimedes climbed the hole expanded 6" and thus changed the equation? He'd be one frustrated ant, that's what he'd be. That's how...
posted @ Monday, August 11, 2008 3:54 AM |
|
 |
Slashdot is discussing a recent rant regarding Mozilla Firefox 3's SSL policy on self-signed certificates. The rant claims that the policy is "bad for the web."
Nat Tuck: Mozilla SSL policy bad for the Web
Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors. This policy is bad for the web. Not only does it make users less secure overall by reducing the number of encrypted connections, it damages the basic principle of equality among web participants.
The problem...
posted @ Tuesday, August 05, 2008 10:59 AM |
|
 |
Who is responsible for security in the cloud? Let's say you just developed a web app through which customers can order widgets. You're pretty sure your widgets are going to be the hit of the year and you want to make sure that you don't suffer outages and performance issues like many retailers have in the past, especially around Black Friday. So you've decided to take advantage of the fact that a cloud computing provider can and will shoulder the responsibility for scaling your application even in the face of hundreds of thousands of customers knocking on your...
posted @ Tuesday, August 05, 2008 4:56 AM |
|
 |
An application delivery controller (ADC) essentially acts as a reverse proxy. That means that client requests interact with the ADC, and the ADC interacts with web and application servers on the client's behalf. This mediation offers the chance to implement acceleration, availability, and security features without requiring changes to existing applications. There are many, many more features in an ADC that provide significant value. These eight capabilities are the most commonly employed features in reverse-proxy application delivery solutions that provide immediate benefits to web applications, and all can be used without modifying applications or the servers on...
posted @ Friday, August 01, 2008 4:56 AM |
|
 |
I read with interest an article on port knocking as a mechanism for securing SOA services on CIO.com. If you aren't familiar with port knocking (I wasn't) then you'll find it somewhat interesting: From Nicholas Petreley's "There is More to SOA Security Than Authorization and Authentication" For the sake of argument, let's say you have an SOA server component for your custom client software that uses port 4000. Port knocking can close off port 4000 (and every other port) to anyone who doesn't know the "secret method" for opening it. Any cracker who scans your...
posted @ Tuesday, July 29, 2008 9:21 AM |
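What the article's "secret method" amounts to in practice is a small state machine in front of the firewall. The following is an added example (not code from the CIO.com article or from Petreley): a knock tracker that keeps port 4000, the service port the article uses, closed until a source hits a secret sequence of closed ports in order and within a time window. The sequence, the windows, and the SYN records fed through it are constructed for the example.

```python
"""Port knocking as a stateful firewall rule. Added example, not from the
article. The knock sequence, timing windows and SYN records below are
constructed; 4000 is the service port the article uses."""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the "secret method" (assumption)
PROTECTED_PORT = 4000
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence
OPEN_DURATION = 30.0                  # seconds the port stays open afterwards


class PortKnocker:
    """Tracks, per source address, how far through the sequence it is and
    when the protected port was last opened for it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}   # src -> (next expected index, time of first knock)
        self._opened = {}     # src -> time the sequence was completed

    def observe(self, src, dst_port, now):
        """Feed one inbound SYN to a closed port. Returns True when this
        packet completes the sequence for src."""
        idx, started = self._progress.get(src, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now          # too slow: start over
        if dst_port == self.sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
        elif dst_port == self.sequence[0]:
            idx, started = 1, now          # wrong port, but a fresh first knock
        else:
            # Any other port resets. A scanner sweeping 1..65535 therefore
            # never completes the sequence: its next hit is never the next knock.
            self._progress.pop(src, None)
            return False
        if idx == len(self.sequence):
            self._opened[src] = now
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, started)
        return False

    def allows(self, src, dst_port, now):
        """Firewall decision for a packet to the protected port."""
        if dst_port != PROTECTED_PORT:
            return False
        opened = self._opened.get(src)
        return opened is not None and now - opened <= self.open_for


def replay(packets, knocker=None):
    """Run (src, dst_port, timestamp) SYN records through the knocker and
    return the sources that were allowed to reach the protected port."""
    knocker = knocker or PortKnocker()
    allowed = set()
    for src, port, ts in packets:
        if port == PROTECTED_PORT:
            if knocker.allows(src, port, ts):
                allowed.add(src)
        else:
            knocker.observe(src, port, ts)
    return allowed


# Constructed traffic: a client that knocks correctly, a port scanner, and a
# client that knows the ports but not the order.
SAMPLE_PACKETS = [
    ("10.0.0.5", 7000, 0.0), ("10.0.0.5", 8000, 1.0), ("10.0.0.5", 9000, 2.0),
    ("10.0.0.5", 4000, 3.0),
    ("203.0.113.9", 22, 0.0), ("203.0.113.9", 7000, 0.5), ("203.0.113.9", 7001, 1.0),
    ("203.0.113.9", 8000, 1.5), ("203.0.113.9", 9000, 2.0), ("203.0.113.9", 4000, 2.5),
    ("10.0.0.6", 8000, 0.0), ("10.0.0.6", 7000, 1.0), ("10.0.0.6", 9000, 2.0),
    ("10.0.0.6", 4000, 3.0),
]
```

The caveat a practitioner will want: the sequence travels in the clear, so anyone who can observe the path sees it once and replays it. Knocking hides the service from a scanner; it does not authenticate the client. The usual remedy is single-packet authorization, where the one "knock" carries an HMAC over a timestamp and the source address, which cannot be replayed.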
|
 |
Apache is a great web server if for no other reason than it offers more flexibility through modules than just about any other web server. You can plug-in all sorts of modules to enhance the functionality of Apache.
But as I often say, just because you can doesn't mean you should.
One of the modules you can install is mod_security. If you aren't familiar with mod_security, essentially it's a "roll your own" web application firewall plug-in for the Apache web server.
Some of the security functions you can implement via mod_security are:
Simple filtering
...
posted @ Wednesday, July 23, 2008 5:53 AM |
|
 |
Of all the reasons you need an application delivery controller capable of bi-directional inspection of application data this is one of the best. I was trying to check out the results of a poll on PollDaddy.com and ended up with this beautiful Microsoft .NET error page, filled with so much valuable information that potential attackers must even now be laughing in that "evil genius" laugh you so often hear in retro-cartoons. This error page tells me so many things about the application, its environment, and its associated infrastructure that it should be a crime to let this information...
posted @ Tuesday, July 22, 2008 8:46 AM |
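The "bi-directional inspection" the post calls for means looking at the response on its way out, not just the request on its way in. The following is an added example, not F5's code or anything from the post: it recognises the markers a verbose ASP.NET error page carries (framework version, source path, exception stack frames), replaces the body with a generic page, strips the matching headers, and hands the detail back for logging. The sample response is constructed to carry those markers; it is not the PollDaddy page the author saw.

```python
"""Outbound inspection of an error page. Added example, not from the post.
The sample headers and body are constructed to mimic the markers a
verbose ASP.NET error page carries."""
import re

# Each marker hands an attacker a fact: exact framework build, filesystem
# layout, code structure. A 5xx HTML body carrying any of them is rewritten.
LEAK_PATTERNS = {
    "framework_version": re.compile(r"Microsoft \.NET Framework Version:\s*([\d.]+)"),
    "aspnet_version": re.compile(r"ASP\.NET Version:\s*([\d.]+)"),
    "source_path": re.compile(r"Source File:\s*(?:</b>)?\s*([A-Za-z]:\\[^\s<]+)"),
    "stack_trace": re.compile(r"\[[A-Za-z]+Exception: [^\]]+\]"),
    "server_error_banner": re.compile(r"Server Error in '[^']*' Application"),
}

GENERIC_BODY = b"<html><body><h1>An error occurred</h1></body></html>"


def find_leaks(body_text):
    """Return {marker name: matched text} for every marker present."""
    leaks = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body_text)
        if match:
            leaks[name] = match.group(0)
    return leaks


def inspect_response(status, headers, body):
    """Decide whether a response may be delivered unchanged.
    Returns (status, headers, body, leaks). Only HTML 5xx responses are
    rewritten; the same strings on a 200 documentation page would pass,
    which is the trade-off to keep in mind when tuning this."""
    content_type = headers.get("Content-Type", "")
    if status < 500 or not content_type.startswith("text/html"):
        return status, headers, body, {}
    leaks = find_leaks(body.decode("utf-8", errors="replace"))
    if not leaks:
        return status, headers, body, {}
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(GENERIC_BODY))
    new_headers.pop("X-AspNet-Version", None)   # the same leak, header edition
    new_headers.pop("X-Powered-By", None)
    return 500, new_headers, GENERIC_BODY, leaks


# Constructed sample: what a default ASP.NET 2.0 error page looks like.
SAMPLE_STATUS = 500
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "X-AspNet-Version": "2.0.50727", "X-Powered-By": "ASP.NET"}
SAMPLE_BODY = b"""<html><body>
<h1>Server Error in '/' Application.</h1>
<h2>Object reference not set to an instance of an object.</h2>
<b>Source File:</b> C:\\inetpub\\wwwroot\\poll\\Results.aspx.cs
<pre>[NullReferenceException: Object reference not set to an instance of an object.]
   Poll.Results.Page_Load(Object sender, EventArgs e) +112</pre>
<hr>Version Information: Microsoft .NET Framework Version:2.0.50727.3053; ASP.NET Version:2.0.50727.3053
</body></html>"""
```

The leaks dictionary is what goes to the operators; the client gets the generic body. Turning off detailed errors in web.config (customErrors mode="On") is the right fix at the source, and this kind of outbound check is what catches the server where someone forgot.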
|
 |
Via Hacker News and Peteris Krumins' blog on programming, hacking, software reuse and stuff comes the latest Google tech talk, this one on web application vulnerabilities and "how cybercriminals steal money". While Peteris and Google are targeting web developers with this informative video talk, it's also a great resource for security folks and for network administrators tasked with understanding how to thwart web application attacks. Even if you've deployed a web application firewall to protect you from these kinds of vulnerabilities, it's still a great idea to watch this one and get a better...
posted @ Friday, July 18, 2008 12:52 PM |
|
 |
No one questions the need to secure applications today, we just argue over how we should do it. Let's take a break for a minute from that debate to ensure that we don't get so focused on layer 7 (application) that we forget about the rest of the stack and the importance of securing it as well. Just as a chain is only as strong as its weakest link, an application is only as secure as the most vulnerable layer in its stack. If your application is well secured, but the network layer (IP) is wide...
posted @ Wednesday, July 16, 2008 8:24 AM |
|
 |
Cloud computing is, at its core, about delivering applications or services in an on-demand environment. Cloud computing providers will need to support hundreds of thousands of users and applications/services and ensure that they are fast, secure, and available. In order to accomplish this goal, they'll need to build a dynamic, intelligent infrastructure with four core properties in mind: transparency, scalability, monitoring/management, and security.
Transparency
One of the premises of Cloud Computing is that services are delivered transparently regardless of the physical implementation within the "cloud". Transparency is one of the foundational concepts of cloud computing, in that the actual implementation of...
posted @ Thursday, July 10, 2008 5:45 AM |
|
 |
Not all DoS (denial of service) attacks are the same. While the end result is the same, consuming as much (from the attacker's point of view, ideally all) of a server's or site's resources that legitimate users are denied service (hence the name), there is a subtle difference in how these attacks are perpetrated that makes one easier to stop than the other. SYN Flood: the classic layer 4 DoS attack is the SYN flood. It works at the transport protocol (TCP) layer. A TCP connection is established in what is known as a 3-way handshake. The client...
posted @ Tuesday, July 08, 2008 4:31 AM |
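The difference the post draws is easiest to see in a trace. The following is an added example (not from the post): a constructed connection log containing a spoofed SYN flood, a small botnet sending an HTTP flood, and one legitimate visitor, and an analyser that has to use different counters for the two attacks. Addresses, rates and thresholds are all assumptions chosen for the example.

```python
"""Telling a layer 4 SYN flood from a layer 7 HTTP flood. Added example,
not from the post; the trace is constructed. Events are
(timestamp, source, kind, path) where kind is SYN, ACK (the client's
third handshake packet) or GET."""
from collections import Counter, defaultdict


def build_sample_trace():
    events = []
    # Layer 4: 300 SYNs in one second from spoofed sources that never
    # complete the handshake, so every one holds a half-open slot.
    for i in range(300):
        events.append((i / 300, f"198.51.100.{i % 200}", "SYN", None))
    # Layer 7: five bots that do complete the handshake and then each
    # send 50 expensive requests in the same second.
    for i in range(250):
        src = f"203.0.113.{i % 5 + 1}"
        t = i / 250
        events += [(t, src, "SYN", None), (t, src, "ACK", None),
                   (t, src, "GET", "/search?q=widgets")]
    # One legitimate visitor.
    for i in range(4):
        t = i * 0.3
        events += [(t, "192.0.2.10", "SYN", None), (t, "192.0.2.10", "ACK", None),
                   (t, "192.0.2.10", "GET", "/index.html")]
    return sorted(events, key=lambda e: e[0])


def analyze(events, half_open_limit=100, rps_limit=20):
    """Return the layer 4 and layer 7 signals separately, because they need
    different counters: the SYN flood is visible in the handshake backlog
    without looking at a single request, while the HTTP flood is invisible
    there (every handshake completes) and only shows up in per-source
    request rate."""
    half_open = defaultdict(int)   # SYNs minus completing ACKs, per source
    requests = Counter()
    for _ts, src, kind, _path in events:
        if kind == "SYN":
            half_open[src] += 1
        elif kind == "ACK":
            half_open[src] -= 1
        elif kind == "GET":
            requests[src] += 1
    stalled = {src: n for src, n in half_open.items() if n > 0}
    span = max(e[0] for e in events) - min(e[0] for e in events) or 1.0
    return {
        "layer4_syn_flood": sum(stalled.values()) >= half_open_limit,
        "half_open_total": sum(stalled.values()),
        # Spoofing spreads the flood across many sources, so a per-source
        # threshold sees almost nothing; the backlog total is the signal.
        "max_half_open_per_source": max(stalled.values(), default=0),
        "layer7_suspects": sorted(src for src, n in requests.items()
                                  if n / span >= rps_limit),
    }
```

The two results explain the "easier to stop" claim. The SYN flood never reaches the application and is absorbed by anything that completes the handshake on the server's behalf (SYN cookies, or a full proxy that only opens a server-side connection once the client's ACK arrives). The HTTP flood looks like a busy site at layer 4; stopping it needs something that sees requests and can rate-limit or challenge per client.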
|
 |
Bob owns a widget shop. Now this widget shop is not your ordinary widget shop, because the widgets are made from Swarovski crystal. Very expensive stuff. Bob is aware that losing any number of his widgets would be financially devastating, and the negative press he'd receive would darken his shop's reputation. So he's invested in a very modern physical security system that utilizes electronic locks on all the doors, and includes all the newest laser motion detection technology. It's further connected to a monitoring service just in case, so he'll know if security has been breached and can...
posted @ Wednesday, July 02, 2008 4:58 AM |
|
 |
Andre Gironda (Dre) has declared war on WAF (Web Application Firewalls). I found his attack on WAFs a bit amusing because the belief that secure coding will take care of all web application vulnerabilities is quite utopian, and thus more compatible with a more passive-aggressive strategy and not a frontal assault with a war-declaring-gut-stomping-heated list of reasons to discount a technological solution to the problem of web application threat defense. Today I'm going to focus on reason #2, because I don't believe it's peculiar to WAFs at all. The "number 2" reason to wait on WAFs, according...
posted @ Wednesday, June 25, 2008 5:18 AM |
|
 |
The good folks at Verizon Business who recently released their 2008 Data Breach Investigations Report sounded almost surprised by the discovery that "Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities. Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach." This led the researchers to conclude that "For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach. [...] Also worthy of mention is that no...
posted @ Thursday, June 19, 2008 5:24 AM |
|
 |
Application delivery controllers, and load balancing in general, are often seen as solutions waiting for a problem to solve. We know what those problems are, but until we experience them we often don't feel a sense of urgency in acquiring and deploying an application delivery controller. While it's certainly true that an application delivery controller can solve many problems that arise, it's also true that there are benefits to acquiring and deploying an application delivery controller before it becomes absolutely necessary in order to save your application, your site, or your job. So here are six...
posted @ Wednesday, June 18, 2008 7:59 AM |
|
 |
One of the most basic attacks against data-driven sites generated dynamically through scripting languages like PHP and ASP is to use the weaknesses of the language against the developer. Attacks against sites that make use of scripting languages often attempt to exploit system-level calls that can lead to all sorts of nastiness with very little work on the part of the attacker. One of the ways to guard against this is to write secure code, of course, but we all know that we can only code against known attacks. The unknown is something we just...
posted @ Monday, June 16, 2008 7:46 AM |
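The "system-level call" weakness the post has in mind is the script pasting a request parameter into a command line that a shell then interprets. The following is an added example, written in Python rather than the PHP or ASP the post names and not taken from the post: the vulnerable construction beside its hardened form, plus a tokenizer that shows how many commands the shell would actually run on an injected input. The host strings are constructed inputs.

```python
"""Command injection through a system-level call. Added example, not from
the post; shown in Python in place of PHP/ASP. Inputs are constructed."""
import ipaddress
import shlex
import subprocess


def ping_command_vulnerable(host):
    """Builds the command line the way the vulnerable code does: by pasting
    the parameter into a string that a shell (os.system, PHP's system())
    will parse. Returned rather than executed so it can be inspected."""
    return "ping -c 1 " + host


def shell_commands(line):
    """Tokenize a command line the way a POSIX shell would and split it at
    command separators, to count how many commands the shell would run."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_valid_host(host):
    """Positive validation: the parameter must be an IP address, nothing else.
    Rejecting what is not expected beats enumerating bad characters."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_command_hardened(host):
    """Validate the input and build an argv list. With no shell in the path
    there is nothing that would interpret a ';' or '|' in the argument."""
    if not is_valid_host(host):
        raise ValueError(f"not an IP address: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Executes the hardened form. A list argv with shell=False (the
    default) goes to execve, not to /bin/sh."""
    return subprocess.run(ping_command_hardened(host),
                          capture_output=True, text=True, timeout=10)
```

Two things are doing the work in the hardened form, and both are needed: the validation makes the known attack fail, and the argv list (no shell) removes the interpreter that the unknown attack would have targeted. That second property is the one that holds up against inputs nobody thought to filter, which is the post's point about only being able to code against known attacks.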
|
 |
Someone's been playing with the MySpace APIs and found a way to exploit some deprecated [according to MySpace] services through which "private" photos suddenly became public. Jeremiah Grossman, chief technology officer at White Hat Security, a Web application security company, attributed it to "insufficient authorization," which he said is common on all types of Web sites, not just social-networking sites. Jeremiah's explanation is evident if you walk through the details of the exploit. You must authenticate to MySpace by logging in - it's the authorization to view the private photos that was completely broken. ...
posted @ Thursday, June 05, 2008 7:44 AM |
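The authentication-versus-authorization distinction the post draws is worth seeing in code. The following is an added example, not MySpace's code: a photo accessor that only checks who the caller is (the broken pattern) beside one that also checks whether that caller may see that object, with the rule kept in one function so that a deprecated endpoint cannot skip it. Users, friend lists, photos and session tokens are constructed.

```python
"""Authentication is not authorization. Added example, not MySpace's code;
users, friendships, photos and session tokens are constructed."""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str
    visibility: str        # "public", "friends" or "private"


@dataclass
class User:
    username: str
    friends: set = field(default_factory=set)


USERS = {
    "alice": User("alice", {"bob"}),
    "bob": User("bob", {"alice"}),
    "mallory": User("mallory"),
}
PHOTOS = {
    101: Photo(101, "alice", "public"),
    102: Photo(102, "alice", "friends"),
    103: Photo(103, "alice", "private"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-mallory": "mallory"}


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


def authenticate(session_token):
    """Who is making the request? This part worked."""
    try:
        return USERS[SESSIONS[session_token]]
    except KeyError:
        raise AuthenticationError("no such session") from None


def get_photo_insufficient_authz(session_token, photo_id):
    """Broken: being logged in is treated as permission to see everything.
    Any user who guesses or enumerates ids reads 'private' photos."""
    authenticate(session_token)
    return PHOTOS[photo_id]


def may_view(user, photo):
    """The authorization rule, kept in one place so every endpoint, current
    or deprecated, enforces the same policy."""
    if photo.visibility == "public" or user.username == photo.owner:
        return True
    if photo.visibility == "friends":
        return user.username in USERS[photo.owner].friends
    return False


def get_photo(session_token, photo_id):
    """Fixed: authenticate, then authorize this user for this object."""
    user = authenticate(session_token)
    photo = PHOTOS.get(photo_id)
    if photo is None or not may_view(user, photo):
        # One outcome for "does not exist" and "not yours", so an attacker
        # walking the id space learns nothing about which private photos exist.
        raise AuthorizationError("photo not available")
    return photo


def can_view(session_token, photo_id):
    """Boolean view of the fixed path, for callers that only need yes/no."""
    try:
        get_photo(session_token, photo_id)
        return True
    except (AuthenticationError, AuthorizationError):
        return False
```

The deprecated-service angle matters here: if each endpoint carries its own copy of the rule, the old one keeps whatever policy it shipped with. Centralizing the check is what makes "deprecated" harmless.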
|
 |
As an industry - both security and application delivery - we talk a lot about securing the application infrastructure (databases, web and application servers) by making sure that the data going into the applications is "clean". After all, we know that GIGO (Garbage In Garbage Out) is a true statement in terms of web applications and data. Unfortunately we tend to worry a lot more about the GI than the GO. While it's better for everyone to prevent that SQL injection or XSS attack from polluting our databases and potentially distributing malicious code to hundreds or thousands of...
posted @ Thursday, May 29, 2008 5:46 AM |
|
 |
After reading most of what's available on the Adobe Zero Day Exploit, and getting an idea of how it propagates (Flash and JavaScript inserted via an SQL injection attack), I turned to iRules guru Colin for some help crafting an iRule that might stop a site from serving up infected content to a user. This is particularly helpful for those who are running a BIG-IP but who aren't running a web application firewall like ASM (Application Security Manager) and may have been inadvertently infected.
After looking through the screen capture of some JavaScript that attempts to load the malware from...
posted @ Thursday, May 29, 2008 5:40 AM
By now you've certainly heard about the "zero day" Adobe Flash player exploit. If not, you can read a bit about it here and here. What appears to be going on is similar to how other exploits and malware become quickly propagated across the web:
1. Set up a site that hosts some malware with a simple but effective password stealer hidden in a Flash file
2. Inject malicious code via SQL injection techniques into a web site that will load the Flash files from the host you set up in step 1....
posted @ Wednesday, May 28, 2008 11:00 AM
With the deadline of June 2008 quickly approaching for retailers who need to be compliant with PCI DSS (Payment Card Industry Data Security Standard) there's a lot of focus in IT shops on requirement 6.6, the somewhat hotly debated requirement which states organizations must implement either a web application firewall or perform code reviews (and address vulnerabilities discovered) in order to be compliant with the standard and continue accepting credit cards. So much focus is on this standard and online retailers that it seems like the "bad guys" might consider other avenues of attack. Malicious code (malware) and...
posted @ Thursday, May 22, 2008 4:42 AM
This is an interesting article from Network World about how CIOs in Australia and New Zealand perceive security as being easier than reducing costs. The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector. CIO Challenges ...
posted @ Friday, May 09, 2008 8:15 AM
One of the problems with having kids and Internet access in the same house is dealing with the problem of someone duping your kids into believing they are someone they aren't. And it's not just predators that you have to worry about; kids are devious, they know they can pretend to be someone else (and often do) on the Internet and thereby mess with their friends' heads. One of the reasons it's so easy to socially engineer someone else into believing you are whoever you want to on the Internet is that there's no real way to verify identity....
posted @ Thursday, May 01, 2008 7:50 AM
History says integration wins, will that trend continue? Andrew Storms has a nice writeup on PayPal's recent decision to limit the supported browsers used with its service (i.e. this is a one browser site, buddy) in an effort to "protect customers". This isn't just a case of choosing IE over Firefox, or vice-versa; this move is about requiring a certain set of security functions to be available and active in a browser, and will not necessarily block out the major browser vendors - just older versions of those browsers. Apparently one of those features required will be EV SSL...
posted @ Monday, April 28, 2008 8:12 AM
The dirty secrets of Web 2.0
There's something a lot of people don't want you to know about Web 2.0. People who are trying to sell you on Web 2.0 as the greatest thing to hit technology since the first web page appeared at CERN. And while undoubtedly Web 2.0 is having a huge impact on organizations across a broad spectrum - from the enterprise to startups - when you peek under the covers you may be surprised to learn that things haven't changed all that much. Oh, Web 2.0 appears magical indeed but from the view of an...
posted @ Monday, April 28, 2008 7:05 AM
Hey website! Prove you are you. I got a call last week from my insurance company - or someone claiming to be from my insurance company. The nice lady on the other end wanted my credit card information to pay for the co-payment required for some "speciality meds" for our youngest son. Even though the caller-id had identified the caller as my insurance company, still I hesitated. The cold, cruel reality of the Internet has apparently made me even more cynical than normal. We're often told never to give out our credit card information to anyone who requests...
posted @ Monday, April 14, 2008 5:38 AM
I was listening to some Primus yesterday - To Defy The Laws of Tradition, to be precise- and it got me thinking about architectures and decisions that defy the laws of (IT) tradition. One IT tradition that seems extremely difficult to overcome is that applications should authorize users. After all, the application should control, based on some kind of policy, what users can and cannot do while interacting with it. In fact it's almost a law within IT that while applications may accept the authentication of a user from a trusted source, it is still the authoritative source for authorizing...
posted @ Monday, April 07, 2008 10:23 AM
Last week we dove into the use of application delivery as a way to apply the SOA benefits of loose-coupling to "legacy" web applications. This week we'll dive into how to achieve similar benefits by applying loose-coupling to security for legacy applications. Loose-coupling of security generally requires the use of a service to apply - or enforce - security policies outside the application or service. At a minimum, the decoupling of security policies from actual services preserves the ability to reuse services in multiple applications, many of which may have different security needs. For example, applying authentication and authorization...
posted @ Tuesday, March 18, 2008 12:24 PM
An analyst friend of mine recently asked about F5's Application Ready Networks. The question was, "Isn't that just a bunch of templates?" Now it's true that this particular analyst friend is not an application analyst, so the question was a good one coming from his background, but it got me to thinking that if he was confused, maybe others were as well. So what's an Application Ready Network anyway? F5 has a long history of deep strategic partnerships with application vendors like Oracle, BEA, Microsoft, and SAP. Through these partnerships, and F5's comprehensive technology center in Seattle, our...
posted @ Wednesday, December 19, 2007 9:47 AM
With the increasing number of "data leaks" involving large numbers of affected consumers there is an increased focus on products that prevent such leaks from occurring in the first place. Many of these products have grown out of the IDS (Intrusion Detection System) market and others have been built from the ground up. Some, like F5's BIG-IP Application Security Manager (ASM), have grown out of the WAF (Web Application Firewall) product set. So what's the difference between them? One of the biggest differentiators in these product sets is the way in which they are deployed, which is necessitated by their architecture....
posted @ Thursday, December 13, 2007 12:27 PM
Tis the season for overzealous security to kick in. Is there such a thing as too much security?
Rock --> consumer <-- Hard place
There's been nearly as much hype about the (non)mythical "Cyber Monday" as there is surrounding "Black Friday" this year. While a lot of attention has been focused thus far on how slow (in terms of performance) some major online-shopping sites have been, there's been very little discussion about the impact of automated fraud detection systems on online transactions. I don't know anyone that would argue that these systems are a Bad Thing. After...
posted @ Thursday, December 06, 2007 8:33 AM
This article is just full of interesting ideas. First we're told that the only way to secure Web 2.0/SOA/Web applications is to rewrite the code. This "rewrite the application code" to address any number of delivery issues - security, performance, availability - is old and busted. There are other more efficient mechanisms that can certainly be used to address application delivery issues, such as an application delivery network comprising appropriate intelligent, application aware devices capable of ensuring that all applications are fast, secure, and available. These solutions do not require that the application be rewritten, and in fact in...
posted @ Tuesday, November 06, 2007 1:22 PM
Over the past few weeks we've examined the issues inherent with Web 2.0 and in particular AJAX-based applications. These issues need to be dealt with, but they should not be considered "show stoppers" to moving ahead with your Web 2.0 initiative. Consider the security ramifications of the design, implementation, and deployment of your new application carefully. Build security into your new application up front and you'll certainly be able to decrease the potential risks associated with this growing technology. Consider the following methods to CUT the RISK associated with deploying Web 2.0 applications: • Check VA tools for AJAX...
posted @ Monday, July 23, 2007 8:29 AM
This is Part 4 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "H".
Hidden URLs
AJAX and Web 2.0 work because of the use of the XMLHttpRequest object via JavaScript to invoke remote calls on...
posted @ Wednesday, July 18, 2007 12:38 PM
This is Part 3 of a series on Web 2.0 Security.
A good way to remember things is to use mnemonics, so when you're trying to list the security issues relevant to Web 2.0 just remember this: it's a MASHup.
More of everything.
Asymmetric data formats
Scripting based
Hidden URLs and code
This episode is brought to you by the letter "S".
Scripting-based
Web 2.0 technologies, specifically AJAX, are based on the execution of scripts. As we mentioned in Part I of...
posted @ Wednesday, July 11, 2007 1:11 PM