Friday, September 7, 2007
It doesn't matter if the application is "behind the firewall". It doesn't matter if it uses SSL for encryption. And it doesn't matter if all the software in use is patched with the latest hotfixes or service packs. The problems are at the application level and they're still there regardless of how hardened the environment is.
I bring this up because it's so easy for business managers to Web-enable anything and everything to woo their clients/customers. I'm seeing these types of Web vulnerabilities more and more. Business apps are cropping up on the Internet at an increasing rate - especially in the legal field. A lot of them are not being tested for security vulnerabilities in the slightest way. OK, some are being scanned with whatever freeware security scanner the network admin is familiar with, but that's not enough - not even close! Commercial OS and Web application scanners - and more importantly - manual testing is required to really figure out how Web portals such as this can be exploited.
There are so many complexities and variables in Web applications which, again, is one of the reasons I love testing software (see my related post on this). If you've got a law firm extranet or some other type of Web portal housing information you can't afford to have compromised, you've got to look at the environment from a malicious attacker's perspective. Test and test again - now and as long as the system is publicly-accessible. The Web application flaws will eventually be found by someone - might as well be you!
Thursday, September 6, 2007
There's something that's coming up more and more that I'm building a stronger opinion about each year. It's expecting the best of ourselves and others. We're coming to a point in our society where it's inappropriate, offensive, and politically incorrect to demand the best from ourselves and others in literally every aspect of our personal lives and our careers. This is especially true in our society where those who prove that hard work makes luck are actually looked down upon. [Hmmm - teachers' unions and government schools come to mind - but back to my point.]
You hear people say things like this all the time: "Wow, that lady did what she said she was going to do! What a stand-up professional..." Are you serious!? Does doing what you say you're going to do deserve such praise? Not really, but I can understand why it's happening. It's sad but true that many people don't even do the basics they commit to doing (or are expected to do), much less put in the extra work to under-promise and over-deliver.
What I'm trying to say is that the levels of mediocrity in society and business give those of us in IT and information security a chance to really stand out above the noise. All it takes is to do what we say we're going to do and then put in some extra effort to really excel. Want to see it work? Commit to yourself now that you're going to take some risks and go the extra mile. Give it a try - you may not notice the immediate benefits, but you'll be amazed what it will do for you long term.
Wednesday, September 5, 2007
- They're all different
- They're ever changing
- They can be extremely complex (read: more chances for security problems)
- There are no real standards for locking them down like there are for operating systems, wireless, etc. because they're all so unique
- There's no way that all developers are going to think to secure everything
- Much to the chagrin of executives and even certain developers, no firewall in the world is going to protect against poor application logic!
- There are a lot of great Web application scanners including some free ones to help take the pain out of the testing process. [Web vulnerability scanners won't find everything though! They're only about 50% of the equation. Human context and reasoning picks up where they leave off.]
What I talk about here ties in with my Security On Wheels audio programs. Thanks for checking in and joining me in this adventure. Many security opinions, commentaries, and insights to come!