Re: question on security scanning
- Subject: Re: question on security scanning
- From: "Michael DeMan (WO)" <email@hidden>
- Date: Thu, 26 Feb 2009 12:34:01 -0800
Hi,
To the best of my knowledge, your synopsis that the WO/EOF architecture
insulates you from many security issues is essentially correct. Most of
the issues in this area revolve around PHP and similar technologies
where injection and scripting attacks are a huge issue.
For those kinds of attacks, the biggest thing I can think of that
affects WO is the regular old session hijacking via the URL which can be
obviated by creative use of encrypted cookies to ensure that anybody who
hits the app with a session URL, also has that cookie on their machine
with matching session ID (or username, etc).
On the other hand, there still can be configuration issues that can
cause grief - mostly the public facing HTTP server(s) that your
WOAdaptor is running on - which although pretty much can be used only
for denial of services issues, are still issues nonetheless.
A couple quick examples would be like...
- is JavaMonitor accessible from the outside world? Obviously bad news
since JavaMonitor is subject to brute force password attacks.
- if you require login to your application (similar to JavaMonitor
issue), once password login fails 3-5 times in a row, does the account
automatically get locked out?
- if you are using HTTPS, is the web server configured not to use weak /
deprecated encryption algorithms?
- does the web server accidentally have POP3 or something open on it to
the public, subject to brute force attacks, which in turn could give
somebody SSH access to it or similar? And once a compromise is made
there be able to use the web server to try and break into your
application and/or database servers?
My background on this kind of stuff is primarily via small e-commerce
deployments, and have regularly used http://www.securitymetrics.com for
scanning to meet VISA/MasterCard PCI 1.2 compliance. Depending on your
needs, something like SecurityMetrics may be inappropriate,
insufficient, or overkill. I do like the extra peace of mind provided
knowing that servers are scanned for security vulnerabilities regularly,
and they have found both minor and important issues for me in the past.
My 2-cents anyway, and I am also interested to see what others have to say.
- Mike
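The cookie-binding defence Mike describes (a session URL is only honoured when the browser also presents a cookie minted for that same session ID), as an added framework-agnostic illustration; this is not WebObjects code or anything from the original thread, and the session IDs and server key are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for this example; in a real deployment it
# would be loaded from protected configuration and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def session_binding_cookie(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Value for the cookie that ties a browser to one session ID.

    It is an HMAC keyed with the server secret, so a client who merely
    learns a session ID (e.g. from a leaked URL) cannot forge the cookie.
    The cookie should be set with Secure and HttpOnly flags.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def session_request_allowed(url_session_id: str,
                            cookie_value: Optional[str],
                            key: bytes = SERVER_KEY) -> bool:
    """Accept a request carrying a session ID in the URL only when the
    accompanying cookie was minted for exactly that session ID."""
    if not url_session_id or not cookie_value:
        return False
    expected = session_binding_cookie(url_session_id, key)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, cookie_value)


def simulate() -> dict:
    """Walk through the legitimate case and three hijack attempts."""
    sid = "constructed-session-123"
    cookie = session_binding_cookie(sid)
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "legit": session_request_allowed(sid, cookie),
        "leaked_url_no_cookie": session_request_allowed(sid, None),
        "leaked_url_other_cookie": session_request_allowed(
            sid, session_binding_cookie("constructed-other-session")),
        "tampered_cookie": session_request_allowed(sid, flipped),
    }


if __name__ == "__main__":
    for case, allowed in simulate().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```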
TW wrote:
All:
I just had a meeting regarding one of my apps today with some central
IT types at our university. One of the questions that was asked of me
(for the first time actually) was whether I had run a security scanner
to test the application. While I'm not so naive as to think there can't
be any security issues, I had always felt that the many levels of
abstraction in WO/EOF naturally insulated me from some of these
considerations.
For background, this central IT group is heavily Microsoft leaning -
so they kind of live in a different world where security is concerned
and think they believe that the entire world of computing has the same
architectural considerations they do. Their question was obviously out
of concern that an attack could be crafted against the app to extract
data from the database. It's difficult for me to imagine how this
would be possible with WO/EOF but I may have naively looked past this.
To get to the point, I'd be interested in hearing from developers on
list about whether you have scans performed against your apps. Yes or
no, what were the considerations that drove the choice.
Tim Worman
UCLA GSE&IS
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden