Re: question on security scanning
  • Subject: Re: question on security scanning
  • From: Kieran Kelleher <email@hidden>
  • Date: Thu, 26 Feb 2009 20:32:37 -0500

Our credit card company requires PCI compliance and they commissioned some security company to do periodic security scans on our stuff. We did not do any special preparation for this security scan. All that happened was my app ended up with a lot of malformed direct actions being thrown at it by the security bot causing error pages to be returned to it. The outcome of the scan was that it identified versions of PHP, Apache etc. that had vulnerabilities and needed to be upgraded... basically Tiger OS X Server fails and Leopard OS X Server passes the PCI compliance.

http://www.pcicomplianceguide.org/

On Feb 26, 2009, at 3:34 PM, Michael DeMan (WO) wrote:

Hi,

To the best of my knowledge, your synopsis that the WO/EOF architecture insulates you from many security issues is essentially correct. Most of the issues in this area revolve around PHP and similar technologies where injection and scripting attacks are a huge issue.

For those kinds of attacks, the biggest thing I can think of that affects WO is the regular old session hijacking via the URL which can be obviated by creative use of encrypted cookies to ensure that anybody who hits the app with a session URL, also has that cookie on their machine with matching session ID (or username, etc).


On the other hand, there still can be configuration issues that can cause grief - mostly the public facing HTTP server(s) that your WOAdaptor is running on - which although pretty much can be used only for denial of service issues, are still issues nonetheless.


A couple of quick examples would be like...

- is JavaMonitor accessible from the outside world? Obviously bad news since JavaMonitor is subject to brute force password attacks.
- if you require login to your application (similar to JavaMonitor issue), once password login fails 3-5 times in a row, does the account automatically get locked out?
- if you are using HTTPS, is the web server configured not to use weak / deprecated encryption algorithms?
- does the web server accidentally have POP3 or something open on it to the public, subject to brute force attacks, which in turn could give somebody SSH access to it or similar? And once a compromise is made there be able to use the web server to try and break into your application and/or database servers?

My background on this kind of stuff is primarily via small e-commerce deployments, and have regularly used http://www.securitymetrics.com for scanning to meet VISA/MasterCard PCI 1.2 compliance. Depending on your needs, something like SecurityMetrics may be inappropriate, insufficient, or overkill. I do like the extra peace of mind provided knowing that servers are scanned for security vulnerabilities regularly, and they have found both minor and important issues for me in the past.


My 2-cents anyway, and I am also interested to see what others have to say.

- Mike
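Added example, not code from this thread or from WebObjects itself: the cookie-binding check Mike describes for a session ID carried in the URL, written in plain Java with no WO API. The class name, the server secret and the session ID are constructed for illustration; `wosid` is assumed to be the WebObjects session query parameter.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/** Binds a session ID carried in the URL to a cookie, so a leaked URL alone does not grant the session. */
public final class SessionBinding {
    private static final String ALGO = "HmacSHA256";
    private final byte[] secret; // server-side key, never sent to the client (constructed for the demo)

    public SessionBinding(byte[] secret) { this.secret = secret.clone(); }

    /** Value to store in an HttpOnly/Secure cookie when the session is created. */
    public String cookieFor(String sessionId) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(sessionId));
    }

    /** True only if the presented cookie was minted for the session ID found in the URL. */
    public boolean matches(String sessionIdFromUrl, String cookieValue) {
        if (sessionIdFromUrl == null || cookieValue == null) return false;
        byte[] presented;
        try { presented = Base64.getUrlDecoder().decode(cookieValue); }
        catch (IllegalArgumentException e) { return false; }
        // constant-time comparison so timing does not reveal how many bytes matched
        return MessageDigest.isEqual(hmac(sessionIdFromUrl), presented);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALGO);
            mac.init(new SecretKeySpec(secret, ALGO));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        SessionBinding b = new SessionBinding("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String sid = "AbC123xyz"; // constructed session ID as it would appear in a ?wosid= URL (assumed name)
        String cookie = b.cookieFor(sid);
        System.out.println(b.matches(sid, cookie));     // true: URL and cookie agree
        System.out.println(b.matches(sid, null));       // false: URL alone, e.g. leaked via a Referer header
        System.out.println(b.matches("other", cookie)); // false: cookie minted for a different session
    }
}
```

In the application, a request whose session ID passes the URL check but fails `matches` should be treated as unauthenticated rather than resumed.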

TW wrote:
All:

I just had a meeting regarding one of my apps today with some central IT types at our university. One of the questions that was asked of me (for the first time actually) was whether I had run a security scanner to test the application. While I'm not so naive as to think there can't be any security issues, I had always felt that the many levels of abstraction in WO/EOF naturally insulated me from some of these considerations.

For background, this central IT group is heavily Microsoft-leaning - so they kind of live in a different world where security is concerned and believe that the entire world of computing has the same architectural considerations they do. Their question was obviously out of concern that an attack could be crafted against the app to extract data from the database. It's difficult for me to imagine how this would be possible with WO/EOF but I may have naively looked past this.

To get to the point, I'd be interested in hearing from developers on list about whether you have scans performed against your apps. Yes or no, what were the considerations that drove the choice.

Tim Worman
UCLA GSE&IS
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden