Re: question on security scanning
- Subject: Re: question on security scanning
- From: Kieran Kelleher <email@hidden>
- Date: Thu, 26 Feb 2009 20:32:37 -0500
Our credit card company requires PCI compliance and they commissioned
some security company to do periodic security scans on our stuff. We
did not do any special preparation for this security scan. All that
happened was my app ended up with a lot of malformed direct actions
being thrown at it by the security bot causing error pages to be
returned to it. The outcome of the scan was that it identified
versions of php, apache etc that had vulnerabilities and needed to be
upgraded ... basically Tiger OS X Server fails and Leopard OS X
Server passes the PCI compliance.
http://www.pcicomplianceguide.org/
On Feb 26, 2009, at 3:34 PM, Michael DeMan (WO) wrote:
Hi,
To the best of my knowledge, your synopsis that the WO/EOF
architecture insulates you from many security issues is essentially
correct. Most of the issues in this area revolve around PHP and
similar technologies where injection and scripting attacks are a
huge issue.
For those kinds of attacks, the biggest thing I can think of that
affects WO is the regular old session hijacking via the URL which
can be obviated by creative use of encrypted cookies to ensure that
anybody who hits the app with a session URL, also has that cookie on
their machine with matching session ID (or username, etc).
On the other hand, there still can be configuration issues that can
cause grief - mostly the public-facing HTTP server(s) that your
WOAdaptor is running on - which, although they pretty much can be used
only for denial of service issues, are still issues nonetheless.
A couple of quick examples would be:
- is JavaMonitor accessible from the outside world? Obviously bad
news since JavaMonitor is subject to brute force password attacks.
- if you require login to your application (similar to the JavaMonitor
issue), once password login fails 3-5 times in a row, does the
account automatically get locked out?
- if you are using HTTPS, is the web server configured not to use
weak or deprecated encryption algorithms?
- does the web server accidentally have POP3 or something open on it
to the public, subject to brute force attacks, which in turn could
give somebody SSH access to it or similar? And once a compromise is
made, be able to use the web server to try and break into your
application and/or database servers?
My background on this kind of stuff is primarily via small
e-commerce deployments, and I have regularly used http://www.securitymetrics.com
for scanning to meet VISA/MasterCard PCI 1.2 compliance. Depending
on your needs, something like SecurityMetrics may be inappropriate,
insufficient, or overkill. I do like the extra peace of mind
provided by knowing that servers are scanned for security
vulnerabilities regularly, and they have found both minor and
important issues for me in the past.
My 2 cents anyway, and I am also interested to see what others have
to say.
- Mike
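The session-binding scheme Mike sketches above, worked through as an added example (this is not WebObjects code and not from anyone in this thread): a WO-style session ID still travels in the URL, but at login the server also sets an HMAC cookie computed over that session ID and the logged-in account, and later accepts the session URL only when the matching cookie is presented. A URL copied out of a log, a Referer header or a shared link is therefore useless on its own. Everything here is hypothetical: the cookie name, SERVER_KEY, the in-memory session store and the account names stand in for real deployment configuration.

```python
"""Bind a URL-carried session ID to an HMAC cookie (added example, not WO code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Hypothetical server-side key. A real deployment loads this from configuration
# and keeps it out of source control; it is generated here only so the example runs.
SERVER_KEY = secrets.token_bytes(32)

COOKIE_NAME = "wobind"  # hypothetical cookie name


def binding_value(session_id: str, account: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over (session ID, account): the cookie is valid for exactly one
    session and one account, so it cannot be replayed against another session."""
    msg = f"{session_id}\x00{account}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def login(store: Dict[str, dict], account: str, key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Create a session; return (session ID for the URL, cookie value to set).
    The cookie should be sent with the Secure and HttpOnly flags (not modelled here)."""
    session_id = secrets.token_urlsafe(24)
    store[session_id] = {"account": account}
    return session_id, binding_value(session_id, account, key)


def session_is_bound(store: Dict[str, dict], url_session_id: str,
                     cookies: Dict[str, str], key: bytes = SERVER_KEY) -> bool:
    """Accept the session named in the URL only if the matching cookie is also presented."""
    record = store.get(url_session_id)
    if record is None:
        return False  # unknown or expired session
    presented = cookies.get(COOKIE_NAME)
    if presented is None:
        return False  # URL arrived without the cookie: treat as a hijack attempt
    expected = binding_value(url_session_id, record["account"], key)
    return hmac.compare_digest(presented, expected)  # constant-time comparison


def demo() -> Dict[str, bool]:
    """The legitimate owner plus three hijack attempts; returns accept/reject per case."""
    store: Dict[str, dict] = {}
    alice_sid, alice_cookie = login(store, "alice")      # constructed accounts
    mallory_sid, mallory_cookie = login(store, "mallory")
    return {
        "owner": session_is_bound(store, alice_sid, {COOKIE_NAME: alice_cookie}),
        # Mallory copied Alice's session URL but has no cookie for it
        "url_only": session_is_bound(store, alice_sid, {}),
        # Mallory presents her own (valid) cookie with Alice's session URL
        "wrong_cookie": session_is_bound(store, alice_sid, {COOKIE_NAME: mallory_cookie}),
        # a cookie presented with a session ID the server never issued
        "unknown_session": session_is_bound(store, "no-such-session", {COOKIE_NAME: alice_cookie}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the "owner" case is accepted; the three others are rejected. Two design points worth noting: the comparison uses hmac.compare_digest so a timing side channel cannot be used to guess the cookie byte by byte, and because the account name is part of the HMAC input, a cookie Mallory legitimately obtained for her own session does not validate against Alice's session ID even though both were issued by the same server key.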
TW wrote:
All:
I just had a meeting regarding one of my apps today with some
central IT types at our university. One of the questions that was
asked of me (for the first time actually) was whether I had run a
security scanner test on the application. While I'm not so naive as to
think there can't be any security issues, I had always felt that
the many levels of abstraction in WO/EOF naturally insulated me
from some of these considerations.
For background, this central IT group is heavily Microsoft-leaning
- so they kind of live in a different world where security is
concerned, and I think they believe that the entire world of computing
has the same architectural considerations they do. Their question
was obviously out of concern that an attack could be crafted
against the app to extract data from the database. It's difficult
for me to imagine how this would be possible with WO/EOF, but I may
have naively looked past this.
To get to the point, I'd be interested in hearing from developers
on list about whether you have scans performed against your apps.
Yes or no, what were the considerations that drove the choice.
Tim Worman
UCLA GSE&IS
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden