Systems Integration: A security focus for web applications
Bruce Schneier recently pointed out this blog post by Troy Hunt. Mr. Hunt wrote about a B2C site operated by Tesco PLC. At the time of its publication , Tesco's site had received little or no attention by their technical security auditors. Bruce found Mr. Hunt's blog post valuable, "...not because it picks on Tesco but because it's filled with good advice on how not to do it wrong."
I agree. Hunt discussed problems that are very common and occur with many, many sites. The bulk of the problems he atrributes to unconscious incompetence -- and that can occur anywhere. We can even outsource the problem to incompetent service providers. These problems are caused by a lack of attention (and/or resources) combined with a lack of knowledge regarding the risk.
One technical example Hunt highlighted is the limitation imposed on "sessions" maintained via HTTP. Cookies must be used, because HTTP is stateless. All of us use sites where session continuity is managed by trading cookies in plain text -- and these sessions are all subject to MITM attack. In fact, I'm transferring a cookie in plain text right now to post this here at www.daemonforums.org -- I can't post without it.
Another issue Hunt highlights is to pay close attention to the security of the complete chain of software used to deploy modern web applications. The chain can be both long and complex, and contain disparate program products and their libraries.
Interesting read, though I disagree with him regarding passwords vs. passphrases -- as he takes issue with my favorite XKCD comic. Mathematically, bits of entropy are key to placing brute force attack successes into sufficiently long polynomial time. To do that we need to ensure our randomly chosen passphrase words are sufficiently random to provide that entropy.
Last edited by jggimi; 16th August 2012 at 03:25 PM. Reason: typo
|Thread||Thread Starter||Forum||Replies||Last Post|
|Today's presentation will be on BSD systems.||Ninguem||Off-Topic||3||6th December 2011 06:46 PM|
|Chromium loses focus in text boxes||kly||FreeBSD Ports and Packages||4||19th October 2011 02:53 PM|
|Industrial Control Systems: security holes galore||J65nko||News||1||25th March 2011 07:42 PM|
|Best web browser for *BSD systems||JMJ_coder||Other BSD and UNIX/UNIX-like||92||2nd January 2009 08:27 PM|
|OpenBSD GUI Applications||qmemo||OpenBSD Packages and Ports||17||6th August 2008 11:07 AM|