Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Web Application Security Woes



 By: Timothy Dyck
2002-09-27
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
eLABorations: There's no vendor testing or patching process for many vulnerable Web

Security always comes down to securing applications.

The whole point of firewalls is to hide internally deployed network applications—assumed to have exploitable vulnerabilities somewhere—from the outside world.

The main weakness of firewalls is that they are based on a one-application/one-IP-port model, something that worked in the pre-Web days but is completely inadequate now. These days, most application data flowing through firewalls and over network backbones is on HTTP ports 80 or 443.

Resource Library:
Thats why the main burden of security now falls on those who maintain Web sites and on those who write Web-facing applications or Web services. Web applications are highly vulnerable, and since many of them are both one-of-a-kind and internal, there is no vendor testing or patching process to help with the security burden.

Writing secure applications is a matter of understanding the issues and writing defensively to anticipate the kinds of attacks that are possible online.

While there are a number of good books on this topic, my favorite online guide is the Open Web Application Security Project, and its updated compendium of advice and best practices on writing secure Web applications—Version 1.1 came out just a few days ago on Sept. 23.

As eWEEK works on further coverage in this area, Id love to hear about your own experiences with secure or not-so-secure Web applications.

What are the issues that often get forgotten? What parameters werent value-checked? What sneaky things did crackers figure out about your site to be able to find a hole? Id like to share these things with other readers to help everyone learn, and will keep names and companies anonymous if desired.

Web code security woes? Let me know at timothy_dyck@ziffdavis.com.



  Reader Comments: Web Application Security Woes
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Timothy Dyck
 


x}r㶲s\@♵M"f4%X+eikRJEĘ"Hʗ'ˮO7t%3qOM@ht7F;?;;~$rLH56%3E]"I͝{#Hp(IFA)v@=4wݶ&N`P'~ 6 \L|N 2wx@vDʒ)&Ӱ5Y |+[3}BF6\3b ھI_MMJDERzGEQݓ-Dm:]'7*ޣ,#7 ݙ8/d_b[Aq<5i;;z~;BZ&QuVVٮq8]b#0+#O3 ֱRQ(0B.ĄCChI%۝_I@ؒ&4hm5b#b=w^]õ]R,RՌeCst=POMҷB]LH6}l~8MjQOK.mZNT_'@;)|E['0歭_ϫ|tfs< s~3 CoZ KUKozcn>LjZuL}:n-EӝÌfؖqSth(͡u(~]rL.-g~oTzEÝ1+U_t. $QwÑ;7ܖӝua(^w: Owy@α[A~N7" DT-jR*D@{aBjLha5 u P程T畒A\7jy%R߯4E;J KHS Ә= (1N,ԑX:lji_ WW~ gGW)7b٘XC ji@$m zb#=Z VӓKION{Ws#)|v>5MP\ܱ¬8ڪV^`Cė6O^Mn[CEC0jr]R ~8>_4R;Ǥ uXO'_g90dN`mYn_H!O|T,,0UhfU x CX&%e"kh:u vysƊFzjRĿ"E/|P'X\[1P3Z$o K>Lr &Sk~$GU\Uņ]`)edFSiK3_^ʂ؃_΢1jNTwYQc'{D]-7Du,.ɺ*35-wft_wΤyn >^OHwS>aYyƺƻ EHY7-6I09qN}sQVHrRW_" r%(NM[ԑAplòDŽIzݿa AhgIy}FMk>ktI}XGxeuDyqj.3+ԍEhn΀H`Ni1[W |ۋRPIZ3xV=H:}n~5A%'@ -u'08wɭ5EPͻ#iy1&=զA{Tfg,ze}  l߽5#.ꖭ,T<ħܠ{ԁ.v9.WbA/h" DEMi@$P!$-4`r.= ŌP^HX-淋rP.o=!đtNܡZ.ߗQMf~FZ ׸z)zI)lΌe&zϏaZLdoW^, Uto35Muc}s_9ԴzO4mMhǖa{n]ym,`bʄD$%LE;N't3AP~wCoBEEw[J0aFiŬ9gEy5>T ͜Y,1%&B~aZ&4B 7uXlEA\'1nUC\f;aMv"Vv6`zT4fSHڶMS}77Bs݈C/2 W.Y 2gxRUfyQtʜ*PX3n26=MJ<§"ǰAP7oZp(^\IIcНj!D xl\6ƖuV"k̲X]ۼ/ 7ryO4 uK{2,F6@Qٖk ,:+}:K_iHH*E6@\Z1,c %>.1A/aڵ(_OpSo{:!jabE3%UV F&,mk9VaUsV@6d@7h`L DolVCbx9ZǮAwmK{zl.>q (*l|R 7u'JiX$l M=t&<$2.|N\,/0CVšk?j GL[QZ{}cThb8lX:uosj1هI 4䧢RVJ! D ȸla,Caڴ *;vm۽G Zfdy +JЦIr!9 ֈI81']g* ĕQa<~lL`n+n 5!70U# TK=:>Ħ4Q{ /)J%Ew` L] T< ty[ :6.w\](DrIab D$*UtH`m`R@:khRUxB@^q~WJI:NdԘh>S7͏P)gh9d*>'HZ+j*Zj7;*Aq[ q@'|a_ћzř1FtY57A_!l^R`s||ujN8edCe@3& z-Cj9ajv2 N#3hh { V{YPjVR=4xFs܇1"wክ5T;NGw jVJ)YU!bW hĞf~kgayͤn[>|lsHNqDL+sPRsQl X@l̬k!@:a۴q:&G216"j` |sUʩ,TΩ,23 gg]b-o]9e>c'Z\c7!2Z$t#n=_"wsԷкMkls Gq33"nLt"#Z"tֳ>^#2!=z%~~[q{;IL=ey\TJRճ(I$ [2t9t=d}{c5Z:<*Cz)ϣDʜiߐ@ڨO( ]k88ŤX[Lv迌2KGɭTSV<Z6~ZoaqVZʡF3HUdEMkoȧ5rv=HG~ W>UAT?CUiZe%%~!FpimyB֒%3qܻB8-ܟ`"@N|C!ZO]T%R2i$z%%hKg o@PlXC=B3tMnik[k21`I3I9`{iK4c3=Cnƍj*\$T+IjYxf:PnȄOG[upM\&|J皿E30| Ͽݜw9sC >Li7I}MVJ٘H2M#u(L!ٯ1|\$P? ]V(R za: 2w>y?'l{H #nB+,U.n_B&G+#I x]$ ӄ;}"[Ta3 111u?|۽ j%l * NSq-Κd2;?R;'R6ib xȄyut'_Awqk;qa^+{;,U.š HHW'RGQ^9f K RCbv}Wrzlt.>HW m}:<.dhT7Nus!^>ICr޹hKV'KQ~\CR@!pWv*:f3ڌ6NJ $Z_=0<;&/!mM@H}]8_k5c-MgnܓS&aF`6~YQx~WX* ̄|CCj/(@R`OH[%#N:vVfp="B4X 1te"(BR.IHOg4}ܻjq# lo}A_/Kw?J ~_!c/Mp<&m{pJqk';#$GyS`Ӈ s;)di!ꜱr7^{I .U>R2MĔyk.Nm [Ot1ݻQLsS.p$-Zbe^nKlx0c)Mz.p+|Ljk'iZVӼ6X(4%4TNԌOCYF*d=7' ҿl]lpPpoS6 PuX<:Rp@D2às:&AB|Hymϣ#:*VZZFZv*'?v% L8a=!h QؕrVTZT^Jlw7sp=q"?h9c7:ŎNjvʌW!Ca(v, مFf5!WC1llyRеldN-Ɣ `sBk;GR0x&TtEwy'(" ((\ ;8J-s;-!'=r}EZg QW}F)}G7o62}2JO$o~QOovN{m,da}?H+ɶFO r4M1hG4vdLg!I )VzU7`9ʜ9%/+dxrt2cעI/ov(fd~\:pCҠ%ccmf}ݸw[1riÉfwo!KP,I.=]f+wQȤ[](f_,,R骏v9c|Me-/^RIR>^'߫$"h h6vo"Y!0N Ħ7=12~1_O}rmGMA U h Cl {g ЇG !4T8xl|nwcLlll41RШo!qlf8W ;N( ֱVاe_7zkVy} rx|Svz7_7c\PF<)2W/6o,).w?Pg=."7(S/4 FK[V]:lMo %n:x-F-튪yDu2jI `&FO7F[pn\Bs|bbh1?\rƔt1!O ͧn_Gzy8£)4;w{:lEA:X-G!rt[uZQr%q GEHg<AK1?HA6tRc׭sӨQ5~:O'F)9h/x.<q"hͧnwD ]haI X+@2L`Gui}\|2ZS*dH΁S3@`k>ƈNP=H}IͮNXs(_RCAWAgXFM w]!Q pxׄb5L%Jf1Bؗ*aVj1ԏvZ%h n¤#w܍RSdq̣)S2E!WH+JB),ț yZI-'!/iM5+&l"tYD(ִ˃5e5e7Xgl7k<6xru1}0ȺMph=g>,W+\tGJH-N]{>a]A*WZCR*VVBx%U"Z"ᢓH!q5P_m^KmJ/NI PƖ? Pl+KP=AVTC1l&l&[+@ROKRe#I\rWO5rHNOWaI=Nst#L&3vy(]Wgl!u@ZZx݀@d 6઼zULwXL!U/KC|7eK1K,[jQ#= VhRCWyԑh*ժDq8Bor*б?9䪫⚁H%1<;RkçZVsIU# akץ<zs/hbQ-\;cPg k4MtB\ͮͮͮͮ5MVoWO՗7+"Ǻ?H=IsGs[،?E3eʋ3 % x$' <qU[?0ԜP1?E)<+'ݐ^`.bUFk=>3.U@F 9 ]XAg1lҫ4Wp|^p,蹯d&=b# jnXԏ$kQ $pH p6}U1DD8ؾͭlH /oQ  nLo$K-U'/K-'`.UK}6r׵RV)k)^)娒%=JZ[־0Nl^ ͗Β]ڔɽ2222_-S-WmˌԲuaqtI]fK96pM}Q(.LU7  }q WEܶ6IH9n>sUIBO3`8f5 =wf5#Čz~e ws"9Zwpӌ*Dg𞸸]iOf.E;%4;g &Jnd`^; b sܲk9b9F ^gzzqv3ğ8?콮Gu)_TwJPȓR 8Gfx-]ǻ(aE#uL׭knk[:T4}o30$AKR}:Bى4 aU}D/4Q PO|F~Mr5AEqUygН;ee~sy]C a|Je_i_g[5\\s= Vk\W{Iw%4}:^͝IzmM/ qtU;:۬7oǰLHvjcm'㹙t=|6-b-M*X6̎5>kœb{ ˢ/ƞ}:soRy,ˡ rblC؆_qYf-0kĚ_Q-i錂ql d/f3ƚi< m~'m&UR P2 ,>t5.F3h έko0 MLłe^]F³ʶ%1A dm/'IlǰM别\1Y ,Ñ@t}sQ@ ! !L7iJ5ntP F4&N-§EpF}Oj{ esWIYe2+woԍ,g'LD5* I7~VG}K:iL҇Oo/ 2â۴=$LE]զ l1a6!:i&MqSW8G~RJ~~'z`<u'<~'&&Ȣ#>ybq/KI)?ƅ(q KLg[@9nn\_/O`+5מS|?7]HU6^ۏoTŢW@#.kX4ձ u8}dd  PYݣ\ۦ;MRDn|Q]PôŎL]Y aJfad]}$FlE߽cD8h긶"[aX7ï+ [#rh!@ ,%oL"%(wE0ě:hD^dbɤ؛7K fןRףxQ}Ό"F$xr"*]sNnvժJ]]͹N?P. ]Z˽XjuV%.g{VH=ܚ&aOE($+3H>PSZ]`UH*4@8k1 =nZ:n<VULx"y?L3=uzXU){̴u5jY<5WSYzܽ9j<1xfYj*pa8ufu=ԘrwE8e6R cszqT;vdZl3L´OA*d 8IVuק6̽KťMDF0J j%V*C/CzQM^ +5Mj}r %+3!:gfB\i|kM|5@CO &ړ{zy岶_U2=oOLBa}X2SkOYva|X>PP.%(7zv yCNcˡ/0UKzpײ}#X]B+&Ǯ)XC @/0s{YMF^]5X$lOHuWIkmr9ݫ9?3\<#Թ|I^tbS{=s$">Nqiqo.04`1q<>3K :K5,?K)m#aiC^ C*g=+A" )e*F&#Zikxo< 5cp#E & <6K$Adȇ5T?Ose~f{BJ{=Lm~C#hM-ãۙ|U:i|%wRWlΦ!𫥏s2%W0OAnldU{V~Kb;{r h:MQx\J5 Ua>m[=~}LfROaFgLN!_ _ݰ,VI myd72[ $}ZĮ,H1&I}n꜓u=haGp(-$=:mGL(C7t؟!/@vq^ s@9P"aKOvI1u#e#.7,>q75t$rE!ioF立RWJƈ\䐟ÈGs[]QED8Ŵ c 41GH[1~gMNs XҚ0!<\NA}symDRRia\b05Lx19SӖ{bC{cн}|u.#@ l!1g昱OiX$_яRB/%H'U,%ݗ)6qY@y#DLMzD!kC1P?5DJ·:_𶿹fFé :laww.Bt揣ϼðq7]ށ@fVpRt=:]stԨ*ʞ <򽉑{0u9@)s!aR;:$_|LR] $BqнӜ^ZY oXֿ2 >Up4S~}< vԼT:rٮ..vstsӅwsg賛Cȣ9r ,'.wsa|/r".`.rƯ崿#z _z92>.eN+C9C9 ro/H@_sK}'ߧ]Cu^:u^C9_]_zy[9|ֺą)ryC/ ȋUৼtXB]!=GUHϡXi7{9Zee+B99^}NNF*/Iz]!4.5Pg[k /Y3ݲ*Iլ m }}}P Byek22AQ𰐲FgE6eۏMY[,Oмz'JJܓs+Z`~H逷\]d}+c|UfE+tj12<=s֢@+zEk050ZqF`~Ug} !>:YĞl!lq< 5RQu8 % {Q&ƀ;'(Bhظ+jzG|jpOpܣ17LհC$ R#ij~jZ)~#\!a،p=bUUEVjrp` VQ*D`I:Cdx|D!*eiث,91C=b;8[^+wp Eϟ Ч :v̆&ba"Jj"EaSOp^'Wv$` }3wPsgqq=u] XJe*<ZA0ǘYϤKTl!&ήwu`ٰ;#ӄ[Lb,!eނx~l4QA[TDr(9ǏԦa{f'Շ7սtL$pgB-ҋKM@e˺U&ˣb_. 5tP@2nv–1*\G'!oNLn6_N̓[ 3do@r9=fG.^d" #tuy9L"rʃNU ͔ca]m8ubTm,o|X v;n\hX, $ fLe~1$Z_\g AL @I`1@ËR,i_l7g@oaXmt(RVWBD8s2&QDnCr g>Փo AnﺳcX]=Qg ~*,x`Sqc͘]%u'14_6GN*L/0DOqtgD L n`[>/A>=Lgn|0'+xTb;`HIاlPgJ6Nhp`g 0, 6 郇rIB+.Ġ/>''TWBMxXU7gM&;"Д0v]~/Ļ(GF >OzKF2jSo:}r;sake-"mԵ[E/F\gHQ*x⥎ϑ9E*Z؏7V2sL ALH\(2m-Eǝt};{/d-+2dХv5%k$}HdRͤ_[=$sDJbE)۠(b/ YJ>= T@| %\6HDRg}J0N:mv8e avwj9ceu-s0ŴBShJ ,(O?'knGLk,>iЄ.^p멎PhU|A>1Yv/-(G,J~Q.5 7tle @J6 >m73T| <%` GYU`ZKr ǩk[Vmx{ w}u+y!I1 fɟ]챺WIڶ7(G,cݰȰ-`jkDmYtẁA<۶w&׶Ldؖ׶< Xè+vf$Ѿs,a|X oV|޸+no=Ȉe6\g0^n`,eL۾WaYX&5$V3/ϵNى\׹07L;̋lyEx%e2crACb 0F :Eb|̀3 }JP]oXGۂvՍK׶S|"[<.ǮL xOxNž=Sf}'s)SL_1K?IG\h`ʢ8b{@T,v P.i9|]*'꛺VE/(?!2T"Vxv`Eqwş7{l~ )#Us̹D/TR_JC\qrx6 }Tbr$XX7a66̈́ ]&ŮMvesvRG+