
    Oracle and Microsoft Weigh In

By eWEEK EDITORS - December 2, 2002

After the conclusion of the OpenHack 4 project, eWEEK Labs West Coast Technical Director Timothy Dyck posed questions on enterprise security via e-mail to two of the people who helped harden the test applications: Oracle Corp.'s John Abel, principal consultant, Oracle Technical Architecture Group, and Microsoft Corp.'s Mike Kass, product manager, .Net Framework.

      eWEEK: What are the most common security mistakes IT staffers are apt to make when deploying Web applications?

      Microsoft: Failing to plan for security in the original design, including developing processes to keep up with the latest service packs and patches; failing to follow published best practices, such as always installing the latest patches, turning off all unnecessary services, ensuring that all passwords are complex and nonobvious, and adhering to the principle of least privilege; failing to expect failures or to practice defense in depth. For example, it is not enough to perform only client-side validation; all input must be validated on the server prior to being sent to the database.

      Oracle: Leaving default operating system or database passwords on accounts; leaving demonstration files installed on Web servers; not removing all unwanted files. It is amazing when you access a “hardened” server and find, for example, three versions of Perl installed. Also, failing to lock down ports: If a Web application requires only Port 80 and 443, then just open those ports. People also miss bugs in application code that let hackers exploit vulnerabilities and fail to apply the latest security fixes.

      eWEEK: What aspects of the OpenHack configuration would you most like your customers to emulate for improved security?

      Microsoft: In addition [to the points made in answer to the first question], we would recommend using integrated Windows authentication to access the database, putting the Web content on a separate volume from the system volume and using the Internet Information Services Lockdown Tool and URLScan for IIS 5.

Oracle: Remove “code” characters from data fields that could cause issues (characters such as %, <, >, ;, + and "); always send the user to a generic static HTML error page whenever any type of error occurs so that you're not providing hackers with any information; set the Oracle Net Service Listener to restrict database connections so they can come only from the Web server; harden the Web server to remove all unwanted code and configuration settings; encrypt secure data.

      eWEEK: If you could change anything about your OpenHack configuration or code to further improve security, what would those changes be?

      Microsoft: For an additional layer of security, we could have stored salted hashed passwords and used a challenge phrase scheme for password recovery or reset.

      Oracle: For the secure pages (for example, once logged in), we could have used a custom user manager, which would validate that a user has been authenticated before accessing secure pages.

      We could have also added in a session challenge number to validate page flow.

      A more major change is removing the logic from the JavaServer Pages and adding it into a JavaBean or Java servlet so all the JSPs are doing is generating a user interface. This means that the module can be built up using shared methods, which provides simpler code and a single place to fix problems.
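The two changes the vendors say they would make, salted hashed password storage (Microsoft's answer) and a user manager that checks authentication plus a single-use session challenge number before serving a secure page (Oracle's answer), sketched together as an added, framework-neutral Python example. This is not OpenHack code or either vendor's code; the in-memory user store, the Session class and the redirect strings are constructed stand-ins for a real servlet or .NET session.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: username -> (salt, PBKDF2 digest). A real app
# would keep this in the database; the point is that only salted hashes are stored.
_USERS = {}
_ITERATIONS = 100_000


def register(username: str, password: str) -> None:
    """Store a per-user random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _USERS[username] = (salt, digest)


def authenticate(username: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class Session:
    """Stand-in for the server-side session: who is logged in, plus the
    challenge number issued by the last page in the flow."""
    def __init__(self) -> None:
        self.user = None
        self.challenge = None


def login(session: Session, username: str, password: str) -> bool:
    if authenticate(username, password):
        session.user = username
        return True
    return False


def issue_challenge(session: Session) -> str:
    """Each page that links to a secure page embeds a fresh random number."""
    session.challenge = secrets.token_hex(16)
    return session.challenge


def secure_page(session: Session, submitted_challenge: str) -> str:
    """Custom user manager: refuse unless the session is authenticated AND the
    submitted challenge matches the one issued, so page flow cannot be skipped."""
    if session.user is None:
        return "redirect:/login"
    if session.challenge is None or not hmac.compare_digest(session.challenge, submitted_challenge):
        return "redirect:/error"      # generic static error page, no detail leaked
    session.challenge = None          # single use: the next page issues the next number
    return "secure-content for " + session.user
```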
