There are very specific equations that can help you decide how much you need
to spend on risk mitigation and security.  Unfortunately, most web developers
don't know where to look for information like this.  Also, doing a large-scale
risk analysis can be expensive and time consuming, enough that it will
be skipped by people that do know how to conduct one correctly.


The things that we have talked about thus far are all easy to implement, and
free.  You are using the security that is part of your database, and using
the security that you yourself build into your application.  The encryption
stuff I wrote is freely available on cflib.org (although I do need to
update it).  Documentation on best practices is all over the net.  Open up
Google and look for web application security, or something similar.  You can
get quite an education for free these days; I know I have.

--
Timothy Heald
Web Portfolio Manager
Overseas Security Advisory Council
U.S. Department of State
571.345.2319

The opinions expressed here do not necessarily reflect those of the U.S.
Department of State or any affiliated organization(s).  Nor have these
opinions been approved or sanctioned by these organizations. This e-mail is
unclassified based on the definitions in E.O. 12958.

-----Original Message-----
From: Tom Kitta [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:39 PM
To: CF-Talk
Subject: RE: RE: Securing CF Apps.

It is a positive sign when so many people on this list recognize the need
for security in their web applications. The next step after acknowledging
that security is needed is to determine how much security is needed. We
don't want to protect 10c of assets using security worth $1000. Once we know
how much we can spend on securing our assets we proceed to security
planning.

In the CF-Talk discussion, thus, we should look at easy and cheap-to-implement
security vs. more expensive security implementations. After all, if we have an
unlimited budget we could do something silly like hiring someone to watch
every request our website is about to process.

TK
  -----Original Message-----
  From: Kwang Suh [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 23, 2004 2:12 PM
  To: CF-Talk
  Subject: Re: RE: Securing CF Apps.

  > 1. If you're properly encrypting the URL you're going to change your
  > seed (key) every request.  That way it is different every time

  What possible value does this bring?

  > 2. By using plain-text variable names you're going to give the potential
  > intruder a decent insight into your application design, and this
  > will give them the ability to make educated guesses as to your other
  > circuit names.

  So?

  > 3. The objection to using cfquery is multifaceted.  There is the
  > risk of SQL injection if you're not doing the correct validation.  If your
  > errors are not being handled correctly you can give away table and column
  > names in the error message.

  So don't you think it's more important to handle errors properly than say
  "don't ever use <cfquery>"?

  > Also should someone gain access to your file system they can
  > build a pretty complete picture of your database from the queries.  You
  > can't do this when all you are using is Stored Procedures, especially if
  > your variable names don't match your column names.  Throw in views
  > and you can obscure it even more.

  You've got bigger problems should someone gain access to your file system.
