Hi,
According to Xiom, nothing, including computer software, is perfect. A
software malfunction results in unexpected behavior of the application,
something we refer to as a bug. Such a bug causes damage similar to that of a
security breach, including disruption of service or damage to information
integrity. When exploited intentionally by an interested party, such a bug
becomes a security breach, and the potential damage may also include loss of
confidentiality. Naturally, once exploited intentionally, the damage inflicted
by a bug can be much more severe than if accidentally inflicted. Bugs that
are suitable for intentional exploitation are called vulnerabilities.
Web applications greatly extended the scope of the issue. First and foremost,
such applications are inherently exposed. Once everything became connected,
sometime in the last decade of the 20th century, the firewall (referred to
here as a "network firewall") became the de facto solution for ensuring that
only necessary services are exposed outside the perimeter of the
organization. Web applications are one of those services that need to be
exposed to serve their purpose.
However, web applications are much more exposed than other externally
connected applications. Other servers, such as mail and FTP servers, are based
on software written by software companies and are relatively static. The
same mail and FTP servers, sans security updates, have served us for more than a
decade. The number of vulnerabilities gets smaller the more mature the
application is. Stability also means that security becomes more important
than additional functionality, and makes it easier to follow an orderly
development life cycle and ensure proper testing.
Finally, being widely installed, many people can test the security of such
servers before the hacker finds the vulnerability. As a result, the
prevailing security measure for public-facing servers has been the
intrusion detection and prevention system. Such systems are based on
signatures that match known attack vectors, limiting exposure to only the time
frame between the time the vulnerability becomes known to hackers and the
time the signature or patch is issued, which is short if not negative.
For further discussion of intrusion detection systems, refer to the relevant
chapter.
*Web applications are very different:*

* Web applications are unique to the organization, each one exposing its
own vulnerabilities, reducing the effectiveness of known-vulnerability
signatures.

* Web applications can be, and are, changed frequently to adapt to the business
objectives of the organization, making maintenance of an orderly software
development cycle hard.

* Web applications are complex, objectively and subjectively. Web applications
are event driven due to the web paradigm of client-server interaction, and
many programmers just don't understand the flow well enough. On the other
hand, web development is considered simpler, and therefore less experienced
developers get to do it.

As a result, vulnerabilities in web applications account for a huge part of
real-world information security incidents and virtually all of those related to
data center security.
--
You received this message because you are subscribed to the Google Groups
"nforceit" group.
To post to this group, send an email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/nforceit?hl=en-GB.
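The post's central contrast, that signature-based IDS/IPS catches attack vectors which recur across many products while a web application's own vulnerabilities are invisible to such signatures, can be shown in a few lines. The following is an added illustration, not code from the post or from Xiom: a toy signature matcher in the style of a network IDS, run over constructed HTTP request lines. The three signatures, the request log, the invoice-ownership table and the function names are all invented for the example. The last two requests are an authorization flaw specific to this hypothetical application (a user fetching another customer's invoice by changing the id): nothing in the bytes is "known bad", so the generic signatures never fire, and only a check that knows this application's ownership rules detects it.

```python
import re
from urllib.parse import unquote

# Generic signatures of the kind a network IDS/IPS ships: patterns for attack
# vectors that recur across many products. Constructed for this example; not
# taken from any real rule set. Input is URL-decoded before matching so that
# trivial %xx encoding does not bypass them.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
}


def match_signatures(request_line):
    """Return the sorted names of every generic signature matching one raw
    HTTP request line (empty list when nothing is 'known bad')."""
    decoded = unquote(request_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


# Constructed sample traffic. Lines 2-4 carry textbook attack vectors that a
# signature can express. Lines 5-6 are this application's own flaw: the user
# asks for invoice 1043 exactly as they ask for their own invoice 1042.
SAMPLE_REQUESTS = [
    "GET /catalog?item=42 HTTP/1.1",
    "GET /login?user=admin&pass=%27%20OR%20%271%27=%271 HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",
    "GET /invoices/1042 HTTP/1.1",   # the session user's own invoice
    "GET /invoices/1043 HTTP/1.1",   # another customer's invoice (IDOR)
]

# Knowledge that exists only inside this hypothetical application: which
# account owns which invoice. A generic signature cannot carry this.
INVOICE_OWNER = {1042: "alice", 1043: "bob"}  # constructed

_INVOICE_RX = re.compile(r"^GET /invoices/(\d+) ")


def app_specific_violation(request_line, session_user):
    """True when the request reads an invoice the session user does not own.
    This is the application-specific check that a network-level signature
    cannot express."""
    m = _INVOICE_RX.search(request_line)
    if not m:
        return False
    return INVOICE_OWNER.get(int(m.group(1))) != session_user


def scan(requests, session_user):
    """Run both detectors over a request list; returns one tuple per request:
    (request, signature hits, application-specific violation flag)."""
    return [
        (r, match_signatures(r), app_specific_violation(r, session_user))
        for r in requests
    ]


if __name__ == "__main__":
    for request, hits, violation in scan(SAMPLE_REQUESTS, "alice"):
        print(f"{request:60s} signatures={hits or '-'} app-violation={violation}")
```

Running it shows the signatures flagging the SQL tautology, the traversal and the script tag, and staying silent on both invoice requests; only `app_specific_violation` separates the legitimate /invoices/1042 from the /invoices/1043 read, and it can do so only because it was written for this one application, which is the post's point about why known-vulnerability signatures lose effectiveness against web applications.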