All-

It's true that there are plenty of ways you can program a security hole into your sites. I feel it should be Witango's job to help where it can, but also to allow developers the flexibility they require.

One item that I've been thinking about is how to handle <@ARG encoding=meta>. This is potentially very destructive since it allows knowledgeable hackers to pass executable Witango code into your application, which it will then execute.

Using DirectDBMS (Custom Queries) is another potential problem area, with respect to SQL injection. It's always best to use the <@BIND> tag in these actions so that data is passed in as a reference rather than a value. (A tag I'll be improving.)

One thing that Witango doesn't suffer from is events like buffer overflows and the like. These types of memory misbehavior are the primary way that hackers exploit a system.

Another area that I'll actually be spending some time on to make sure it's solid is the communication layer between the Client (Apache/IIS module) and the Server. If not handled properly, it could be a weakness.

If anyone does have reports, either explicit, implicit or even just a question regarding the security of running a Witango site, please bring them to my attention.

Robert

-----Original Message-----
From: Fogelson, Steve [mailto:[email protected]]
Sent: Tuesday, March 08, 2011 4:38 PM
To: [email protected]
Subject: RE: Witango-Talk: HailStorm

Hi Paul & Robert,

I have McAfee Secure/HackerSafe test my eCommerce application on 3 different websites daily. 2 hours at 2 tests per second. 6 hours total. When I first started with them a few years ago, I had to change a lot of things in my programs for mostly cross scripting and SQL injection. Things I probably should have known in the first place, but I got it figured out over the course of a few months. It has been running great since. Once in a while something new will pop up, but it is not with Witango. Just something I fix with my code.

Steve Fogelson

-----Original Message-----
From: Robert Shubert [mailto:[email protected]]
Sent: Tuesday, March 08, 2011 3:10 PM
To: [email protected]
Subject: RE: Witango-Talk: HailStorm

Paul,

I haven't heard of anyone doing this. I host a few ecommerce sites which are scanned by the usual PCI compliance sites that are out there, including witango.com, and they've never found anything of note. If you (or anyone) wished to conduct a test of a Witango application, I would certainly help evaluate any problems found and quickly correct any issues which were linked directly to the Witango Application Server. Security is something that I think about often as I design new features and improvements for Witango.

Robert

-----Original Message-----
From: Storey, Paul N. (MSFC-IS30)[MITS] [mailto:[email protected]]
Sent: Tuesday, March 08, 2011 2:47 PM
To: [email protected]
Subject: Witango-Talk: HailStorm

Has anyone used Hailstorm to test for vulnerabilities in a WiTango application? If so, were there any issues that were related specifically to WiTango?

Thanks!!!

----------------------------------------
To unsubscribe from this list, please send an email to [email protected] with "unsubscribe witango-talk" in the body.
----------------------------------------
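Added example, not from this thread or from Witango itself: a small Python checker for the two template-level risks Robert names in his first message, an `<@ARG>` with `encoding=meta` (request data re-interpreted as Witango code) and an `<@ARG>` interpolated straight into a DirectDBMS custom query instead of going through `<@BIND>`. The sample source lines, the `name=` attribute form and the `<@DIRECTDBMS>...</@DIRECTDBMS>` wrapper are constructed assumptions for illustration, not Witango's real grammar.

```python
import re

# Constructed sample of Witango-style template/query source. The attribute
# syntax and the <@DIRECTDBMS> wrapper are assumptions made for this example,
# not a description of Witango's real grammar.
SAMPLE_SOURCE = """\
<@ASSIGN name=user value="<@ARG name=user>">
<@ASSIGN name=banner value="<@ARG name=banner encoding=meta>">
<@DIRECTDBMS>SELECT * FROM orders WHERE cust = '<@ARG name=cust>'</@DIRECTDBMS>
<@DIRECTDBMS>SELECT * FROM orders WHERE cust = <@BIND name=cust></@DIRECTDBMS>
"""

ARG_TAG = re.compile(r"<@ARG\b([^>]*)>", re.IGNORECASE)
META_ATTR = re.compile(r"\bencoding\s*=\s*['\"]?meta\b", re.IGNORECASE)
QUERY_BLOCK = re.compile(r"<@DIRECTDBMS>(.*?)</@DIRECTDBMS>", re.IGNORECASE | re.DOTALL)


def _line_of(source, offset):
    """1-based line number of a character offset within source."""
    return source.count("\n", 0, offset) + 1


def find_meta_args(source):
    """Every <@ARG> carrying encoding=meta: the request value is re-evaluated
    as Witango code, so a caller can supply executable tags, not just data."""
    return [(_line_of(source, m.start()), m.group(0))
            for m in ARG_TAG.finditer(source) if META_ATTR.search(m.group(1))]


def find_unbound_query_args(source):
    """Every <@ARG> interpolated directly into DirectDBMS query text, where
    the value should instead be passed by reference through <@BIND>."""
    hits = []
    for q in QUERY_BLOCK.finditer(source):
        for m in ARG_TAG.finditer(q.group(1)):
            hits.append((_line_of(source, q.start(1) + m.start()), m.group(0)))
    return hits


def report(source):
    """Human-readable findings, one per line, ordered by source line."""
    lines = [f"line {ln}: request data executed as code: {tag}"
             for ln, tag in find_meta_args(source)]
    lines += [f"line {ln}: unbound value in custom query, use <@BIND>: {tag}"
              for ln, tag in find_unbound_query_args(source)]
    return sorted(lines, key=lambda s: int(s.split()[1].rstrip(":")))


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

Run it over a directory of real template sources to get a first-pass inventory of the places a scan such as the ones discussed above is likely to flag.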
