Old 16th August 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,423
Systems Integration: A security focus for web applications

Bruce Schneier recently pointed out this blog post by Troy Hunt. Mr. Hunt wrote about a B2C site operated by Tesco PLC. At the time of its publication, Tesco's site had received little or no attention by their technical security auditors. Bruce found Mr. Hunt's blog post valuable, "...not because it picks on Tesco but because it's filled with good advice on how not to do it wrong."

I agree. Hunt discussed problems that are very common and occur with many, many sites. The bulk of the problems he attributes to unconscious incompetence -- and that can occur anywhere. We can even outsource the problem to incompetent service providers. These problems are caused by a lack of attention (and/or resources) combined with a lack of knowledge regarding the risk.

One technical example Hunt highlighted is the limitation imposed on "sessions" maintained via HTTP. Cookies must be used, because HTTP is stateless. All of us use sites where session continuity is managed by trading cookies in plain text -- and these sessions are all subject to MITM attack. In fact, I'm transferring a cookie in plain text right now to post this here at www.daemonforums.org -- I can't post without it.

Another issue Hunt highlights is to pay close attention to the security of the complete chain of software used to deploy modern web applications. The chain can be both long and complex, and contain disparate program products and their libraries.


Interesting read, though I disagree with him regarding passwords vs. passphrases -- as he takes issue with my favorite XKCD comic. Mathematically, bits of entropy are key to placing brute force attack successes into sufficiently long polynomial time. To do that we need to ensure our randomly chosen passphrase words are sufficiently random to provide that entropy.

Last edited by jggimi; 16th August 2012 at 03:25 PM. Reason: typo
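The plain-text session cookie described in the post is exactly what the Secure and HttpOnly attributes on Set-Cookie are meant to prevent; the following checker is an added example (not from the post or from any site it mentions) that audits response headers for those attributes. The header strings it runs on are constructed, and the list of required attributes is this example's own choice.

```python
"""Check Set-Cookie headers for the attributes that keep a session
cookie off the wire in clear text and out of reach of page scripts.
Added example; the header strings below are constructed, not captured
from any real site."""
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]

# Attribute -> why its absence matters for a session cookie.
REQUIRED = {
    "secure": "sent over plain HTTP too, so a MITM can read and replay it",
    "httponly": "readable by page scripts, so an XSS bug leaks it",
    "samesite": "attached to cross-site requests, enabling CSRF",
}

def parse_set_cookie(header: str) -> Tuple[str, Attrs]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr: val|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, has_val, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return name.strip(), attrs

def audit_set_cookie(header: str) -> List[str]:
    """Return the REQUIRED attributes missing from one Set-Cookie header."""
    _name, attrs = parse_set_cookie(header)
    return [attr for attr in REQUIRED if attr not in attrs]

def report(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing attributes (empty list = clean)."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}

# Constructed sample: one cookie as many sites still set it, one hardened.
SAMPLE_HEADERS = [
    "sessionid=c0ffee; Path=/",
    "sessionid_ok=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, missing in report(SAMPLE_HEADERS).items():
        if not missing:
            print(f"{name}: ok")
        for attr in missing:
            print(f"{name}: missing {attr} -> {REQUIRED[attr]}")
```

A cookie that passes this check still travels in the clear if the site itself is served over plain HTTP, so the check complements, rather than replaces, moving the whole session onto HTTPS.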