03 May 2010
Gone are the days when application security was confined to providing a good login/logout facility with accompanying rules for authentication and authorization. Today, every developer must be familiar with the most important security vulnerabilities being discovered. I say every developer because dealing with security is no longer just the responsibility of systems and database administrators; even frontend/UX (user interface) developers now have their share of responsibility in crafting a secure application.
SOME SECURITY INCIDENTS WORTH MENTIONING
The Recent Joomla Hacking Incident - Joomla is a popular open-source Content Management System (CMS) engine that is useful if you want to let your clients add and edit website content without knowledge of web development technologies such as HTML, CSS, and the like. In February 2010, a report from the Joomla team mentioned that it had been downloaded 15 million times, which means that a lot of websites are running on it right now. Security-wise, whenever you use an engine as an important piece of your overall site infrastructure, you should always check for updates and apply them after testing that they don't break anything on your site; forgetting about updates, or simply not caring about them, is planning for trouble. That is exactly what happened on the official Joomla website itself: after a site redesign, they forgot to update one of their sites to the latest Joomla version, and the result was that the site got defaced. Read about the incident here.
GOOGLE, ADOBE AND 32 OTHER COMPANIES WERE HACKED
Just when you think it is impossible: companies as large as Google and Adobe have software and hardware setups that the rest of us can only dream about, but computing power does not translate equally into how hardened your systems are security-wise. Having been in the IT industry for so many years, we are jaded enough not to be shocked, and of course the Google hack was an ultra-sophisticated attack of a kind that had not been seen outside the defense industry. Still, it is only natural for normal business owners to think that if companies with high-end hardware and software setups such as Google can be hacked, then small businesses with very conservative setups can be hacked too.
SO WHAT SHALL WE DO NOW?
Well, there's a lot really. As a start, if you are using one of the popular CMSs for your website, such as Joomla!, please make sure that you subscribe to their security advisories. For Joomla! they can be found here. Also, make sure that you go through Joomla!'s security checklist before deploying a live site. Other popular CMSs such as Drupal also maintain a security advisory section on their official website.
Speaking of security advisories, some of the most important documents your programmers should know are the SANS Top Cyber Security Risks and the OWASP Top 10.
One blog you should always check for in-depth information is Jeremiah Grossman's blog. And of course, who does not know Bruce Schneier? I'm still waiting for my copy of his Cryptography Engineering book (I'm looking in your direction, Sir Ron). If you are really into learning, you should always try to watch the proceedings from BlackHat.
UPDATES:
Google Released Jarlsberg, A Web Application Full Of Security Vulnerabilities
No, it's not by accident; they intended it. Recognizing the importance of educating the web developers of the world, Google released a sample web application that contains many of the most common security vulnerabilities and posted a guide on how to dissect it. This is a good contribution to the programming community. Read the guide here. One piece of news that is not good, though, is that one of Google's primary web apps, YouTube, was hacked recently using an XSS vulnerability of the kind already explained in the guide; read about it below.
YouTube was hacked yesterday (July 3, 2010)
TinKode discovered a cross-site scripting vulnerability in the comments section of YouTube video pages and posted it on his blog. One popular group of internet pranksters then used the disclosed vulnerability to attack some of the videos posted on YouTube. Google's spokesperson announced that they have now fixed the problem. For the technically inclined, Mikko Hypponen of F-Secure posted a tweet on how the vulnerability worked.
Read the news article here.
http://news.softpedia.com/news/Dangerous-XSS-Bug-Found-on-YouTube-146157.shtml
OK, that wraps up our first ever post for OutsourcingInsight.com! We hope that you find this post informative. Please check back regularly for more updates; we will be posting follow-up articles on security in the next series of posts. Let me end this post with a quote from Bruce Schneier.
"Good security systems use multiple measures, all working together. In the end, systems will always have trusted people who can subvert them. It's important to keep in mind that incidents like this don't happen very often; that most people are honest and honorable. Security is very much designed to protect against the dishonest minority. And often little things -- like disabling access immediately upon termination -- can go a long way."
- Bruce Schneier, The Meaning of Trust, The Guardian, April 16, 2010