Security Basics mailing list archives

Re: Internal attacks on web application


From: André Gil <andregil () di fct unl pt>
Date: Sat, 10 Jun 2006 12:58:58 +0100

Hello.

Actually, with .Net 2.0 you can distribute a web application as a DLL.

Although I recommend that you really push security on the applications. Your statement about encryption keys being read, as well as database passwords, violates some guidelines for doing security on applications.

Never store sensitive information. If you must, don't store it as plaintext. So with encryption keys and database passwords, protect them as hard as you can. Connection strings in .Net can be encrypted and then decrypted when used. For securing the encryption keys, rely on the operating system features.

Even when using encryption keys, remember to lock the memory area where the encryption keys are temporarily stored so they won't be written to hard disk in the event of a page fault or something similar.

Anyway, I think you should really do risk management and see what you have to protect against.

.Net 2.0 will solve the problem, but I don't think you're approaching the security of applications in the right way, because obfuscation should be used carefully, and only in special cases and at the end, to add a somewhat very easily breakable perimeter of defense.

As someone used to say, "If you can read assembly, everything is open-source".

André

krisleech () interkonect com wrote:
We are moving some of our products from traditional client/server to web-based applications. The problem is all languages aimed at building web apps are JIT compiled (interpreted), therefore you have to distribute source code or bytecode. Bytecode is easily reversed to code. This leaves us with a problem: the application and data are open to internal attack. Firstly, code can be injected (very easily in languages like Ruby), encryption keys can be read, as well as database passwords.
We have looked at Java, .NET and Ruby; all have the same problem, they cannot be compiled to native code.

Any suggestions would be very helpful.
Kris.
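The two .Net mechanisms André points to (encrypting the connection strings in web.config so they are decrypted only when read, and keeping an in-process key protected while it is not in use) look roughly like the following. This is an added illustration, not code from either poster; it assumes an ASP.NET 2.0 application at the hypothetical virtual path "/MyApp" with a hypothetical connectionStrings entry named "MainDb", and it uses the DPAPI-based provider so the encrypted section is tied to the machine (or account) that encrypted it.

```csharp
// Added example (not part of the original thread). Assumes a .NET 2.0 web
// application; the app path "/MyApp" and the connection string name "MainDb"
// are placeholders. Requires references to System.Configuration, System.Web
// and System.Security.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Encrypt the <connectionStrings> section in place using DPAPI, so the
    // database password no longer sits in web.config as plaintext. The same
    // effect can be had from the command line with:
    //   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    public static void ProtectConnectionStrings(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // The runtime decrypts transparently at read time; application code
    // never sees or handles the ciphertext.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("No connection string named " + name);
        return settings.ConnectionString;
    }
}

public static class KeyHandling
{
    // Keep a key encrypted in memory while it is idle. ProtectedMemory does
    // not pin the pages (that would be VirtualLock), but it means a swapped
    // or dumped page holds ciphertext rather than the raw key. The buffer
    // length must be a multiple of 16 bytes, so pad the key first.
    public static byte[] Protect(byte[] key)
    {
        byte[] padded = new byte[((key.Length + 15) / 16) * 16];
        Buffer.BlockCopy(key, 0, padded, 0, key.Length);
        ProtectedMemory.Protect(padded, MemoryProtectionScope.SameProcess);
        return padded;
    }

    // Unprotect a private copy only for the duration of the work, then
    // scrub both the copy and the trimmed key.
    public static void UseKey(byte[] protectedKey, int keyLength, Action<byte[]> work)
    {
        byte[] plain = (byte[])protectedKey.Clone();
        byte[] key = new byte[keyLength];
        try
        {
            ProtectedMemory.Unprotect(plain, MemoryProtectionScope.SameProcess);
            Buffer.BlockCopy(plain, 0, key, 0, keyLength);
            work(key);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(key, 0, key.Length);
        }
    }
}
```

ProtectConnectionStrings is something you run once at deployment (or let aspnet_regiis do it); afterwards ReadConnectionString behaves exactly as it did with a plaintext section. The DPAPI scope means the encrypted web.config is not portable between machines, which is the point: an insider who copies the file gets ciphertext, and decryption only happens on the box that is supposed to hold the secret.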
