Security Basics mailing list archives

Re: Internal attacks on web application


From: Adam Dyga <adeon () tlen pl>
Date: Mon, 12 Jun 2006 23:31:05 +0200

krisleech () interkonect com wrote:
We are moving some of our products from traditional client/server to web based applications. The problem is all languages aimed at building web apps are JIT compiled (interpreted), therefore you have to distribute source code or bytecode. Bytecode is easily reversed to code. This leaves us with a problem: the application and data are open to internal attack. Firstly, code can be injected (very easily in languages like Ruby), encryption keys can be read, as well as database passwords.
We have looked at Java, .NET and Ruby, all have the same problem, they can not be compiled to native code.

Any suggestions would be very helpful.
Kris.


Well, probably you misunderstand software security issues. There is no difference whether you distribute your application as source code, byte code or compiled code. This is (usually) a way of thinking of Windows-oriented people - they think that if the source code is closed then it's more secure. Unfortunately everything can be either reversed to code, debugged or reverse engineered (even at assembler level). If you keep your passwords and/or key in plain text, they can be read from binary files as well. If your source code is secure and does validate all input data properly, then the distribution form doesn't matter. You must design your application with security in mind and implement it in a secure way (forget about storing database passwords in web/server side scripts). Although it's harder to create secure applications in some languages, I suggest not thinking about what programming language/platform to use but learning how to create applications in a secure manner and letting appropriate people implement them.


Regards,
Adam Dyga
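Adam's point that a hard-coded password is just as readable in bytecode as in source, shown as an added example that is not part of the thread, using Python (which compiles to bytecode like the Java/.NET/Ruby platforms Kris lists). The two sample scripts, the names and the password value are constructed; the scanner pairs string literals with the credential-like names they are stored into, the kind of pre-release check that catches this regardless of how the code is shipped.

```python
import dis
import marshal
import re
import types

# Constructed sample: server-side script with the database password in the code.
HARDCODED_SRC = '''
DB_PASSWORD = "S3cretPassw0rd-example"   # constructed placeholder, not a real credential
def connect():
    return ("db.internal", DB_PASSWORD)
'''

# Constructed sample: the password is read from the environment at run time,
# so the shipped artefact (source or bytecode) never contains it.
ENV_SRC = '''
import os
def connect():
    return ("db.internal", os.environ["APP_DB_PASSWORD"])
'''

CRED_NAME = re.compile(r"(passw|secret|token|api_?key)", re.I)

def string_constants(code: types.CodeType) -> set[str]:
    """Every string literal reachable from a code object, nested functions included."""
    found = set()
    for const in code.co_consts:
        if isinstance(const, str):
            found.add(const)
        elif isinstance(const, types.CodeType):
            found |= string_constants(const)
    return found

def hardcoded_credentials(code: types.CodeType) -> dict[str, str]:
    """Pair each string literal with the credential-like name it is stored into
    (a LOAD_CONST immediately followed by a STORE_NAME/STORE_FAST/STORE_GLOBAL)."""
    hits, prev = {}, None
    for ins in dis.get_instructions(code):
        if (ins.opname in ("STORE_NAME", "STORE_FAST", "STORE_GLOBAL")
                and prev is not None and prev.opname == "LOAD_CONST"
                and isinstance(prev.argval, str) and CRED_NAME.search(ins.argval)):
            hits[ins.argval] = prev.argval
        prev = ins
    for const in code.co_consts:          # recurse into nested functions/classes
        if isinstance(const, types.CodeType):
            hits.update(hardcoded_credentials(const))
    return hits

def exposure(src: str, secret: str) -> dict[str, bool]:
    """Where the secret is visible: the source text, the marshalled bytecode
    (what a .pyc file holds) and the code object's constant pool."""
    code = compile(src, "<app>", "exec")
    return {"source": secret in src,
            "bytecode": secret.encode() in marshal.dumps(code),
            "constants": secret in string_constants(code)}
```

For the hard-coded script all three checks report the secret; for the environment-based script none does, which is the difference that matters, not source versus bytecode.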

