WebApp Sec mailing list archives
RE: The Santy worm and Application Security
From: Paul Laudanski <zx () castlecops com>
Date: Sun, 2 Jan 2005 15:27:27 -0500 (EST)
On Sun, 2 Jan 2005, Ofer Shezaf wrote:
> I would argue such as effectiveness measurement. In web site security catching many is not difficult as so many automatic exploitation attempts are carried out. The real problems are:
> (a) Catching zero day attacks (those that you don't have a specific signature for)
> (b) Catching targeted attacks that point specifically at your web site.
Which is why in terms of application security a multiple step approach can be ideal in the real world:

- secure program practices
- filter on regular expressions
- use white or black lists
- filter against signatures

To help against zero days, well, one approach might be to take a look at what characters are allowed, and which ones are not. This is where the sysadmin must know the site being administered, and the requirements of the server(s). Continuing from my earlier examples, for some admins filtering the tick (') might not work, but then again on others it is never required. However, on those sites that might need it, the tick might be restricted to a single argument -- which begs the question, filter the tick site wide except for that single argument, at which point that argument should get sanitized. mod_security, from a web security application perspective, does a great job at this, and is open source to boot.
> In other words - for you as a security expert with application knowledge it is a great solution. For an organization it is impractical.
Not necessarily. mod_security is in full force at CastleCops. Thanks to the articles I put up there, I've been contacted by organizations (private and government) thanking me for the code and how effective it has been in keeping their organizations up and running.

I for one like the open source tools available in the market place today. It permits anyone to use them immediately without having to wait for purchase orders. In the case of these PHP worms, it enabled many organizations to install a tool right away which brought their servers back online. Then the most important step is to ensure code is secure, always keeping that in mind.

Happy new year, 2005.

--
Regards,
Paul Laudanski - Computer Cops, LLC.
CEO & Founder CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
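The layered approach Paul describes above (per-argument regular expressions, a site-wide filter on the tick with one argument exempted, and signatures for known attacks) can be shown as a small request filter. The following is an added example written for this archive page; it is not code from the original post, from CastleCops, or from mod_security. The argument names, allowlist patterns and signature patterns are constructed for illustration, and a parameterized query stands in for the "sanitize that one argument" step.

```python
import re
import sqlite3
from typing import Dict, Tuple

# Layer 1: per-argument allowlists (constructed). The admin decides which
# characters each argument may carry; arguments not listed are rejected.
ALLOWLIST = {
    "page": re.compile(r"^[0-9]{1,4}$"),
    "sort": re.compile(r"^(asc|desc)$"),
    # Loose pattern: any printable ASCII, so the later layers have work to do.
    "search": re.compile(r"^[ -~]{1,100}$"),
    # Free text that legitimately needs the tick (e.g. O'Brien).
    "comment": re.compile(r"^[A-Za-z0-9 .,!?'\-]{1,500}$"),
}

# Layer 2: the tick is filtered site-wide except for this single argument.
TICK_EXEMPT = {"comment"}

# Layer 3: signatures for known attack patterns (constructed, illustrative).
SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"<script", re.I),
    re.compile(r"\.\./"),
]


def check_request(params: Dict[str, str]) -> Tuple[bool, str]:
    """Run the layers in order over every argument; the first failure wins.

    Returns (accepted, reason) so a caller can log why a request was dropped.
    """
    for name, value in params.items():
        pattern = ALLOWLIST.get(name)
        if pattern is None:
            return False, f"unknown argument {name!r}"
        if not pattern.fullmatch(value):
            return False, f"argument {name!r} fails allowlist"
        if "'" in value and name not in TICK_EXEMPT:
            return False, f"tick not permitted in {name!r}"
        for sig in SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} matched in {name!r}"
    return True, "ok"


def new_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, comment: str) -> int:
    """Store the tick-bearing argument through a bound parameter, so the
    tick is data to the database driver and never SQL syntax."""
    cur = conn.execute("INSERT INTO comments(body) VALUES (?)", (comment,))
    conn.commit()
    return cur.lastrowid


def handle(conn: sqlite3.Connection, params: Dict[str, str]) -> Tuple[bool, str]:
    """Filter first; only then let the exempted argument reach the database."""
    ok, reason = check_request(params)
    if not ok:
        return False, reason
    if "comment" in params:
        store_comment(conn, params["comment"])
    return True, "stored"


if __name__ == "__main__":
    db = new_db()
    for req in ({"page": "3", "sort": "asc"},
                {"search": "O'Brien"},
                {"search": "a union select b"},
                {"comment": "O'Brien said hi"}):
        print(req, "->", handle(db, req))
```

The order matters: the allowlist rejects most junk cheaply, the tick rule catches the case the allowlist was deliberately loose about, and the signature list is what remains for the argument that must accept free text. Note that the signature layer cannot help with a zero day it has no pattern for, which is exactly the gap the thread is about; the allowlist and tick rule are what give coverage there.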