WebApp Sec mailing list archives
RE: Re: applet security
From: "Andrew Chong" <andrewjw () singnet com sg>
Date: Thu, 12 Jan 2006 19:17:30 +0800
Honestly, most auditors I encountered don't really know what they are asking for. They follow a checklist, either BS7799 or the Sarbanes-Oxley (SOX) 2001 checklist, and tell the users exactly what is written. Most users will not have a clue what they want. They just gave the auditors read access to their company application source code repositories and documentation. However, this does not solve the problem, and this email thread is one example.

Your auditor checklist for applets:

• Verify that the use of applets is restricted only to development networks and not permitted on operational networks.

Firstly, do your company policies disallow the use of applets in the production/operation environment? If so, you have to move away from applets. BTW, applets run on the client side. Servlets and Java beans run on the server-side application server (i.e. Websphere, JBoss). Check with the auditor whether "Applets" in his doc refers to the client or server side. I bet he doesn't understand what it means in the doc as well.

• Review server-side includes and active pages;

This refers to the #include statement in ASP, JSP and APX code, i.e.

<!--#include file="anyhow_code_database_connection_strings.inc"-->

The auditor has to do a code review himself to see if there are database passwords and ids being hard-coded in the .inc files.

• Look for connections to back-end databases

Give your application documentation to the auditor. The application process flow will indicate if there are back-end connections to the DB. If there are, so what? The auditor needs to explain if the company policies disallow applets to directly connect to the DMZ2 database. Must there be an application server? Btw, client-side applications should not connect directly to your back-end database.

Finally, I'd suggest you answer the question in a more holistic overview of your company infrastructure. A few questions to consider:

1. Do you have 2-tier firewalls? (DMZ1, DMZ2, Internal network)
2. Do you have an Intrusion Detection System (IDS)? How often are the signatures being updated?
3. Do you have application firewalls behind your first DMZ1 firewall?
4. Do you have Anti-spyware firewalls? (i.e. Bluecoat)
5. Are your webservers patched with the latest patches?
6. Are your webservers installed with virus scan and signatures updated as well?

The above are your technical controls for all your webservers from an infrastructure perspective. For application security controls explanations, if really needed by your auditor, I'll give more details later.

Hope the above helps.

Regards,
Andrew Chong, CISSP

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com]
Sent: Thursday, January 12, 2006 10:13 AM
To: webappsec () securityfocus com
Subject: Re: Re: applet security
Maybe it _calls_ server side code (by hitting urls or other channel), but it doesn't run there. Maybe they want you to put "controls" on that code?
If that really is what they mean, what controls can be put in place to mitigate the risk? I can think of input filtering and validation on server-side code to defend against buffer overflow. Any other measures besides this? I don't understand what they mean by "environment attacks". Can anyone share some thoughts on this? Thanks.
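As an added illustration of the server-side include check Andrew describes above (this is not code from the thread): a small Python audit helper that lists the .inc files a page pulls in and flags credential-looking assignments inside an include file, so the reviewer knows which files to open and which lines to move into protected configuration. The sample page and include contents are constructed, and the set of credential key names matched is an assumption based on common ADO/JDBC connection-string keys.

```python
import re

# Matches ASP/JSP-style server-side include directives and captures the file name.
INCLUDE_PATTERN = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE
)

# Credential keys commonly seen in connection strings (assumed list; extend for your code base).
CRED_PATTERN = re.compile(
    r"""\b(pwd|password|uid|user\s*id|user)\s*=\s*["']?([^;"'\s]+)""", re.IGNORECASE
)

def find_includes(page_source: str) -> list[str]:
    """Return the include file names referenced by a page, in order of appearance."""
    return INCLUDE_PATTERN.findall(page_source)

def scan_include(inc_source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, key, value) for every hard-coded credential found in an include file."""
    findings = []
    for line_no, line in enumerate(inc_source.splitlines(), start=1):
        for match in CRED_PATTERN.finditer(line):
            key = re.sub(r"\s+", "", match.group(1)).lower()  # "User Id" -> "userid"
            findings.append((line_no, key, match.group(2)))
    return findings

def mask(value: str) -> str:
    """Mask a secret for reporting so the audit output itself does not leak it."""
    return value[:1] + "*" * (len(value) - 1) if value else ""

# Constructed sample input: a page with two includes, and a classic ASP .inc file
# holding one hard-coded SQL login plus one integrated-auth string (no secret).
SAMPLE_PAGE = ('<html><!--#include file="db_conn.inc"-->'
               '<!--#include virtual="/lib/util.inc"--></html>')
SAMPLE_INC = """<%
Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=dbsrv;Initial Catalog=orders;User Id=appuser;Password=S3cret!"
safeStr = "Provider=SQLOLEDB;Data Source=dbsrv;Integrated Security=SSPI"
%>"""

if __name__ == "__main__":
    print("includes to review:", find_includes(SAMPLE_PAGE))
    for line_no, key, value in scan_include(SAMPLE_INC):
        print(f"db_conn.inc:{line_no}: hard-coded {key} = {mask(value)}")
```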