WebApp Sec mailing list archives

RE: Re: applet security


From: "Andrew Chong" <andrewjw () singnet com sg>
Date: Thu, 12 Jan 2006 19:17:30 +0800


Honestly, most auditors I have encountered don't really know what they are
asking for. They follow a checklist, either BS7799 or the Sarbanes-Oxley
(SOX) 2001 checklist, and tell the users exactly what is written. Most
users will not have a clue what they want. They just gave the auditors
read access to their company's application source code repositories and
documentation. However, this does not solve the problem, and this email
thread is one example.

Your auditor's checklist for applets.
•       Verify that the use of applets is restricted only to development
networks and not permitted on operational networks.

Firstly, do your company policies disallow the use of applets in the
production/operational environment? If so, you have to move away from
applets.
BTW, applets run on the client side. Servlets and Java beans run on a
server-side application server (i.e. WebSphere, JBoss).
Check with the auditor whether the term "Applets" in his doc refers to the
client or server side. I bet he doesn't understand what it means in the
doc as well.

•       Review server-side includes and active pages;

This refers to the #include statement in ASP, JSP and ASPX code,
i.e. <!--#include file="anyhow_code_database_connection_strings.inc"-->
The auditor has to do a code review himself to see whether there are database
passwords and IDs hard-coded in the .inc files.

•       Look for connections to back-end databases

Give your application documentation to the auditor. The application
process flow will indicate whether there are back-end connections to the DB. If
there are, so what? The auditor needs to explain whether the company policies
disallow applets from directly connecting to the DMZ2 database. Must there be an
application server? Btw, client-side applications should not connect
directly to your back-end database.


Finally, I'd suggest you answer the question with a more holistic overview
of your company infrastructure.
A few questions to consider.
1. Do you have 2-tier firewalls? (DMZ1, DMZ2, internal network)
2. Do you have an intrusion detection system (IDS)? How often are the signatures
updated?
3. Do you have application firewalls behind your first DMZ1 firewall?
4. Do you have anti-spyware firewalls? (i.e. Bluecoat)
5. Are your web servers patched with the latest patches?
6. Are your web servers installed with virus scanners, with signatures updated
as well?

The above are your technical controls for all your web servers from an
infrastructure perspective.

For application security control explanations, if really needed by your
auditor, I'll give more details later.

Hope the above helps.

Regards,
Andrew Chong, CISSP
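The server-side include review described above, as an added example that is not code from the original post or from any auditor's toolkit: a Python script that walks a web root, resolves <!--#include file="..."--> and <!--#include virtual="..."--> directives, and flags connection-string credentials (password, pwd, uid, user id) hard-coded in the included .inc files. The sample page and include files it creates under a temporary directory, the file names, and the credential patterns are all constructed for illustration.

```python
"""Added example (not from the original post): find hard-coded database
credentials in files pulled in by server-side include directives.
All file names and contents below are constructed for illustration."""
import os
import re
import tempfile

# <!--#include file="..."--> and <!--#include virtual="..."-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Key/value pairs typically seen in OLE DB / ODBC / JDBC connection strings.
CRED_RE = re.compile(
    r'\b(password|pwd|uid|user id|user)\s*=\s*([^;"\']+)', re.IGNORECASE)

PAGE_EXTENSIONS = (".asp", ".aspx", ".jsp", ".shtml", ".html")


def find_includes(page_path, webroot):
    """Return normalised paths of the files a page includes.

    'virtual' targets are relative to the web root; 'file' targets are
    relative to the directory of the including page (classic ASP/SSI rules)."""
    with open(page_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    found = []
    for kind, target in INCLUDE_RE.findall(text):
        if kind.lower() == "virtual":
            resolved = os.path.join(webroot, target.lstrip("/\\"))
        else:
            resolved = os.path.join(os.path.dirname(page_path), target)
        found.append(os.path.normpath(resolved))
    return found


def find_hardcoded_credentials(inc_path):
    """Return [(line_no, key)] for every credential-looking assignment in a file."""
    hits = []
    with open(inc_path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for key, value in CRED_RE.findall(line):
                if value.strip():  # ignore empty assignments such as Password=;
                    hits.append((line_no, key.lower()))
    return hits


def audit_webroot(webroot):
    """Walk the web root and map each included file that carries credentials
    to the list of (line_no, key) hits found in it."""
    report = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            for inc in find_includes(os.path.join(dirpath, name), webroot):
                if not os.path.isfile(inc):
                    continue  # dangling include; nothing to review here
                hits = find_hardcoded_credentials(inc)
                if hits:
                    report.setdefault(inc, []).extend(hits)
    return report


def build_sample_webroot():
    """Create a constructed web root: one page, one include with a hard-coded
    connection string, one harmless include. Returns the root path."""
    root = tempfile.mkdtemp(prefix="inc_audit_")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "default.asp"), "w") as fh:
        fh.write('<!--#include file="inc/db.inc"-->\n'
                 '<!--#include virtual="/inc/header.inc"-->\n'
                 '<% Response.Write("hello") %>\n')
    with open(os.path.join(root, "inc", "db.inc"), "w") as fh:
        fh.write('<%\n'
                 'connStr = "Provider=SQLOLEDB;Data Source=db01;'
                 'User ID=appuser;Password=Summer2006!"\n'
                 '%>\n')
    with open(os.path.join(root, "inc", "header.inc"), "w") as fh:
        fh.write("<h1>Site header</h1>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for inc_file, cred_hits in audit_webroot(sample_root).items():
        for ln, key in cred_hits:
            print(f"{inc_file}:{ln}: hard-coded '{key}' in connection string")
```

Point audit_webroot() at a real document root instead of the constructed one to get the list an auditor would otherwise have to compile by hand; each hit is a credential that belongs in a protected configuration store rather than in an include file that any path-traversal or source-disclosure bug on the web server would expose.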

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com] 
Sent: Thursday, January 12, 2006 10:13 AM
To: webappsec () securityfocus com
Subject: Re: Re: applet security


Maybe it _calls_ server side code (by hitting
urls or other channel), but it doesn't run
there.
Maybe they want you to put "controls" on that code?

If that really is what they mean, what controls can be put in place to
mitigate the risk? I can think of input filtering and validation in
server-side code to defend against buffer overflows. Any other measures
besides this?

I don't understand what they mean by "environment attacks". Can anyone
share some thoughts on this? Thanks.

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------

