Thanks for your comments... just a reminder that "application-layer
security" products can be considered "out-of-the-box" also. Just embed
into your protected applications and run!
-----Original Message-----
From: JAMES N. BARBIERI [mailto:JBARBIERI_at_HANOVER.COM]
Sent: 21 mars 2006 16:27
To: George Capehart; Stephen de Vries; Andre Maisonneuve
Cc: bugtraq_at_cgisecurity.net; webappsec_at_securityfocus.com;
websecurity_at_webappsec.org
Subject: RE: [WEB SECURITY] How to Create Secure Web Applications
withStruts
Also worth noting...adding additional application-layer security, on top
of the "out-of-the-box" security adds additional protection against "bad
guys" who can & will focus on ways to circumvent the Struts-based-only
mechanisms...
>>> "Andre Maisonneuve" <Andre.Maisonneuve_at_validian.com> 03/21/06 9:24
AM >>>
A very interesting topic indeed!
An alternative to installing security in the web tier is to install
security directly into the applications, so the security is controlled
by the application itself, so it simplifies the implementation of the
transport of data through any mechanism that you want to be installed,
without having to worry about security. All data going through the
intermediate layers will already be encrypted and will only be decrypted
at the receiving application.
Regards to all!
-----Original Message-----
From: George Capehart [mailto:gwc_at_acm.org]
Sent: 20 mars 2006 22:00
To: Stephen de Vries
Cc: bugtraq_at_cgisecurity.net; websecurity_at_webappsec.org;
webappsec_at_securityfocus.com
Subject: Re: [WEB SECURITY] How to Create Secure Web Applications with
Struts
Stephen de Vries wrote:
>
> Great article!
<snip>
>
> It may not be a big issue, but I think it's important to understand
how
> choosing the web tier as a security provider could impact the
> extensibility of the app down the line.
Hola All,
There was an interesting thread about a very similar issue (Is there any
Security problem in Ajax technology?) not too long ago on sc-l . . .
Thought
the comment made by Yvan Boily was particularly insightful.
FWIW,
/g
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 22 2006
Intro
