Security Basics mailing list archives

Re: Internal attacks on web application


From: Bob Jones <lists () pavlodarproductions com>
Date: Fri, 09 Jun 2006 23:50:21 -0500

Just a couple of questions/suggestions from the old school days (circa '98-2000). Have you looked into compiled server-side Java servlets and compiled C CGI apps (in a chrooted Apache jail, no less)? I would think that proper error handling -- dumping invalid page requests to a "naughty naughty" type page -- would safely handle the code injection attempts. The downside is that these methods do not lend themselves very easily to today's 'point-n-click' and 'drag-n-drop' development environments, but instead are more for the notepad/vi/emacs crowd of programmers.

Just my 2 bits,
Bob Jones

krisleech () interkonect com wrote:
We are moving some of our products from traditional client/server to web based applications. The problem is all languages aimed at building web apps are JIT compiled (interpreted), therefore you have to distribute source code or bytecode. Bytecode is easily reversed to code. This leaves us with a problem: the application and data are open to internal attack. Firstly, code can be injected (very easily in languages like Ruby), encryption keys can be read, as well as database passwords.
We have looked at Java, .NET and Ruby, all have the same problem, they can not be compiled to native code.

Any suggestions would be very helpful.
Kris.
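As an added illustration of the approach Bob Jones suggests above (a compiled C CGI program with strict input handling that routes anything invalid to a fixed error page), here is example code that is not part of the thread and was not written by either poster. The parameter name `item`, the 32-character limit, the function names `parse_query` and `handle_request`, and the page text are all assumptions made for the illustration; the chroot jail he mentions is a deployment step outside the program and is not shown.

```c
/* Added example, not from the thread: a small compiled C CGI handler.
 * It accepts exactly one query parameter, "item", whose value must be
 * 1-32 characters of [A-Za-z0-9_-]. Anything else (unknown or extra
 * parameters, percent-encoded bytes, over-long values, shell or SQL
 * metacharacters) is sent to a fixed "naughty naughty" page that never
 * echoes the offending input. Parameter name, limit and function names
 * are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ITEM_MAX 32

/* Allowlist for characters in the parameter value. */
static int allowed_char(unsigned char c) {
    return isalnum(c) || c == '_' || c == '-';
}

/* Parse a raw QUERY_STRING of the exact form "item=VALUE".
 * On success copies VALUE into item (NUL-terminated) and returns 1.
 * Returns 0 on any deviation, in which case item is left empty.
 * No percent-decoding is done on purpose: encoded bytes are rejected
 * rather than decoded and then validated again. */
int parse_query(const char *query, char item[ITEM_MAX + 1]) {
    const char *prefix = "item=";
    size_t plen = strlen(prefix);
    size_t n, i;

    item[0] = '\0';
    if (query == NULL) return 0;
    if (strncmp(query, prefix, plen) != 0) return 0;
    query += plen;
    n = strlen(query);
    if (n == 0 || n > ITEM_MAX) return 0;
    for (i = 0; i < n; i++) {
        if (!allowed_char((unsigned char)query[i])) return 0;
    }
    memcpy(item, query, n);
    item[n] = '\0';
    return 1;
}

/* Write a CGI response to out and return the HTTP status chosen
 * (200 or 400), so the decision is observable without parsing output. */
int handle_request(const char *query, FILE *out) {
    char item[ITEM_MAX + 1];

    if (!parse_query(query, item)) {
        /* Fixed error page: constant text, no reflection of the input. */
        fputs("Status: 400 Bad Request\r\n", out);
        fputs("Content-Type: text/html\r\n\r\n", out);
        fputs("<html><body><h1>Naughty naughty</h1>"
              "<p>That request was not understood.</p></body></html>\n", out);
        return 400;
    }
    fputs("Status: 200 OK\r\n", out);
    fputs("Content-Type: text/html\r\n\r\n", out);
    /* item contains only allowlisted characters, so it is safe to echo. */
    fprintf(out, "<html><body><p>Item: %s</p></body></html>\n", item);
    return 200;
}

int main(void) {
    /* The web server passes the query string in the environment. */
    return handle_request(getenv("QUERY_STRING"), stdout) == 200 ? 0 : 1;
}
```

Build with `cc -O2 -o item.cgi item.c` and try it from a shell with `QUERY_STRING='item=widget42' ./item.cgi` and then `QUERY_STRING='item=widget42;id' ./item.cgi` to see the two paths. The design choice is allowlisting: the value is checked character by character against what the application needs rather than searched for known-bad patterns, and the rejection page is constant, so the error path cannot itself become an injection or reflection vector.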
