Security Basics mailing list archives

Re: Internal attacks on web application


From: "Sven Édouard" <sven_edouard () fastmail co uk>
Date: Wed, 14 Jun 2006 17:01:22 -0700

You may want to use a staged or limited/jailed environment where the
settings are different so that live access is limited to very few
persons after code review of changes. You can force database passwords
and other important information to be different for internal staging
environment and the live site, thus you don't even tell any developers
the live passwords. Also, if you modularize the design, you can mirror
the environment exactly, except for the details you want to keep secret.

Sven



On 8 Jun 2006 16:33:07 -0000, krisleech () interkonect com said:
We are moving some of our products from traditional client/server to web
based applications. The problem is all languages aimed at building web
apps are JIT compiled (interpreted) therefore you have to distribute
source code or bytecode. Bytecode is easily reversed to code.
This leaves us with a problem, the application and data are open to
internal attack. Firstly code can be injected (very easily in languages
like ruby), encryption keys can be read, as well as database passwords.
We have looked at Java, .NET and Ruby, all have the same problem, they
cannot be compiled to native code.

Any suggestions would be very helpful.
Kris.
-- 
  Sven Édouard
  sven_edouard () fastmail co uk

-- 
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html
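As an added example, not part of either message: a small Ruby loader (Ruby being one of the languages Kris mentions) that applies Sven's suggestion. Secrets come from a per-environment store kept outside the shipped code, the live configuration refuses to start if any secret equals its staging counterpart, and a release check scans the source about to be distributed for live values. The store names, keys and values are constructed placeholders.

```ruby
# Constructed sample secret stores, one per environment. In practice each
# would live outside the deployable tree (for example a file readable only
# by the service account on that host), so the source handed to developers
# never carries the live values.
STAGING_SECRETS = { 'db_password' => 'stg-Pw-4821', 'app_key' => 'stg-key-9f3c' }.freeze
LIVE_SECRETS    = { 'db_password' => 'live-Pw-7c1e', 'app_key' => 'live-key-02ab' }.freeze

REQUIRED_KEYS = %w[db_password app_key].freeze

class AppConfig
  attr_reader :env, :secrets

  # env: 'staging' or 'live'; secrets: the store for that environment only.
  # Fails early when a required secret is absent rather than falling back
  # to a default baked into the code.
  def initialize(env, secrets)
    @env = env
    missing = REQUIRED_KEYS - secrets.keys
    raise ArgumentError, "#{env}: missing secrets #{missing.join(', ')}" unless missing.empty?
    @secrets = secrets.slice(*REQUIRED_KEYS).freeze
  end

  def db_password
    @secrets['db_password']
  end
end

# Start-up guard for the live site: every secret must differ from the
# staging value, so what developers can see in staging never opens live.
def distinct_from_staging?(live, staging)
  REQUIRED_KEYS.none? { |k| live.secrets[k] == staging.secrets[k] }
end

# Release check: the source text about to be distributed must not contain
# any live secret value. Returns the names of the secrets that leaked
# (empty when the source only references them indirectly, e.g. via ENV).
def leaked_live_secrets(source_text, live)
  live.secrets.select { |_, value| source_text.include?(value) }.keys
end
```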