The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). The following paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.
Paper:
http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
The original version of this paper was released in January 2006 for private CPNI distribution. This paper has now been updated in August 2008 to include additional materials such as input payloads that bypass the latest anti-XSS .NET patches (MS07-40) released in July 2007.
The following article discusses, step by step, how to implement an anti-virus solution (file scanning for viruses) in Java, particularly in JEE applications.
http://www.developer.com/design/article.php/3711331
The following site presents a taxonomy of software security errors developed by the Fortify Software Security Research Group. Each vulnerability category is accompanied by a detailed description of the issue with references to original sources, and code excerpts, where applicable, to better illustrate the problem.
http://www.fortify.com/vulncat/
This is a good resource for security analysts and software developers who want to know what kinds of vulnerabilities are possible in different languages and environments (ColdFusion, PHP, Java, ASP, ASP.NET, etc.).
A must-visit website for newcomers to application security.
As of today, I have completed integrating security into the standard SDLC to prevent security bugs from appearing in released applications. The SEI CMMI Version 1.1, Maturity Level 5 process has been updated with security tests, tools, guidelines and templates to ensure that application security is adequately covered and that controls are effective throughout the development process. A brief summary is outlined below; click here to download it.
| SDLC Process | Requirements & Engineering Management | Architecture & Design * | Coding & Unit Testing | Integration & Testing |
|---|---|---|---|---|
| Entry Criteria | Business Requirements; Constraints & assumptions | Security requirements; High Level Architecture/Design Document, Use cases | Threat model; High Level/Low Level Architecture, Design Documents | White Box test results |
| Activities | Determine application risk rank; Identify key compliance objectives; Define secure integration with external systems | Create threat model; Review/modify security requirements; Architecture & Design Review | Security development/coding guidelines/best practices; White Box Review & Host review; Static code analyzer | Automated Application Assessment; Manual/Automated penetration testing |
| Deliverables | Security test strategy; Security integrated into the development process; Predictive Risk Ranking | Threat model; Security requirements in all defined components; Architecture & Design Review Report | White Box Review Report & Sign off | Black Box Review Report & Sign Off |
| Tools | Security consultant; Security Requirements Review Checklist | Threat Model Tool; Architecture & Design Review Checklist | Static Code Analyzer; Security Development Guidelines | Automated security tool |
| Exit | Test strategy approved | No Sev 1 & Sev 2 issues exist | No Sev 1 & Sev 2 issues exist | No Sev 1 & Sev 2 issues exist |
| Responsibility | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team | Project Team & Security Team |
The following Java program compares a customer's balance with a minimum balance. If the customer's balance is higher than the minimum balance, the customer gets a special discount.
// Integer overflow & underflow example
int min_balance = 25000;
int cust_balance = 30000;               // try 25, 25000 or 30000 here: behaves as expected
// cust_balance = (25000 * 25000 * 20);  // integer overflow: the int result wraps to a negative value
// cust_balance = (-25000 * 25000 * 20); // integer underflow: the int result wraps to a positive value
if (cust_balance >= min_balance)
{
    System.out.println("This customer qualifies for special pricing.\n");
}
else
{
    System.out.println("This customer does NOT qualify for special pricing\n");
}
Try giving 25, 25000 or 30000 as the customer balance; the program behaves as expected.
If you change the customer balance to the following computations, you will observe unexpected behaviour in the program due to integer overflow/underflow.
cust_balance = (25000 * 25000 * 20);  // Integer overflow
cust_balance = (-25000 * 25000 * 20); // Integer underflow
What happened:
Java does not detect errors in numerical computations at compile time. The Java type "int" is represented as a 32-bit binary number. With 32 bits, it is possible to represent a little over four billion different values. The values of type int range from -2147483648 to 2147483647.
When the result of a computation lies outside this range, the mathematically correct result cannot be represented as a value of type int, and the stored value silently wraps around. The above two computations lie outside this range: 25000 * 25000 * 20 (12,500,000,000) wraps to a negative int, and -25000 * 25000 * 20 wraps to a positive one, so the negative balance "qualifies" while the large positive one does not. These are examples of integer overflow/underflow.
In most cases, integer overflow/underflow should be considered an error. However, Java does not automatically detect such errors.
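The post shows the wrap-around but not how to defend against it. The following is an added example (not code from the original post) showing three ways to keep the balance comparison honest: widening the arithmetic to long, letting Math.multiplyExact (Java 8+) throw on overflow, and a manual pre-check. The class and method names are this example's own.

```java
// Added example, not from the original post.
public class SafeBalanceCheck {
    static final int MIN_BALANCE = 25000;

    // 1. Widen: do the arithmetic in long, where 25000L * 25000L * 20L fits.
    static boolean qualifiesUsingLong(long a, long b, long c) {
        long custBalance = a * b * c;
        return custBalance >= MIN_BALANCE;
    }

    // 2. Detect: Math.multiplyExact (Java 8+) throws ArithmeticException on int
    //    overflow instead of silently wrapping, so the caller can reject the input.
    static boolean qualifiesExact(int a, int b, int c) {
        int custBalance = Math.multiplyExact(Math.multiplyExact(a, b), c);
        return custBalance >= MIN_BALANCE;
    }

    // 3. Pre-check: compute the product in long and test it against the int range
    //    before trusting an int result (useful where multiplyExact is unavailable).
    static boolean multiplyWouldOverflow(int x, int y) {
        long r = (long) x * (long) y;
        return r > Integer.MAX_VALUE || r < Integer.MIN_VALUE;
    }

    public static void main(String[] args) {
        // The wrapped int value from the original post versus the widened one.
        System.out.println("int wraps to: " + (25000 * 25000 * 20));     // -384901888
        System.out.println("long gives:   " + (25000L * 25000L * 20L));  // 12500000000
        System.out.println("qualifiesUsingLong: " + qualifiesUsingLong(25000, 25000, 20)); // true
        try {
            qualifiesExact(25000, 25000, 20);
            System.out.println("no overflow detected");
        } catch (ArithmeticException e) {
            // Reached: the intermediate 625000000 * 20 does not fit in an int.
            System.out.println("multiplyExact rejected the computation: " + e.getMessage());
        }
        System.out.println("625000000 * 20 would overflow int? " + multiplyWouldOverflow(625000000, 20)); // true
        System.out.println("25000 * 25000 would overflow int?  " + multiplyWouldOverflow(25000, 25000));  // false
    }
}
```

Widening only moves the boundary (long also wraps at 2^63), so for values that can come from untrusted input the exception-based or pre-checked forms are the ones to rely on; a rejected computation should be logged and the request refused rather than compared.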
For file upload in your application, one important thing you must consider is security, as improper design and configuration will make your application vulnerable to attacks.
Here are a few security tips that may be useful to you.
• File size: have a limit on uploaded file sizes.
• Always check the content type, and also check it against a list of allowed file types.
• Never store files under user-supplied file names. Always generate a unique file name by appending unique, non-guessable IDs, timestamps, random numbers, etc.
• Make sure anti-virus software (with up-to-date signatures) is installed and enabled for monitoring of incoming and outgoing files.
• As an industry practice, the uploads folder and its files should not be part of your source directory.
• Access to the uploaded file share should be given on a need-to-know basis.
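The checklist above applied to a single upload, as an added example that is not code from the original post: it enforces a size limit, an allow-list of content types tied to the magic bytes the file must actually start with, a generated non-guessable file name, and a storage root outside the application directory. The class, method and map names, the 2 MB limit and the /var/app-data/uploads path are this example's own assumptions; Map.of requires Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;

// Added example, not from the original post.
public class UploadPolicy {
    static final long MAX_BYTES = 2L * 1024 * 1024;  // size limit (assumed value)
    // Allow-list of content types; each entry carries the magic bytes a genuine file begins with.
    static final Map<String, byte[]> ALLOWED = Map.of(
        "image/png",       new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "image/jpeg",      new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "application/pdf", "%PDF".getBytes(StandardCharsets.US_ASCII));
    // Storage root outside the web application's source/content directory (assumed path).
    static final Path UPLOAD_ROOT = Paths.get("/var/app-data/uploads");
    static final SecureRandom RNG = new SecureRandom();

    static final class Rejected extends Exception {
        Rejected(String message) { super(message); }
    }

    static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
            && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    // Returns the path the file should be written to, or throws Rejected.
    static Path accept(String declaredType, byte[] content) throws Rejected {
        if (content.length == 0 || content.length > MAX_BYTES)
            throw new Rejected("size " + content.length + " outside 1.." + MAX_BYTES);
        byte[] magic = ALLOWED.get(declaredType);
        if (magic == null)
            throw new Rejected("content type not allowed: " + declaredType);
        if (!startsWith(content, magic))  // the declared type must match the actual bytes
            throw new Rejected("content does not match declared type " + declaredType);
        // Never reuse the user-supplied name: timestamp plus 128 random bits, fixed extension.
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        StringBuilder name = new StringBuilder(Long.toString(System.currentTimeMillis())).append('-');
        for (byte b : id) name.append(String.format("%02x", b));
        name.append(extensionFor(declaredType));
        return UPLOAD_ROOT.resolve(name.toString());
    }

    static String extensionFor(String type) {
        switch (type) {
            case "image/png":  return ".png";
            case "image/jpeg": return ".jpg";
            default:           return ".pdf";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an HTML document mislabelled as PNG, and a minimal PNG header.
        byte[] fakePng = "<html><script>alert(1)</script>".getBytes(StandardCharsets.US_ASCII);
        byte[] realPng = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0};
        for (byte[] sample : new byte[][] {fakePng, realPng}) {
            try {
                System.out.println("stored at " + accept("image/png", sample));
            } catch (Rejected r) {
                System.out.println("rejected: " + r.getMessage());  // first sample lands here
            }
        }
    }
}
```

The extension is derived from the validated type rather than from the original name, so a client cannot smuggle a server-interpreted extension through; the returned path can then be handed to the anti-virus scan and written with restrictive permissions per the remaining tips.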
If you spend considerable time reformatting your Find in Files results, this tip might be helpful. As a security analyst I always have to report a security issue with the directory name, file name, line number and code snippet. But the default Find in Files results window provides only the file name and code text, and that on a single line.
To change the default settings and display the results on multiple lines, you can use the following registry setting.
1. Go to HKCU\Software\Microsoft\VisualStudio\8.0\Find
2. Add a new string called Find result format with a value of Directory : $d\nFile name : $f$e\nLine #: $l\nCode:$t\r\n where
   $d is the directory name
   $f is the file name
   $e is the extension
   $l is the line number
   $t is the text on the line
Note: You don't have to restart Visual Studio to pick up your registry changes.
The full list of items you can specify in the registry can be found here.
Today at Honeywell, I was awarded the Six Sigma Plus Green Belt certificate. This certificate acknowledges the technical expertise and application experience necessary to effectively achieve Six Sigma quality.
For more details click here.
Case 1 :
When NASA began launching astronauts into space, they found out that pens wouldn't work at zero gravity (ink won't flow down to the writing surface). To solve this problem, it took them one decade and $12 million. They developed a pen that worked at zero gravity, upside down, underwater, on practically any surface including crystal, and in a temperature range from below freezing to over 300 degrees C. And what did the Russians do...?? They used a pencil.
Case 2 :
One of the most memorable case studies on Japanese management was the case of the empty soapbox, which happened in one of Japan's biggest cosmetics companies. The company received a complaint that a consumer had bought a soapbox that was empty. Immediately the authorities isolated the problem to the assembly line, which transported all the packaged boxes of soap to the delivery department. For some reason, one soapbox went through the assembly line empty. Management asked its engineers to solve the problem. Post-haste, the engineers worked hard to devise an X-ray machine with high-resolution monitors manned by two people to watch all the soapboxes that passed through the line to make sure they were not empty. No doubt they worked hard and they worked fast, but they spent a whopping amount to do so.
But when a rank-and-file employee in a small company was posed with the same problem, he did not get into the complications of X-rays, etc., but instead came out with another solution. He bought a strong industrial electric fan and pointed it at the assembly line. He switched the fan on, and as each soapbox passed the fan, it simply blew the empty boxes out of the line.
The above two cases are good examples of Root Cause Analysis (find and remediate the root cause instead of addressing the symptoms).
Business rules in client web pages (away from data)
==================================
- Developers tend to do this. But for a change in a business rule, the web applications need to be recompiled and redeployed.
- Eventually, if you expose data through a web service, your application cannot control who is going to access which data, because each consuming application will write its own set of business rules.
- The data is in your hands, but the business rules are not in your control; every consuming application will implement its own rules.
- Managing and maintaining business rules across different applications is difficult.
- A change in a business rule needs to be replicated in all the consuming applications.

Business rules in back-end stored procedures (along with data)
============================================
- Simple to include a change in a business rule.
- No need to recompile.
- If you expose data through a web service, your application can decide who is going to access which data, not the consuming application.
- Data as well as business rules are in your control.
- A change in a business rule needs a change in one place only.

The above points are valid and true for authorization rules and security rules also.
Please comment if you have any other thoughts.