Issue dated - 22nd March 2004


Tech Forum

Security Tips and Guidelines - III

Tip 10. Application development

This is not just a tip. It is an important change in the way we think about application development.

Most of us design applications to achieve some business purpose, which is fine. The problem is that the security aspects of an application are considered only after it has been built and is running: security is always an afterthought. As a result, we are often completely unaware of how our own applications open up serious security vulnerabilities.

The bottom line is that applications should be designed with security in mind from the start, not have security bolted on later on an ad hoc basis. What, then, does one do about existing applications that were not written with security in mind?

Audit them thoroughly and find the gaps, and do it proactively. Do not wait in the hope that nobody will ever find the vulnerability in your application.

The worst part of application-level breaches is that they often go completely unnoticed. For example, if an attacker tampers with a URL parameter that your page pastes straight into a database query (SQL injection), turning a single-record lookup into a ‘select *’ that harvests the complete customer, pricing or transaction table, you will never even notice. The attacker does not need to do this every day; a single run of the query is enough to reveal a great many trade secrets.

Technically the attacker could just as easily delete the entire table, or do many other destructive things. But a professional interested in corporate espionage would not do anything so crude, because the breach would then be noticed and countermeasures taken. It is far simpler to keep quietly exploiting the vulnerability.
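The following is an added example and is not code from the article or from the Microsoft guides it cites. It models the URL-parameter attack described above in Python with an in-memory SQLite table; the page name, the `customer` parameter, the URLs and the pricing rows are all constructed for the illustration. `vulnerable_lookup` concatenates the parameter into the SQL text the way many pages of that era did, so a tampered parameter turns a one-row lookup into a dump of the whole table. `hardened_lookup` rejects anything that is not a numeric ID and binds the value as a query parameter, so the same URL yields an error instead of data.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for a pricing table (not real data).
SAMPLE_ROWS = [
    (1, "ACME Corp", "widget", 12.50),
    (2, "Globex", "gadget", 99.00),
    (3, "Initech", "gizmo", 7.25),
]

# Constructed URLs; the page name and parameter name are assumptions.
NORMAL_URL = "http://intranet.example/price.aspx?customer=2"
# %20 is a space and %3D is '=', so the decoded parameter reads:  2 OR 1=1
TAMPERED_URL = "http://intranet.example/price.aspx?customer=2%20OR%201%3D1"


def make_db():
    """In-memory SQLite database holding the sample pricing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pricing (customer_id INTEGER, customer TEXT, "
        "product TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO pricing VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def customer_param(url):
    """Pull the 'customer' query parameter out of the URL, URL-decoded."""
    return parse_qs(urlsplit(url).query).get("customer", [""])[0]


def vulnerable_lookup(conn, url):
    """Builds the SQL by concatenation: whatever is in the URL runs as SQL."""
    sql = "SELECT * FROM pricing WHERE customer_id = " + customer_param(url)
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, url):
    """Allow-list the input (an ID is digits only) and bind it as a parameter."""
    value = customer_param(url)
    if not value.isdigit():
        raise ValueError("customer must be a numeric id, got %r" % value)
    return conn.execute(
        "SELECT * FROM pricing WHERE customer_id = ?", (int(value),)
    ).fetchall()


def rows_returned(lookup, url):
    """Rows a lookup hands back for the URL, or -1 if the input was rejected."""
    try:
        return len(lookup(make_db(), url))
    except ValueError:
        return -1


if __name__ == "__main__":
    for name, lookup in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        for label, url in (("normal", NORMAL_URL), ("tampered", TAMPERED_URL)):
            print("%-10s %-8s -> %d row(s)" % (name, label, rows_returned(lookup, url)))
```

Run stand-alone it prints one row for the normal URL in both versions, three rows (the entire table) for the tampered URL against the vulnerable version, and a rejection for the tampered URL against the hardened one. Note that the server log for the successful harvest is a single ordinary-looking GET request, which is exactly why such a breach goes unnoticed.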

So from an application perspective, what do we do?

There is an excellent online resource that covers this topic very well. I urge every application developer and architect to read it and apply it to existing as well as future applications.

It is an online book from Microsoft’s patterns & practices group titled Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication.

A companion guide from the same group gives more in-depth coverage and is intended to be read after the first: Improving Web Application Security: Threats and Countermeasures.

Remember, application-level vulnerabilities can be far more dangerous than all the OS or browser-level problems ever noticed and documented, because they sit directly in front of the business data.

To give you an idea of how serious these threats are, I am reproducing a summary table which lists the various types of threats and, for each, the origin of the vulnerability from an application design perspective.

As you can see, there are a great many possible problems. Did you know the list was so long and complex? Now refer to the full guide on the website and use it to build resilient applications.

Tip 11. Personal firewalls

There are many personal firewalls available; Windows XP includes a built-in one (the Internet Connection Firewall). Even machines used in a stand-alone mode should run a firewall. Laptops, top management machines and home PCs that are directly exposed to the Web require a personal firewall.

Incidents of internal espionage have also increased, so consider enabling it even on machines that sit on the intranet.

A personal firewall may marginally reduce the freedom of working on the PC, but it is a necessity. Ensure that a knowledgeable person configures it, otherwise it will block regular work, and a firewall that keeps getting in the way is the one users switch off.

Tip 12. Check for spyware

This is a new category that has come up. Spyware (often bundled with, and loosely lumped together with, adware) usually means programs that load as a hidden component of freeware and shareware downloaded from the Internet. Largely used for advertising by hijacking the Web browser, they secretly consume computer resources and gather and send user information to somebody else; the more malicious variety can monitor keystrokes, track email and potentially capture passwords and credit card details.

Most of us have a false sense of security once the latest OS patches and antivirus updates are installed, and assume that the antivirus software cleans these programs up as well. It does not always.

There are a number of good (and free) tools that remove spyware from a machine. Among the more popular and effective are

‘Ad-aware’ (http://lavasoft.element5.com/software/adaware) and Spybot (www.spybot.info).

As careful as I am, to my surprise and alarm, I found 15 such spyware programs running on my regular machine! Many of these spyware components were DLLs maliciously registered as valid programs, tracking cookies and so on. Of course the tool cleaned these up. But then it is another thing we need to keep doing at regular intervals.

Beware. Get your machine scanned for these.
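Beyond running a scanner, a practitioner can check the places spyware registers itself to be loaded. The following is an added example, not code from the article or from the tools it names: a small Python audit of the HKLM and HKCU Run keys, run over a constructed registry export (no real machine was exported; every path, value name and the “user” profile are made up). The heuristics it applies are assumptions for the example, tuned to a default Windows XP layout: a module loading from a temporary or user-writable directory, a system-binary name living outside system32, or anything outside the usual install directories is reported. It does not cover Browser Helper Objects, services or other autostart points, so it is a first check, not a complete scan.

```python
import re

# Constructed .reg export (no real machine was exported) of the two classic
# autostart keys.  Paths, value names and the "user" profile are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Windows Update"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\wupdate.exe /s"
"svchost"="C:\\WINDOWS\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# "name"="data" lines; both sides use .reg escaping (\\ for \ and \" for ").
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First drive-letter path ending in .exe or .dll inside a command line.
MODULE_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll))', re.IGNORECASE)

# Heuristics: assumptions for this example, based on a default XP layout.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def unescape(s):
    """Undo .reg string escaping."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def audit_autostart(text):
    """Return (key, value_name, module_path, reason) for each suspicious entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        m = MODULE_RE.search(data)
        if not m:
            findings.append((key, name, data, "no recognisable module path"))
            continue
        path = m.group(1)
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        if "\\temp\\" in low or low.startswith("c:\\documents and settings\\"):
            findings.append((key, name, path, "loads from a user-writable or temporary directory"))
        elif basename in SYSTEM_BINARIES and not low.startswith("c:\\windows\\system32\\"):
            findings.append((key, name, path, "system binary name outside system32 (masquerading)"))
        elif not low.startswith(TRUSTED_PREFIXES):
            findings.append((key, name, path, "outside the standard install directories"))
    return findings


if __name__ == "__main__":
    for key, name, path, reason in audit_autostart(SAMPLE_REG):
        print("%s\n  %s = %s\n  -> %s" % (key, name, path, reason))
```

On the sample export it flags two of the six entries: the innocuously named “Windows Update” value that launches an executable from the user’s Temp folder, and an svchost.exe that lives in C:\WINDOWS rather than system32. The legitimate rundll32 entry is handled correctly because the audit looks at the DLL being loaded, not the host process. On a real machine, export the keys with regedit and feed the file to `audit_autostart`; treat each finding as something to investigate, not as proof of infection.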

Tip 13. Service packs are better than patches

We all feel that patches must be applied with a high sense of urgency, and that is true. But we do not feel the same way about service packs. I have observed that many companies do not apply service packs at all; they just keep applying patches.

This is not the right practice.

If a service pack and a patch were released on the same day, I would go for the service pack, not the patch.

To understand why service packs are important, consider the following:

  • Service packs are planned releases. Patches are ad hoc and created in a hurry.
  • Service packs are tested like the original product itself. Patches do not get that much testing time, because they are created to plug a specific security vulnerability quickly.
  • Service packs are cumulative. Applying service pack 4 directly is the same as having applied service packs 1, 2 and 3 and then 4. Patches are generally independent, isolated fixes, so they are not cumulative.
  • Service packs contain the patches released up to their cut-off date. Applying one service pack therefore removes the need to apply many individual patches or hotfixes.
  • Service packs address security vulnerabilities as well as other bugs, and usually add some new features to the product.
  • Service packs should be applied as soon as they are available. The only precaution is to try them on a test setup first and then roll them out to production. Patches, on the other hand, are not all mandatory. Each patch has a bulletin associated with it; check how the vulnerability affects your IT systems. If your systems are not exposed to the issue, you do not have to apply the patch, but record that decision and revisit it when the configuration changes.

About the Author: Dr Nitin Paranjape is the Chairman and MD of Maestros (Mediline). He is a consultant with many organisations, covering appropriate technology utilisation, business application of relevant technology, application architecture and audit, as well as knowledge transfer. He has authored more than 650 articles on various technology-related subjects. He can be contacted at nitin@mediline.co.in



© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.