
November 28, 2007

Security 2008

Security 2008: Important shift in this annual SANS report... the "top new risk" they've identified: "Critical vulnerabilities in Web applications enabling the Web site to be poisoned, the data behind the Web site to be stolen, and other computers connected to the Web site to be compromised." Their recommendations include the usual firewalls and testing, but also "a formal policy that all important Web applications will be developed using a valid secure development life cycle and only by developers who have proven (through testing) that they have the skills and knowledge to write secure applications." SANS is influential, and their 2007 wrap-up report is being published in London today... expect more emphasis on formal defensive measures behind the firewall during the next year, and a good chance of tighter measures on apps built from low-level scripting (PHP, e.g.). Key change: Security exploits continue to move up the stack, from operating systems to applications to browsers and now to server-side applications.

More notes:

I think ColdFusion is in a better position than PHP, because ColdFusion has standardized many of the lower levels of functionality that need to be explicitly rewritten for PHP, ASP etc. It's still possible to make insecure applications in ColdFusion, but there's a much smaller vulnerability surface to support when the lower layers are standardized.

Suggestion: If you work with ColdFusion, it would be good to read up on ColdFusion security now, so that you're ready should clients come to you with new questions after hearing of the SANS report.

The second new risk they identify is credulous newbies, particularly execs or those with high-level access. That's a tricky problem to address.

The SANS report also mentions the high number of security alerts involving "media players" over the past year, but when you look into those exploits, the plugins were passing along requests to the browsers, which then got confused about which domain was making the request... most of the issues with QuickTime, Real, Player, Reader and so on over the past year have been browser-specific or OS-specific issues, rather than something the plugin itself does. We were very quick to add new protocols to browsers back in the 1990s, and it's only today that some of these requests are being exploited by criminal gangs.

Posted by JohnDowdell at November 28, 2007 09:20 AM


Comments

Hey John,

One security aspect of Flash/Flex-based RIAs that concerns me is that there is no way to let the user know that you are transferring their data securely to the back-end via HTTPS.

I feel we need to be proactive in addressing this before it gets widespread attention via a sensationalist headline on Digg.

I recently wrote a blog post that summarizes my thoughts on this, and suggests one possible solution: Building trust in Flash-based RIAs: a security feature request. I'd love to hear your thoughts on it.

[jd sez: Howdy Aral, sorry I missed that while I was out. I don't have enough depth in that area to comment reasonably, but I've passed it along, asking other folks on the team if they've got context or bounce-offs.]

Posted by: Aral Balkan at November 29, 2007 03:01 AM