Amen! /.'s street cred drops every time I see these rushed headlines dripping with bias in a vain attempt to prove everything that is Microsoft is wrong and Linux is going to take over the world any day now.
Come on! Be objective, and chill out with this self-righteous "my OS is bigger than yours" bullshit.
I was thinking more of their AppShield product; it sits in front of the web server and stops the hacks there. AppScan is cool since it's the first application-focused scanner, but I've always been a fan of an active solution.
I agree with you, you need to hire good coders. But I have seen some of the best make the worst mistakes. With the time-to-market demands slamming them in the face every day, the chances that they will make a mistake increase. Good coders minimize the risk, but they can't eliminate it.
Perhaps the coolest thing about AppShield is that it is not based on pattern files that you need to keep updated; it just figures out your web app by parsing the HTML and then blocks all the rest. How many things out there can protect against unknown hacks? According to their web site this thing is protecting the Israeli government!
Damn, I sound like an advertisement, but technology like this is going to be the only thing that can save online banking and e-commerce from a hacking arms race that is out of control.
I see all this talk about 128-bit SSL, the best IDS, the best firewall, etc... All worthless against a good application hack. Take a study by the ICSA: "Out of 5000 hacks, 2/3 were at the application layer"! Hell, take a study of all the financial sites out there that have gotten hacked. Go further and look at all the high-profile sites that have been hacked recently and you will see one thing in common - the hack targeted the web app. No network security device can prevent a web application layer attack.
Just spent a fortune on that cool network IDS system? Great, well guess what, SSL renders it useless because you can't watch encrypted traffic! So now the hacker is hacking securely as they come right through your firewall on port 443 and just muck with your web site while you have no clue what's happening.
It's an accepted fact that all code has bugs. Your web site is based on code, so it has bugs, and it's only a matter of time until the hacker finds a way to exploit them, and most of the time you won't even know.
The problem requires a new approach: you need a web application layer IDS, and this is not entirely an easy thing to do. You have to be able to understand the application in real time and process the SSL transactions yourself; in essence you end up with a very smart (and hopefully fast) reverse proxy. There is only one company out there (www.sanctuminc.com) that's doing anything at all to solve this problem, and they are worth checking out if you are really serious about locking down your web site.
Until the banking world grasps the real problems of application security, sites will continue to get hacked and defaced. Go ahead, hide behind your firewall, your SSL, your IDS, I'm going to come in, right past all of it, and rip your web application to shreds while you watch your firewall and IDS logs - and see nothing.
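The positive security model the two AppShield comments above describe (learn the application from the HTML it actually serves, then refuse any request that was never offered) reduced to its core, as an added example that is not the original poster's nor Sanctum's code. The served page and the request URLs are constructed samples; a real reverse proxy would sit behind TLS termination and feed every response through the learner.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class LinkFormExtractor(HTMLParser):
    """Collects every <a href> and <form action> (with its input names) from a served page."""

    def __init__(self):
        super().__init__()
        self.allowed = {}   # path -> set of parameter names the app itself offered
        self._form = None   # set of the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlsplit(a["href"])
            self.allowed.setdefault(url.path, set()).update(parse_qs(url.query).keys())
        elif tag == "form" and a.get("action"):
            self._form = self.allowed.setdefault(urlsplit(a["action"]).path, set())
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form.add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def learn_allowed(html):
    """Build the allow-list of paths and parameter names from one served response."""
    parser = LinkFormExtractor()
    parser.feed(html)
    return parser.allowed


def is_allowed(allowed, url):
    """Positive model: the path must have been served, and every parameter name offered."""
    parts = urlsplit(url)
    if parts.path not in allowed:
        return False            # never linked or posted to by the app: block
    return set(parse_qs(parts.query).keys()) <= allowed[parts.path]


# Constructed sample response, as the proxy would see it on the way out.
SERVED_PAGE = """<html><body>
<a href="/">home</a> <a href="/account?id=42">my account</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    model = learn_allowed(SERVED_PAGE)
    for req in ("/account?id=42", "/account?id=42&admin=1", "/admin/debug"):
        print(req, "ALLOW" if is_allowed(model, req) else "BLOCK")
```

The second and third requests are blocked without any signature: the proxy never saw the app offer an `admin` parameter or an `/admin/debug` path, which is the "protect against unknown hacks" property the comment is pointing at.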
Did anyone else catch that 2-second scene from the movie DUNE in the trailer? The scene where the Harkonnens are retaking Arrakis and are bombing the walls. Look closely!
While this may go against the grain of the general consensus that feels that deep linking is something that should be fundamentally allowed, there is now software that will provide the ability to control the entry points into your web site as well as secure the entire site (AppShield from www.perfectotech.com). Legally, I don't believe there should be any controls in place that say what you do on the web, but if sites want to come up with a technical means to control who accesses their site and how, then the more power to them. I think the point I am trying to make here is that a web site is not public property, that your access to that site is not a divine right, and that regardless of how one feels on the spirit of the web, companies do not and will not provide information to the public unless it serves their best interest. Otherwise why would they? Give sites the power to control things like deep linking, but let's not make laws about it.