Friday, October 20, 2006

Design Considerations for Security

1. Do not trust client-side user input. Security decisions should not rely on client-side validation; they must be made on the server side.

2. Design the application to fail gracefully. Exception management should be such that it does not reveal any internal software information.

3. Partition the application into public accessible and restricted areas. Isolate higher privileged sections of the application.

4. Apply granular authorization checks to pages and directories.

5. Web controls, user controls, and resource access code are all partitioned into their own assemblies for granular security.

6. Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over the network and in persistent stores.
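As an added illustration (not from the original post), here is how points 2, 3, 4 and 6 map onto an ASP.NET 2.0 web.config: the application is split into a public root and a restricted Admin folder, error details are hidden from remote users, and the forms ticket and cookies are protected in transit. The Admin path, the Administrators role and the Error.aspx page are assumed names.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Point 2: fail gracefully. mode="Off" would send stack traces and
         file paths to every client; RemoteOnly shows them only on localhost. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Point 6: protect the authentication ticket. protection="All" signs and
         encrypts the forms ticket; requireSSL keeps it off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true" />
    </authentication>

    <!-- Point 6: cookies (ticket and session) only over HTTPS, not readable by script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Public area: anyone may browse the root of the site. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Points 3 and 4: the restricted area is a separate directory with its own
       authorization rules. Rules are evaluated top down, so the deny-all entry
       must come last. "Admin" and "Administrators" are assumed names. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The <location> block is enforced by the ASP.NET authorization module before any page code runs, so the restricted section does not depend on each page remembering to check the caller's role.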

Thursday, October 12, 2006

Firefox popups

Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see occasional popups.

It turns out that some clever people figured out that you could launch popups from Flash, getting around the Firefox default settings.

Fortunately, you can get around it:

1. Type about:config into the Firefox location bar.
2. Right-click on the page and select New and then Integer.
3. Name it privacy.popups.disable_from_plugins
4. Set the value to 2.

The possible values are:

* 0: Allow all popups from plugins.
* 1: Allow popups, but limit them to dom.popup_maximum.
* 2: Block popups from plugins.
* 3: Block popups from plugins, even on whitelisted sites.

Perspective of Performance and Security in IT

Performance and security are like brothers in IT. They are similar and yet they fight each other at times.

Both performance and security are important inherent qualities in IT systems. Who would not want a fast and secured IT system? You want your home computer to be fast and secured. The bank CEO wants his Internet banking system to be fast and secured for his customers.

This was a very nice article on the ACE Team Blog. If you wish to read more, here it is:

http://blogs.msdn.com/ace_team/archive/2006/07/03/655524.aspx

The Oracle Global Product Security Blog

Have you ever seen this?

The Oracle Global Product Security Blog

Oracle is getting committed to security by publishing ratings for vulnerabilities on its security blog... :)

Security researchers have criticized Oracle in the past for the time the company has taken to fix vulnerabilities.

In July 2005, security experts at Red Database Security outed six flaws, claiming that the company had more than 650 days to fix the security issues.

Peter Finnigan, who first noted the change in policy, has provided a great list of tools for auditing and testing Oracle databases. If you get a chance, do visit his site at http://www.petefinnigan.com

Developing More-Secure Microsoft® ASP.NET 2.0 Applications Now Available

A new book in the Secure Software Development Series, this time from Dominick Baier, is now available from Microsoft Press.

It covers ASP.NET 2.0 security features as well as security defenses and design and coding best practices. There’s also a chapter on the not-so-well-understood aspect of building and deploying least-privilege and partial trust ASP.NET 2.0 applications. This is a must-read chapter for Web site hosters.

You can get more info about the book here.

Monday, October 09, 2006

Spoofing threats are usually associated with a wily hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security.

Tampering with data involves the malicious modification of system or user data with or without detection.

Repudiation threats are associated with users—malicious or otherwise—who can deny performing an action without administrators having any way to prove otherwise. An example of a repudiation threat is a user performing an illegal operation in a system that lacks the ability to trace such operations.

Information disclosure threats involve the compromising of private or business-critical information through the exposure of that information to individuals who are not supposed to see it.

Denial of service (DoS) threats, when carried out, deny service to valid users—for example, by making the system temporarily unavailable or unusable, or by forcing a reboot or restart of the user’s machine.

Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.