Thursday, June 18, 2009

Looking for better solution(s)

It has been 5 years that I have been looking at Application Security issues. It makes me wonder when I find myself and many others still looking for better solutions to some unsolved security problems. There are certain issues where we have broken our heads to get a solution, but in the end it hasn't been secure "enough".

I thought it might be interesting to post my list of such issues for others to see, and to get opinions on them.

Still looking for better (secure) solutions for the following points:
1. Implementing a strong Key Management solution for PCI compliance. Customers trust products which can help achieve this compliance, but do not trust bespoke implementations. I strive to get this done!

2. Developing a better CAPTCHA mechanism to defend against robots. I believe a real-world user hates the current image version displayed. It has to be simple and secure.

3. Getting the NAT'ed IP address of the user using HTML or JavaScript.

4. A strong solution to prevent users from getting onto fake sites (phishing) without much user education.

5. Developing an effective and manageable Web Application Firewall which can be at least a bronze bullet (if not a silver bullet) for web security. :)

6. Designing security for social networking sites, where a feature could be exploited as a flaw.

5 comments:

  1. Laurence Brennan, June 18, 2009 10:51 AM

    Very true, Dharmesh. We still struggle to find "better" solutions that can give us sound sleep at night, thinking the systems are secure or, if something happens, that we have damage control.

    I think most of the issues in your list are in mine too. I also think of Data Privacy as one of the issues which is "unsolved".

  2. Nice to see your post on this issue, and after a long time.

    I too agree with Laurence... your list may be something everyone in the industry should try getting a 'better' solution for...

  3. 1. Take a look at StrongKey (www.strongkey.org) the industry's first open-source enterprise Symmetric Key Management System - it offers far more than you're likely to need;

    2. As long as applications use UserID/Passwords for security, do not hope for security - see why (Identity Protection Factor http://middleware.internet2.edu/idtrust/2008/papers/01-noor-ipf.pdf);

    3. What purpose does a NAT'ed IP address serve to the web application? Most NAT'ed addresses are non-routable RFC 1918 addresses;

    4. "You give a man a fish, and he eats for a day; you teach him to fish and he eats for a lifetime". Without recurrent education, do not hope for secure solutions.

    5. Design and build security into the application and you won't need a firewall;

    6. See #5.

  4. @Arshad...

    I think the point Dharmesh is making is that we are still trying to find a better solution to his points. Agreed, the things you have mentioned are solutions... however not widely accepted ones...

  5. @Point 5: I think we are yet to find a good solution for Phishing...

    @Arshad... Teaching users is not what you accept for providing them with security... We need to understand that users can be anyone... right from the non-educated to the security savvy like us...
