Saturday, October 6, 2007

Preventation is better than Cure

With over 6 years of experience in penetration tests of all sorts of systems from networks to web applications to databases to many others more, I can say that i have successfully achieve my goals as "hacker" or a white hat. As usual, i am constantly keeping myself abreast of the lastest exploits and hacking methodology. I am not really a true researcher, but however a guy who loves to read all sorts hacking books or articles.

Well, with the recent work i am doing on web applications, i can say that most web applications are truly not secure and hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea of how secure programming is so important. Once they are hacked, their reputation is gone and data is lost. From what i see, customers are always eager to launch their application online maybe because of certain time frame they have to meet or maybe because they are eager to let the consumers know more about their services and products, but they did not think about security on their applications as a whole. Well, i would advise them to think twice and think about the possibility of being hacked hard time. Below are a few guidelines that i got from Jeremiah's whitepaper that after reading it, i feel that it is important to embrace it, rather than treating it just like another whitepaper.

Secure Code: Application developers must consider security
from the beginning. Involve the security staff early in the
process.

QA Development: Experienced staff must perform periodic
security as well as usability reviews.

Stay up-to-date on patches and configured securely.

Continuous assessments: Covering both technical and logical
issues on the production web site as its being changed.

Also, for those who are paranoid about your web applications and have no budgets to spent, you guys should install an Web Application Firewall like ModSecurity to shield off most of the attacks and moreover, it is customizable where you can add your own ruleset. There are also a few open source WAF like PHP-IDS for XSS, URLSCAN for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what do you really need.

The Hacka Man

1 comment:

chunxue said...

During the World War II, Art Deco jewellery was ugg sale a very popular style among women. The females started ugg boots wearing short dresses and cut their hair short. And uggs such boyish style was accessorized with Art Deco jewellery. They used cheap ugg boots long dangling earrings and necklaces, multiple bracelets and bold ugg boots uk rings.Art Deco jewellery has harshly geometric and symmetrical theme instead disocunt ugg boots of free flowing curves and naturalistic motifs. Art Deco Jewelry buy ugg boots today displays designs that consist of arcs, circles, rectangles, squares, and ugg outlet triangles. Bracelets, earrings, necklaces and rings are added with long ugg boots outlet lines and curves.One example of Art Deco jewelry is the Art Deco ring. Art Deco rings have ugg mall sophisticated sparkle and bold styles. These rings are not intended for a subtle look, they are meant to be noticed. Hence, these are perfect for people with bold styles.