From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Sat, 23 Feb 2002 22:27:25 -0800 (PST)
Subject: [iwar] [fc:Application.security.'in.a.grim.state']
Message-Id: <200202240627.g1O6RPk13644@red.all.net>

Application security 'in a grim state'
By James Middleton, Vnunet, 2/19/02
http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1129340

Application security is "in a grim state", according to new research. Almost half of application security vulnerabilities are readily exploitable through entirely preventable defects.

The typical ebusiness application is at serious risk of compromise because of security flaws introduced early in the design cycle, but these risks could easily be reduced by as much as 80 per cent, according to security firm @stake.

While analysing 45 popular ebusiness applications, @stake found a "grim" level of security and noted that not all applications are created equal. The research found that "the best designed applications have one quarter as many security defects as the worst. As a result, these applications carry 80 per cent less business-adjusted risk than the least secure."

Six areas distinguished the top security performers from the bottom ones: early design focus on user authentication and authorisation; mistrust of user input; end-to-end session encryption; safe data handling; elimination of administrator backdoors and default settings; and security quality assurance.

Dan Geer, @stake's chief technical officer, said: "Our research shows that the primary difference between the top and bottom performers is due to superior practices in designing, coding and deploying secure applications."

The company discovered that 47 per cent of applications suffer from readily exploitable security flaws that fall into nine common classes: weaknesses in administrative interfaces; authentication/access control; configuration management; cryptographic algorithms; information gathering; input validation; parameter manipulation; sensitive data handling; and session management.
The most common application security mistake is a lack of adequate authentication and access control. According to the firm, user session security remains the Achilles heel of most ebusiness applications because user input is trusted implicitly or relies on client-side validation, rather than having the server itself check for inappropriate data.

"Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director at @stake.

------------------
http://all.net/
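The "server itself checks" point above, as an added example that is not from the article or from @stake's report: a toy checkout handler that trusts a price posted back by the browser, beside one that re-derives the price from server-owned data and validates the quantity with an explicit allow-list. The catalogue, SKU names and quantity limit are constructed for the example.

```python
# Added illustration: trusting the client vs. checking on the server.
# CATALOGUE, the SKU names and MAX_QTY are constructed for this example.
import re

CATALOGUE = {"SKU-100": 2500, "SKU-200": 9900}  # price in cents, server-owned
MAX_QTY = 100
QTY_PATTERN = re.compile(r"[0-9]{1,3}")        # ASCII digits only, 1-3 chars


class RejectedInput(ValueError):
    """Raised when a request fails server-side validation."""


def checkout_trusting_client(form: dict) -> int:
    """Vulnerable pattern: the order total is computed from a price the
    browser posted back (e.g. a hidden form field). Any client-side
    JavaScript check on that field is advisory only, so the server has
    no control over the value it multiplies."""
    return int(form["price"]) * int(form["qty"])


def checkout_server_checked(form: dict) -> int:
    """Hardened pattern: every security-relevant value is re-derived from
    server-owned data, and the remaining user input is validated against
    an explicit rule before use. The posted price is never read."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise RejectedInput("unknown sku")
    qty_raw = form.get("qty", "")
    # fullmatch against an allow-list pattern rejects '', '-1', '1e3',
    # '1.5' and ' 5 '; int() alone would accept negatives and padding.
    if not QTY_PATTERN.fullmatch(qty_raw):
        raise RejectedInput("qty must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise RejectedInput("qty out of range")
    return CATALOGUE[sku] * qty


def is_rejected(form: dict) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        checkout_server_checked(form)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    tampered = {"sku": "SKU-100", "price": "1", "qty": "2"}  # constructed
    print("trusting client:", checkout_trusting_client(tampered))  # 2
    print("server checked: ", checkout_server_checked(tampered))   # 5000
```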
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST