
Applications and security consideration

  • 05-02-2007 6:01am
    #1
    Closed Accounts Posts: 24


    I am working with an online institute; the developer team has got different applications which are based on the following technologies:

    All are web-based applications
    Built either on .NET Framework 1.1 or .NET Framework 2.0
    SQL Server as the database at the backend
    None of them are Active Directory enabled.



    My role is security admin (not developer). What security considerations do I have to take into consideration for these applications?


Comments

  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Zillah2004
    My role is security admin (not developer). What security considerations do I have to take into consideration for these applications?

    Not meaning to state the obvious, but shouldn't you know this stuff if you're the Security Admin! :)

    Anyway, from what I've been told you should look out for SQL injection attacks. Also you might want to consider whatever you plan on hosting the web applications on, because these will of course also be targets (IIS/Apache etc.).


  • Closed Accounts Posts: 24 zillah2004


    Not meaning to state the obvious, but shouldn't you know this stuff if you're the Security Admin!
    Sorry, I should have mentioned that my role involves the Cisco security area more than the application area.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Here are RSS feeds that cover security and various security-related topics.

    Not meaning to sound all Delphic oracle, but.

    If you read them they should help.

    But it's only a start.


  • Closed Accounts Posts: 24 zillah2004


    I have seen code with your attachment?

    You meant to say that I have to go through the code?

    Thanks


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Import it into an RSS reader and you'll have a list of research sites and other misc security-related sites.

    (Assuming you're a Windows user)
    http://www.sharpreader.net/
    Or
    http://www.rssbandit.org/
    Or
    RSS reader of choice

    Should do it nicely

    I know in at least one of these feeds (I think a podcast), policies were suggested for development teams, but I'm damned if I can figure out where and when. But there's plenty in there worth reading and it should give you a starting point.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Anyway from what I've been told you should look out for SQL injection attacks

    Agreed, but that should really be taken care of already by the developers. Anyone developing something like that who isn't up to speed on SQL injection attacks by now deserves a good clip around the ear IMO!

    Zilla, I'm not sure what you'd need to think about in particular with these applications, but general things you should consider are:

    Who needs to access the application-hosting servers and where from?
    If they're accessing from an untrustworthy network, how can you make it as secure as possible?
    What about auditing - how will you keep track of what traffic passes in (and out) of this network?
    More importantly, will you be able to track if someone bypasses your protection?


  • Closed Accounts Posts: 24 zillah2004


    If they're accessing from an untrustworthy network, how can you make it as secure as possible?
    Yes, I am accessing from the internet.
    What about auditing - how will you keep track of what traffic passes in (and out) of this network?
    Do you mean I have to rely on some software for auditing?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    SQL injection, and protection against many other forms of attacks, are certainly development issues but this may not be the impression of whoever has set the original poster the task of monitoring the security of the application. The development team's ability to do this might be excellent, adequate or actually poor and we have no way of telling. One thing that is sure though is that they will rate themselves as at least adequate and not take kindly to any suggestion to the contrary.

    Guiding a development team in such matters is tricky in my experience, but a start would be to provide some useful pointers such as the OWASP site. If your guys can give a decent answer to "How are you preventing the application from having this flaw?" for each of the OWASP top ten ( http://www.owasp.org/index.php/OWASP_Top_Ten_Project ) then you'll get a good idea of where you stand.

    This is extremely simplistic advice, but it achieves or potentially achieves a few things:

    1. It raises awareness of security issues.
    2. It starts to examine the development process for its suitability for dealing with such issues, which can lead to improvement.
    3. It provides a way for you, as a non-development person, to interact with the development team about security. This is quite important, because if you try to prescribe or direct their efforts then you'll probably hop off of a brick wall and achieve nothing but a working environment headache.
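    As an added illustration (not code from this thread or from the poster's team), this is what Cake Fiend's point that SQL injection "should really be taken care of already by the developers" and ecksor's "How are you preventing the application from having this flaw?" question look like in the ADO.NET code a .NET 2.0 / SQL Server team would actually write: the concatenated query a reviewer should flag, next to the parameterised one that is the acceptable answer. The connection string, table and column names are assumptions made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Constructed example: a student lookup in an ASP.NET 2.0 application backed by
// SQL Server. Table, columns and connection string are placeholders, not from the thread.
public class StudentLookup
{
    // SQL authentication, since the thread says the apps are not Active Directory enabled.
    const string ConnStr =
        "Server=DBHOST;Database=Institute;User Id=app_user;Password=PLACEHOLDER;";

    // VULNERABLE: user input is concatenated into the SQL text, so a quote in the
    // input changes the query's structure. Even a legitimate surname such as
    // O'Brien breaks this query, which is the tell-tale sign that input is being
    // parsed as SQL. Grep the codebase for CommandText built by + or String.Format.
    public static string BuildUnsafeQuery(string surname)
    {
        return "SELECT StudentId, Surname FROM Students WHERE Surname = '" + surname + "'";
    }

    // HARDENED: the SQL text is fixed and the value travels as a typed parameter.
    // SQL Server never parses the surname as SQL, so quotes in it are just data.
    public static int CountBySurname(string surname)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT COUNT(*) FROM Students WHERE Surname = @surname", conn))
        {
            // Declaring the type and length also lets the driver reject oversized input.
            cmd.Parameters.Add("@surname", SqlDbType.NVarChar, 100).Value = surname;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Shows the reviewer the unbalanced quote the unsafe version produces;
        // no database is needed for this part of the demonstration.
        Console.WriteLine(BuildUnsafeQuery("O'Brien"));
    }
}
```

    A development team that answers the OWASP injection question with "every SqlCommand uses parameters or stored procedures, and here is how we checked" is in the "adequate or better" category ecksor describes; one that cannot point to anything like CountBySurname is where the security admin should start.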


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    zillah2004

    Just a thought (see Shad0r's post in this forum). It would probably help you a lot if you went to the seminar. I attended another Mile2 one before and it was great, very informative, but you could try and get speaking to the PenTester/trainer afterwards; I'm quite sure he could give you some great tips from a Pen Tester viewpoint...

