Palisade Magazine


Best Practices

Control Flow Myths busted in Java

by Ashish Rao in December 2011

There are many things that we assume and use in this crazy world of "programming" without analyzing the behavior of programming entities. The more complex the applications we build and use, the more we need to understand their behavior in terms of their execution pattern. There are a few myths or misconceptions about certain programming entities in Java which, if left unexplored, can inadvertently lead to major programming flaws in the application. We will try to decipher these myths one by one.

Evolution of Authentication in Web Applications

by Sangita Pakala in October 2011

Authentication is the process of verifying the identity or authenticity of a person or an entity. Let’s go back to the time when the world was not yet introduced to computers and the internet. If a customer of a bank had to withdraw some money from the branch, how would it take place? The teller at the branch would ask the customer for a proof to confirm that he/she is the valid customer. The customer would then sign on a piece of paper, which would be compared with the signature provided by the customer at the time of opening the account. With the advent of computers, the signature was replaced by the password. The user would set a password value during registration and then provide it each time to access the account.

Secret Questions – A soft target

by Ashish Kumar in June 2011

Security is not only about the product but also about the process and people. When we say ‘people’, it includes the employees of the service provider as well as the end users. Therefore, end users also need to take some responsibility and put in efforts to ensure application security. Traditionally, we have been writing articles for developers, CISOs, system and network administrators, security architects, etc. This time, however, we have written an article for the end user. People in the previously mentioned roles must be using one website or another for financial transactions, storage of personal data or transfer of sensitive information. So, in a way, this article is also meant for them.

NERC CIP Standards for Bulk Electric System SCADA Networks

by Balaji V in June 2011

We discussed security in a SCADA network in previous articles. In this article, we are going to look at some of the compliance requirements for SCADA networks, specifically focusing on the NERC CIP standards. This is a concern for all utility companies running SCADA systems, as they potentially have to comply with multiple regulatory requirements, industry standards, guidelines, and best practices. But there is no clarity on exactly which standard needs to be followed.

Watchful File Upload

by Ashish Rao in April 2011

A file upload is a feature of a web application which throws open the doorways of the entire file system of the server to end users. What more would an attacker want anyway! Applications that store the uploaded files on the server without any validation put their servers at a huge risk of being compromised. Files like harmful executables can cause considerable damage to the servers. However, it also depends on the way the uploaded files are handled by the applications.

Implementing a Secure Forgot Password Solution

by Harshvardhan Parmar in April 2011

In the last article, we observed some of the common flaws in the implementation of the Forgot Password feature. This time we will take a look at one of the most common implementations of the Forgot Password feature that we have seen in various banks, and a drawback to this implementation that might very well be called a chink in an otherwise impenetrable armor. We will also take a look at how we can implement a Forgot Password feature that addresses all possible threats.

Common Flaws in Forgot Password Implementation

by Harshvardhan Parmar in December 2010

As awareness about information security is increasing, application owners are taking measures to safeguard their applications. But even with a single vulnerability present, an attacker might be able to gain control of the application. A lot of attention is given to securing the authentication mechanism for an application as post-login data is deemed confidential and important. However, sometimes a seemingly harmless feature on a public page might render all the prevention and security mechanisms useless. The ‘Forgot Password’ feature is one such feature, which can be misused to compromise user accounts.

Firewall Rulebase Cleanup - A manual approach

by Ajish T John in October 2010

The KISS (keep it short and simple) concept rarely works for firewalls due to multi-admin-managed environments and the increase of network-dependent applications. Eventually, the firewall rules increase in number, resulting in redundant/shadowed rules, longer troubleshooting time, degraded performance and, very often, hidden threats. Hence, to avoid the above-mentioned disadvantages, a well-maintained rulebase on enterprise firewalls is highly desirable.

Cookie Attributes and their Importance

by Harshvardhan Parmar in October 2010

Cookies are pieces of information stored on the client side, which are sent to the server with every request made by the client. Cookies are primarily used for authentication and maintaining sessions. Hence, securing a cookie effectively means securing a user’s identity. Cookies can be secured by properly setting cookie attributes. These attributes are:…

Thinking Beyond Security Assessments

by Kumar Manivel in August 2010

Security assessments have been performed for my entire infrastructure and applications, what else? Most of the time, we see that customers feel completely safe after a security assessment of their infrastructure. However, this should not be the case, because factors such as frequent changes in organization infrastructure, various patch releases from software and hardware vendors, new (untrained) employees, and new security threats will lead to security breaches. Security is not a product but a process.

Why Static Analysis?

by Vivek Shetti in August 2010

XYZ organization had their critical financial application tested by an information security company. The tests found that the application had adequate security controls in place for protection against hackers. Even the web server on which the application was hosted was well-protected. A week later, the application was hacked and important financial details were compromised. On analysis, it was found that the attacker gained entry into the application through a backdoor that allowed him to access the application as a high-privileged user.

Secure coding techniques in ASP.NET - Part 2

by Jaideep Jha in April 2010

In continuation of the secure coding techniques in ASP.NET series, we will be talking about another programmatic implementation of the anti-CSRF token, and protection against session fixation attacks.

An Attack Response Model for a Network Compromise

by Sudhindhar J in February 2010

An incident, in the context of this article, can be defined as an adverse event that endangers the security of computing systems or networks. Examples of incidents could include activities such as repeated attempts to gain unauthorized access to a system or its data, unwanted disruption or denial of service, or changing system hardware or software characteristics without the owner’s knowledge or consent.

Top 5 Secure Coding Tips for PHP applications

by Reena Agarwal in December 2009

In this article, we will be looking at the top 5 best practices to develop secure code in PHP. These include filtering of input data to eliminate unexpected input, securing database queries using parameterization, filtering of output data, error handling through custom errors and preventing other forms of injection attacks.

Secure coding techniques in ASP.NET - Part 1

by Siddharth Anbalahan in December 2009

A number of applications today are developed with a web interface, and if the operating system in use is Microsoft Windows then ASP.NET seems to be the ideal choice. Microsoft has taken great initiative in ensuring the ASP.NET framework has some built-in security features that help programmers develop secure web applications. In this 3-part series, we will be talking about the different components of ASP.NET that programmers can leverage to develop secure web applications.

Best Practices for Protecting Banking Sites

by Terence Cornelius in August 2009

The scale of the global criminal operation on the internet has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds - 24 hours a day, 365 days a year. With statistics like that it is highly possible that at least one of your bank’s websites is already a victim. At least you should be wondering about the security of your websites very seriously. Nowadays, defaced banking websites or fraudulent sites posing as your website aren’t the only worry. Even your actual production website can be dangerous if hackers can get their hooks into it.

Securing PHP using Hardening Patch and Suhosin

by Avinaash Acharya in June 2009

The National Vulnerability Database shows that 953 vulnerabilities were discovered in PHP during the first quarter of 2009. Most of the PHP vulnerabilities can be exploited remotely. Threats to database and web servers linked to PHP applications are high since PHP programs are executed dynamically on the server side. So when it comes to PHP security, ignorance is definitely not blissful. There are several methods to secure PHP. We discuss the use of the hardening patch and its extensions in this article.

Meeting compliance requirements through application & network penetration tests and code reviews

by Rajesh Gopinath in April 2009

In our February issue, “Measuring the Value of Remote Application Security Testing”, Paresh talked about the value of remote application security testing and specifically what our clients look for in a remote application security test. One of the points that came up in the article was regulatory requirements. This was expected. Organizations are now forced to follow high standards to protect customer data. While regulations such as Sarbanes-Oxley, GLBA and FISMA don’t clearly state that application and network penetration tests and code reviews are required, it’s obvious that there is a strong emphasis on regular testing in one form or the other. With PCI DSS becoming mandatory for organizations handling payment card holder data, organizations now have to perform regular network and application penetration testing. Let’s look at some of the regulations and standards and their stance on penetration testing and code reviews.

Selecting Application Security Vendors – Part II

by Sachin Varghese in February 2009

In March 2005, Jose Varghese outlined the best practices for selecting application security vendors in Palisade. That article gave pointers to mid-size and large enterprises who are leveraging external application security expertise or intending to leverage external resources. Four years later, we review the themes in that article. Have those criteria changed over these years, when application security has moved from back-stage to center-stage? As we reviewed the criteria, we observed that the core principles Jose laid out in 2005 still hold true.

SAP Baseline Security Audit

by Rajesh Gopinath in October 2008

A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit program and is ideal for generating a quick win early. This article outlines the areas covered under the SAP Baseline Security Audit we perform.

The Payment Application Data Security Standard (PA DSS)

by Sangita Pakala in July 2008

PA DSS fills a gap in the better-known PCI DSS standard. Today, we’ll discuss this lesser-known standard. Remember that the biggies of the credit card industry put their heads together and came up with the Payment Card Industry Data Security Standard (PCI DSS). Their aim was to protect the “Cardholder’s” data. PCI DSS was first released in 2005 and then revised in October 2006. PCI DSS has a few requirements that talk about securing web applications that deal with cardholder data.

Mobile Banking - Threats and Mitigation

by Suraj Sankaran in June 2008

In my previous article, I had explained the two common mobile banking architectures and exchange of information using one of the architectures. In this article, I’ll be explaining the threats observed and an ideal process to overcome these threats. The explanation would be based on the information exchange for the architecture discussed in my previous article. Each phase has the threats mentioned and a secure process to ensure these threats are mitigated.

Phishing Questions

by Roshen Chandran in November 2006

Our series of articles on Phishing - Protection, Detection, and Incident Response evoked several questions. In this issue, we answer three of the most interesting questions we came across. Please keep the questions flowing, thank you!

5 Tips for Securing Software as a Service

by Roshen Chandran in October 2006

Field notes on how best to secure “Software as a Service” (SaaS). We ran into 12 SaaS apps last quarter - we were asked to test them. Here’re our field notes from those assignments, our favorite security tips to SaaS developers:…

Securely Webifying Applications

by Roshen Chandran in October 2006

We see a recurring pattern of security errors when organizations migrate their legacy applications to the web. This Executive Briefing documents the most common security mistakes we have seen in the last 5 years.

Securing IIS Web Servers

by Siddharth Anbalahan in September 2006

In our previous article we showed how to securely deploy one of the most popular web servers, i.e. the Apache web server. In this article we cover how we can secure the IIS 6.0 web server. Microsoft’s initiative towards security, Trustworthy Computing, is based on four pillars as defined by Microsoft:…

Are Complex Passwords Really Necessary?

by Roshen Chandran in August 2006

Why it’s silly to enforce passwords like “2@$Rw0rd~” in web applications. Insist on complex passwords in your Windows LAN. But not in your web applications. In this issue we put complex passwords in perspective. We first discuss how they enhance the security of Windows LANs, and then show why they are less relevant for web apps.

Securing Apache Web Servers

by Siddharth Anbalahan in July 2006

According to Dr. Johannes Ullrich, CTO of the SANS Institute’s Internet Storm Center, "web application attacks account for a significant portion of hacking activities across the Internet." Securing web servers is an important step towards preventing some of the most common application layer attacks. The Netcraft Web Server Survey, June 2006 recorded that Apache is the leading web server in the market with a market share of 61.25%. In this first part of the two-part series, we will look at some of the general secure configuration settings of the Apache web server.

Thick Client Application Security - Defenses

by Balaji V in May 2006

In the first article in this series, we saw the various attacks on two-tier thick client applications. This part will discuss the defense mechanisms available to tackle those attacks.

Pharming on the Net

by Nilesh Chaudhari in March 2006

You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking emails and manage to usurp money or personal information from unsuspecting customers with reasonable success. Pharming is phishing on steroids.

Implementing Password Recovery

by Deepu Thomas Philip in January 2006

Password recovery is a process which becomes necessary when a genuine application user is unable to authenticate due to lost or forgotten passwords. We look at the various challenges in a secure password recovery implementation.

Interviewing software developers

by Shaheem Motlekar in November 2005

When do you get secure software? When your developers know how to write secure software. That is a no-brainer; yet how often have you quizzed your developers on application security while recruiting them? We present some questions to ask in your next interview in this article…

Encrypting data in Databases

by Priyali Vibhute in June 2005

Organizations take a lot of steps to protect their confidential data. Almost all security measures, including encryption, are considered only while transferring information on the wire, not while storing it in the database. More often than not, it is stored as clear text in the database. In this article we see how database encryption can enhance the security of our data.

Selecting Application Security Vendors

by Jose Varghese in March 2005

Traditional security has always been focused on perimeter defense. With most organizations having strengthened their perimeters with firewalls, VPNs and intrusion detection systems, attackers have shifted their focus to the application layer. Most of these attacks are far more damaging than network layer attacks and primarily focus on weaknesses in the application like poor input validation, insecure session management, etc. For effective security, it is important for the enterprise to ensure that all business applications are tested for security as rigorously as they are tested for functionality and performance before they are deployed in production…

Best Practices in Input Validation

in December 2004

Last week, I polled our consultants on the most common software security errors they saw in 2004. Consultants from across our offices pointed out how simple input validation errors continue to be the #1 problem they see daily. This is really not a new problem; it’s just been a difficult one. I asked them for their list of best practices for validating inputs: the top 10 recommendations they have been making to clients on input validation. Here’s the list they came up with…

Catch'em Young - How to discover vulnerabilities early

by Roshen Chandran in November 2004

Bugs are introduced at every stage in the development lifecycle. Some of them are caught quickly in the same stage itself. However, many are caught only much later. Here’re the systems we find to be most effective to address security bugs…

Application Logs - Security Best Practices

by Dipesh Rawal in October 2004

Security logs capture the security-related events within an application. They help detect security violations and flaws in the application, and help reconstruct user activities for forensic analysis. Shortlisting the events to log and the level of detail are key challenges in designing the logging system. This article simplifies the selection by presenting the options that many critical applications chose…

Controls for Outsourcing Software Development

by Giridhar T M in October 2004

When you outsource software development, how do you ensure that security has been adequately addressed by the vendor? In this article we look at the controls that you need to put in place over the vendor at the various stages of the development lifecycle…

Training your Developers

by Shaheem Motlekar in September 2004

The most effective way to secure applications is by writing them securely; and the best way to achieve this is by training your development team to write safer applications. This article presents the key components of a security program for your development team…

Security at Software Requirements Specification

by Roshen Chandran in August 2004

Applications designed with security in mind are safer than those where security is an afterthought. Traditionally, security issues are first considered during the Design phase of the Software Development Life Cycle (SDLC), once the Software Requirements Specification (SRS) has been frozen. That’s one stage too late.

Authentication - Security Best Practices

by Roshen Chandran in July 2004

Authentication modules are the most exploited pieces in a web application. We look at ten good practices that ensure your authentication system is safe against an attack…