
Summary

Created May 23, 2003.

This short discussion on web application security should have left you with a sinking feeling in your stomach. How many times have you sent unencrypted passwords across the network or set up a server without paying attention to the many updates or patches that followed its initial release? If this article enlightened you at all to the dangers of operating online, then it has served its purpose.

While this part of the InformIT Security Reference Guide touched on many security threats that an application must be protected against, it really only scratched the surface of application security. There are many other ways in which each type of attack can be exploited. And, in addition to existing methods, attackers are finding new vulnerabilities every day that redefine protection techniques. Fortunately, the software industry is starting to understand the significance that insecure code can have on its business. Microsoft's Trustworthy Computing program and Oracle's Unbreakable marketing scheme are indicators that attackers are having an impact on vendors' attitudes toward security. However, at the end of the day, it really doesn't matter what's being done for tomorrow if your software is vulnerable to attack today.

InformIT Articles and Sample Chapters

"Close Encounters of the Hacker Kind: Part 2 of the Story From the Front Line" describes what can happen when application security goes wrong. As Seth Fogie illustrates in this true story, a programming error in an application can have long-lasting global ramifications.

"SQL Server Attacks: Hacking, Cracking, and Protection Techniques," by Seth Fogie and Cyrus Peikari, takes a close look at the many risks associated with operating a database server, with a focus on web applications. You see firsthand how programming errors and misconfiguration can result in lost data or the complete compromise of a system.

Online Resources

"Advanced SQL Injection in SQL Server Applications," by Chris Anley, is an NGSSoftware Insight Security Research (NISR) publication. This paper is a must-read for any developer using a SQL server. While it assumes prior knowledge of SQL commands, it sets the standard for understanding SQL injection attacks. NGSSoftware is one of the top security companies dealing with SQL-related attacks and has discovered numerous SQL vulnerabilities.

"Unauthenticated Remote Compromise in MS SQL Server 2000," by David Litchfield, discusses the details of the SQL Slammer worm that made headlines early in 2003 with its infection of 200,000 computers in a few hours.

"Smashing the Stack for Fun and Profit" is credited with bringing buffer overflow attacks into the limelight. In this technical and detailed article, Phrack again provides an enlightening view into the world of the underground hacker as the concept of the buffer overflow is explained and illustrated in unparalleled detail.

Books and e-Books

Hackers Beware: The Ultimate Guide to Network Security (New Riders, 2001, ISBN 0735710090), by Eric Cole. A good defense starts with a thorough understanding of your opponent's offense. Hackers Beware teaches you how hackers think, what tools they use, and the techniques they utilize to compromise a machine. Eric Cole, a leading expert in information security, shows you not only how to detect these attacks, but what you can do to protect yourself against them. When it comes to securing your site, knowledge is power. This book gives you the knowledge to build a proper defense against attackers. (Preview this book on Safari)

Hack I.T.: Security Through Penetration Testing (Addison-Wesley, 2002, ISBN 0201719568), by T. J. Klevinsky, Scott Laliberte, and Ajay Gupta, is an excellent book covering many of the aspects of penetration testing. This book offers not only a glimpse into how hackers abuse applications, but how you can protect and defend yourself from attack. (Preview this book on Safari)

Windows Internet Security: Protecting Your Critical Data (Prentice Hall PTR, 2001, ISBN 0130428310), by Seth Fogie and Cyrus Peikari. The world's easiest-to-understand introduction to Internet security—get this book if you're just beginning.
