Best Practices
Thinking Beyond Security Assessments
by Kumar Manivel in August 2010
Security assessments have been performed for my entire infrastructure and applications, what else? Most of the time, we see that customers feel completely safe after a security assessment of their infrastructure. However, this should not be the case, because factors such as frequent changes in organization infrastructure, various patch releases from software and hardware vendors, new (untrained) employees, and new security threats will lead to security breaches. Security is not a product but a process.…
Why Static Analysis?
by Vivek Shetti in August 2010
XYZ organization had their critical financial application tested by an information security company. The tests found that the application had adequate security controls in place for protection against hackers. Even the web server on which the application was hosted was well-protected. A week later, the application was hacked and important financial details were compromised. On analysis, it was found that the attacker gained entry into the application through a backdoor that allowed him to access the application as a high-privileged user.…
Secure coding techniques in ASP.NET - Part 2
by Jaideep Jha in April 2010
In continuation of the secure coding techniques in ASP.NET series, we will be talking about another programmatic implementation of the anti-CSRF token, and protection against session fixation attacks.…
An Attack Response Model for a Network Compromise
by Sudhindhar J in February 2010
An incident, in the context of this article, can be defined as an adverse event that endangers the security of computing systems or networks. Examples of incidents could include activities such as repeated attempts to gain unauthorized access to a system or its data, unwanted disruption or denial of service, or changing system hardware or software characteristics without the owner’s knowledge or consent.…
Top 5 Secure Coding Tips for PHP applications
by Reena Agarwal in December 2009
In this article, we will be looking at the top 5 best practices to develop secure code in PHP. These include filtering of input data to eliminate unexpected input, securing database queries using parameterization, filtering of output data, error handling through custom errors and preventing other forms of injection attacks.…
Secure coding techniques in ASP.NET - Part 1
by Siddharth Anbalahan in December 2009
A number of applications today are developed with a web interface, and if the operating system in use is Microsoft Windows then ASP.NET seems to be the ideal choice. Microsoft has taken great initiative in ensuring the ASP.NET framework has some built-in security features that help programmers develop secure web applications. In this three-part series, we will be talking about the different components of ASP.NET that programmers can leverage to develop secure web applications.…
Best Practices for Protecting Banking Sites
by Terence Cornelius in August 2009
The scale of the global criminal operation on the internet has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds - 24 hours a day, 365 days a year. With statistics like that, it is highly possible that at least one of your bank’s websites is already a victim. At the very least, you should be thinking about the security of your websites very seriously. Nowadays, defaced banking websites or fraudulent sites posing as your website aren’t the only worry. Even your actual production website can be dangerous if hackers can get their hooks into it.…
Securing PHP using Hardening Patch and Suhosin
by Avinaash Acharya in June 2009
The National Vulnerability Database shows that 953 vulnerabilities were discovered in PHP during the first quarter of 2009. Most of the PHP vulnerabilities can be exploited remotely. Threats to database and web servers linked to PHP applications are high since PHP programs are executed dynamically on the server side. So when it comes to PHP security, ignorance is definitely not blissful. There are several methods to secure PHP. We discuss the use of the hardening patch and its extensions in this article.…
Meeting compliance requirements through application & network penetration tests and code reviews
by Rajesh Gopinath in April 2009
In our February issue “Measuring the Value of Remote Application Security Testing” Paresh talked about the value of remote application security testing and specifically what our clients look for in a remote application security test. One of the points that came up in the article was regulatory requirements. This was expected. Organizations are now forced to follow high standards to protect customer data. While regulations such as Sarbanes-Oxley, GLBA and FISMA don’t clearly state that application and network penetration tests and code reviews are required, it’s obvious that there is a strong emphasis on regular testing in one form or the other. With PCI DSS becoming mandatory for organizations handling payment card holder data, organizations now have to perform regular network and application penetration testing. Let’s look at some of the regulations and standards and their stance on penetration testing and code reviews.…
Selecting Application Security Vendors – Part II
by Sachin Varghese in February 2009
In March 2005, Jose Varghese outlined the best practices for selecting application security vendors in Palisade. That article gave pointers to mid-size and large enterprises who are leveraging external application security expertise or intending to leverage external resources. Four years later, we review the themes in that article. Have those criteria changed over these years, now that application security has moved from back-stage to center-stage? As we reviewed the criteria, we observed that the core principles Jose laid out in 2005 still hold true.…
SAP Baseline Security Audit
by Rajesh Gopinath in October 2008
A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit program and is ideal for generating a quick win early. This article outlines the areas covered under the SAP Baseline Security Audit we perform.…
The Payment Application Data Security Standard (PA DSS)
by Sangita Pakala in July 2008
PA DSS fills a gap in the better-known PCI DSS standard. Today, we’ll discuss this lesser-known standard. Remember that the biggies of the credit card industry put their heads together and came up with the Payment Card Industry Data Security Standard (PCI DSS). Their aim was to protect the “Cardholder’s” data. PCI DSS was first released in 2005 and then revised in October 2006. PCI DSS has a few requirements that talk about securing web applications that deal with cardholder data.…
Mobile Banking - Threats and Mitigation
by Suraj Sankaran in June 2008
In my previous article, I had explained the two common mobile banking architectures and the exchange of information using one of the architectures. In this article, I’ll be explaining the threats observed and an ideal process to overcome these threats. The explanation would be based on the information exchange for the architecture discussed in my previous article. Each phase has the threats mentioned and a secure process to ensure these threats are mitigated.…
Phishing Questions
by Roshen Chandran in November 2006
Our series of articles on Phishing - Protection, Detection, and Incident Response evoked several questions. In this issue, we answer three of the most interesting questions we came across. Please keep the questions flowing, thank you!…
5 Tips for Securing Software as a Service
by Roshen Chandran in October 2006
Field notes on how best to secure “Software as a Service” (SaaS). We ran into 12 SaaS apps last quarter - we were asked to test them. Here’re our field notes from those assignments, our favorite security tips for SaaS developers:…
Securely Webifying Applications
by Roshen Chandran in October 2006
We see a recurring pattern of security errors when organizations migrate their legacy applications to the web. This Executive Briefing documents the most common security mistakes we have seen in the last 5 years.…
Securing IIS Web Servers
by Siddharth Anbalahan in September 2006
In our previous article we showed how to securely deploy one of the most popular web servers, i.e. the Apache web server. In this article we cover how to secure the IIS 6.0 web server. Microsoft’s initiative towards security, Trustworthy Computing, is based on four pillars as defined by Microsoft:…
Are Complex Passwords Really Necessary?
by Roshen Chandran in August 2006
Why it’s silly to enforce passwords like “2@$Rw0rd~” in web applications. Insist on complex passwords in your Windows LAN. But, not in your web applications. In this issue we put complex passwords in perspective. We first discuss how they enhance the security of Windows LANs, and then show why they are less relevant for web apps.…
Securing Apache Web Servers
by Siddharth Anbalahan in July 2006
According to Dr. Johannes Ullrich, CTO of the SANS Institute’s Internet Storm Center, "web application attacks account for a significant portion of hacking activities across the Internet." Securing web servers is an important step towards preventing some of the most common application layer attacks. The Netcraft Web Server Survey, June 2006, recorded that Apache is the leading web server in the market with a market share of 61.25%. In this first part of the two-part series, we will look at some of the general secure configuration settings of the Apache web server.…
Thick Client Application Security - Defenses
by Balaji V in May 2006
In the first article in this series, we saw the various attacks on two-tier thick client applications. This part will discuss the defense mechanisms available to tackle those attacks.…
Pharming on the Net
by Nilesh Chaudhari in March 2006
You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking emails and manage to usurp money or personal information from unsuspecting customers with reasonable success. Pharming is phishing on steroids.…
Implementing Password Recovery
by Deepu Thomas Philip in January 2006
Password recovery is a process which becomes necessary when a genuine application user is unable to authenticate due to lost or forgotten passwords. We look at the various challenges in a secure password recovery implementation.…
Interviewing software developers
by Shaheem Motlekar in November 2005
When do you get secure software? When your developers know how to write secure software. That is a no-brainer; yet how often have you quizzed your developers on application security while recruiting them? In this article we present some questions to ask in your next interview.…
Encrypting data in Databases
by Priyali Vibhute in June 2005
Organizations take a lot of steps to protect their confidential data. Almost all security measures, including encryption, are considered only while transferring information on the wire and not while storing it in the database. More often than not, it is stored as clear text in the database. In this article we see how database encryption can enhance the security of our data.…
Selecting Application Security Vendors
by Jose Varghese in March 2005
Traditional security has always been focused on perimeter defense. With most organizations having strengthened their perimeters with firewalls, VPNs and intrusion detection systems, attackers have shifted their focus to the application layer. Most of these attacks are far more damaging than network layer attacks and primarily focus on weaknesses in the application like poor input validation, insecure session management, etc. For effective security, it is important for the enterprise to ensure that all business applications are tested for security as rigorously as they are tested for functionality and performance before they are deployed in production.…
Best Practices in Input Validation
in December 2004
Last week, I polled our consultants on the most common software security errors they saw in 2004. Consultants from across our offices pointed out how simple input validation errors continue to be the #1 problem they see daily. This is really not a new problem; it’s just been a difficult one. I asked them for their list of best practices for validating inputs: the top 10 recommendations they have been making to clients on input validation. Here’s the list they came up with.…
Catch'em Young - How to discover vulnerabilities early
by Roshen Chandran in November 2004
Bugs are introduced at every stage in the development lifecycle. Some of them are caught quickly in the same stage. However, many are caught only much later. Here’re the systems we find to be most effective at addressing security bugs.…
Application Logs - Security Best Practices
by Dipesh Rawal in October 2004
Security logs capture the security-related events within an application. They help detect security violations and flaws in the application, and help reconstruct user activities for forensic analysis. Shortlisting the events to log and the level of detail are key challenges in designing the logging system. This article simplifies the selection by presenting the options that many critical applications chose.…
Controls for Outsourcing Software Development
by Giridhar T M in October 2004
When you outsource software development, how do you ensure that security has been adequately addressed by the vendor? In this article we look at the controls that you need to put in place over the vendor at the various stages of the development lifecycle.…
Training your Developers
by Shaheem Motlekar in September 2004
The most effective way to secure applications is by writing them securely, and the best way to achieve this is by training your development team to write safer applications. This article presents the key components of a security program for your development team.…
Security at Software Requirements Specification
by Roshen Chandran in August 2004
Applications designed with security in mind are safer than those where security is an afterthought. Traditionally, security issues are first considered during the Design phase of the Software Development Life Cycle (SDLC), once the Software Requirements Specification (SRS) has been frozen. That’s one stage too late.…
Authentication - Security Best Practices
by Roshen Chandran in July 2004
Authentication modules are the most exploited pieces in a web application. We look at ten good practices that ensure your authentication system is safe against attack.…