[Web4lib] Web application security software

Andrew Hankinson andrew.hankinson at gmail.com
Mon May 7 23:52:25 EDT 2007


As someone who's currently cleaning up a hacked server, I can attest that this is a very real concern.

There are some precautions you should take:
1.) As Cary mentioned, every application should have a separate database username and password with privileges only to that database.
2.) Close down your firewall to be as restrictive as you can be. If you need things like SSH, consider restricting access to this from an internal IP and using VPN to connect.
3.) Keep your PHP scripts up-to-date.
4.) Keep your operating system up-to-date.
5.) If you're running on a *nix server, investigate the appropriate permission settings.
6.) We're considering mounting our data directory as a read-only share from a second server, so that even if they gain access to the public-facing machine, they cannot affect our data.
7.) If you're running something that can be restricted to authenticated users, do so, preferably with an SSL connection.

Andrew
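Andrew's first precaution and Cary's description below of a per-application database user both come down to the same set of statements. The following is an added example, not from either poster, showing what that looks like in MySQL syntax (the database, table and account names, and the password, are placeholders chosen for illustration):

```sql
-- Added example (not from the thread): one database and one least-privilege
-- account per web application. MySQL syntax; all names are placeholders.

-- The weak setting this thread warns against: the PHP application connects
-- as the administrative account, so any SQL injection in the application
-- runs with full rights over every database on the server.
--   mysql_connect('localhost', 'root', 'root-password');

-- 1. A database that belongs to this application alone.
CREATE DATABASE catalog_app;

-- 2. An account used only by this application, accepted only from the
--    web server itself (change 'localhost' if the database is on another host).
CREATE USER 'catalog_app'@'localhost' IDENTIFIED BY 'long-random-password-here';

-- 3. Read access to the tables in its own database ...
GRANT SELECT ON catalog_app.* TO 'catalog_app'@'localhost';

-- 4. ... and write access only on the tables it actually modifies.
GRANT INSERT, UPDATE ON catalog_app.comments   TO 'catalog_app'@'localhost';
GRANT INSERT         ON catalog_app.search_log TO 'catalog_app'@'localhost';

-- Nothing else: no DELETE or DROP, no global privileges such as FILE or
-- GRANT OPTION, and no privileges in any other database on the server.

-- Check: the output should list exactly the grants above and nothing more.
SHOW GRANTS FOR 'catalog_app'@'localhost';
```

A quick sanity check after setting this up is to connect as the new account and try `USE mysql;` or `SELECT * FROM some_other_db.some_table;`; both should be refused with an access-denied error. If the application later needs another table or a DELETE, add that single grant rather than widening the account.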

On 7-May-07, at 6:41 PM, Cary Gordon wrote:

> This would be great, if it existed. Unfortunately, the nature of Web
> application vulnerabilities makes this kind of tool effectively impractical.
> Unlike scripted hacking, SQL injection attacks are usually a hands on
> activity.
>
> Assuming that you are not writing these applications yourself, there are two
> approaches to protecting yourself and your users. The first thing to do is
> isolate online applications so that even if they are successfully hacked,
> they can't bring down your system or expose confidential data. You can do
> this by establishing a separate database for each application, then creating
> a database user who only has rights to perform the operations that are
> required for the application. Only give the user write privileges for the
> tables that they need to write to. The user you create should have no
> privileges in other databases.
>
> It is absolutely amazing to me that folks still set up online applications
> where the database user is the system administration account. This is a very
> bad idea.
>
> On a more abstract level, be judicious in your choice of applications. Ask
> questions and, if you don't find the answers you are looking for, move on.
> If you have the skills, you can set up a test installation and try to hack
> it yourself. I have heard of folks doing this then inviting hackers to try
> to bring it down, offering a prize for a successful attack. I don't think
> that this is a good approach for libraries <g>.
>
> Cary Gordon
> The Cherry Hill Company
> http://www.chillco.com
>
>
> -----Original Message-----
> From: web4lib-bounces at webjunction.org
> [mailto:web4lib-bounces at webjunction.org] On Behalf Of
> Genny.8215832 at bloglines.com
> Sent: Friday, May 04, 2007 7:24 PM
> To: Web4lib at webjunction.org
> Subject: [Web4lib] Web application security software
>
> Over the past couple of years we've been adding more and more web-based
> applications and scripts to our public web site. I am getting concerned
> about inadvertently opening up SQL injection vulnerabilities and other
> security holes.
>
> Anyone else looking at this topic? Did you get any kind of web application
> security scanning software?
>
> Thanks,
> Genny Engel
> gengel at sonoma.lib.ca.us
> Sonoma County Library
> www.sonomalibrary.org
> _______________________________________________
> Web4lib mailing list
> Web4lib at webjunction.org
> http://lists.webjunction.org/web4lib/
>
