[Web4lib] Web application security software

Cary Gordon listuser at chillco.com
Mon May 7 18:41:58 EDT 2007


This would be great, if it existed. Unfortunately, the nature of Web
application vulnerabilities makes this kind of tool effectively impractical.
Unlike scripted hacking, SQL injection attacks are usually a hands on
activity.

Assuming that you are not writing these applications yourself, there are two
approaches to protecting yourself and your users. The first thing to do is
isolate online applications so that even if they are successfully hacked,
they can't bring down your system or expose confidential data. You can do
this by establishing a separate database for each application, then creating
a database user who only has rights to perform the operations that are
required for the application. Only give the user write privileges for the
tables that they need to write to. The user you create should have no
privileges in other databases.

It is absolutely amazing to me that folks still set up online applications
where the database user is the system administration account. This is a very
bad idea.

On a more abstract level, be judicious in your choice of applications. Ask
questions and, if you don't find the answers you are looking for, move on.
If you have the skills, you can set up a test installation and try to hack
it yourself. I have heard of folks doing this then inviting hackers to try
to bring it down, offering a prize for a successful attack. I don't think
that this is a good approach for libraries <g>.

Cary Gordon
The Cherry Hill Company
http://www.chillco.com


-----Original Message-----
From: web4lib-bounces at webjunction.org
[mailto:web4lib-bounces at webjunction.org] On Behalf Of
Genny.8215832 at bloglines.com
Sent: Friday, May 04, 2007 7:24 PM
To: Web4lib at webjunction.org
Subject: [Web4lib] Web application security software

Over the past couple of years we've been adding more and more web-based
applications and scripts to our public web site.  I am getting concerned
about inadvertently opening up SQL injection vulnerabilities and other
security holes.

Anyone else looking at this topic? Did you get any kind of web application
security scanning software?

Thanks,
Genny Engel
gengel at sonoma.lib.ca.us
Sonoma County Library
www.sonomalibrary.org
_______________________________________________
Web4lib mailing list
Web4lib at webjunction.org
http://lists.webjunction.org/web4lib/
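The database-isolation advice in Cary Gordon's reply above, worked through as SQL. This is an added example, not code from either message; it assumes MySQL/MariaDB syntax, and the database, table and account names (library_events, registrations, events_app, patrons) are hypothetical.

```sql
-- Assumed MySQL/MariaDB dialect. All names below are hypothetical examples.

-- BAD (the pattern Cary describes as "absolutely amazing"): the web
-- application connects as the administrative account, e.g. in PHP
--   new PDO('mysql:host=localhost;dbname=library_events', 'root', '...')
-- so any injected statement runs with full server privileges and
--   '; DROP DATABASE patrons; --
-- succeeds.

-- GOOD, step 1: one database per application, so a compromise of this
-- application cannot reach data that belongs to another one.
CREATE DATABASE library_events;

-- Step 2: a dedicated account for this application only, reachable
-- solely from the host the web server runs on (no wildcard '%').
CREATE USER 'events_app'@'localhost'
  IDENTIFIED BY 'replace-with-a-long-random-secret';

-- Step 3: read access to the tables the application has to display.
GRANT SELECT ON library_events.* TO 'events_app'@'localhost';

-- Step 4: write access only on the tables the application really writes.
-- Here it records sign-ups but never edits the event catalogue itself,
-- so the catalogue tables stay read-only for this account.
GRANT INSERT, UPDATE ON library_events.registrations
  TO 'events_app'@'localhost';

-- Deliberately NOT granted: DELETE, DROP, ALTER, CREATE, FILE, GRANT
-- OPTION, any global privilege, and anything at all on other databases
-- (patrons, mysql, ...). The account has no privileges outside
-- library_events, exactly as the post recommends.

-- Check the result. The output should list only USAGE, the SELECT grant
-- on library_events.* and the INSERT, UPDATE grant on registrations.
SHOW GRANTS FOR 'events_app'@'localhost';

-- What an injected payload can now do, connected as events_app:
--   SELECT * FROM library_events.events;        -- allowed (read-only use)
--   INSERT INTO library_events.registrations ... -- allowed (the app's job)
--   DROP TABLE library_events.registrations;     -- refused: DROP not granted
--   UPDATE library_events.events SET ...;        -- refused: write not granted
--   SELECT * FROM patrons.cardholders;           -- refused: other database
--   SELECT user, authentication_string FROM mysql.user;  -- refused
-- Each refused statement fails with a "command denied to user" error
-- instead of executing, which is the containment the post is after.
```

The same GRANT verbs (SELECT, INSERT, UPDATE) work in PostgreSQL with a per-application role, so the pattern carries over. Re-run SHOW GRANTS after every application upgrade: installers sometimes ask for the administrative account and quietly widen the grants.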