WebApp Sec mailing list archives
OWASP Columns
From: Mark Curphey <mark () curphey com>
Date: Thu, 25 Sep 2003 10:50:21 -0400 (EST)
I just wanted to let you all know that two great new articles are now online in the OWASP columns. http://www.owasp.org

We had some hardware problems last weekend that meant the site was down for 3 days. We think it is solved although we still need to find reliable free, secure hosting in the long term. Our apologies if you couldn't get to the site.

There Is More to Securing Web Services Systems Than WS-Security

This column is about securing systems that are implemented in the Web services paradigm. The scope of this topic is huge and the issues are complex. Further complicating the problem is the fact that we are still very, very early in the life of the paradigm and most of the detail has yet to be worked out. However, since this is an evolutionary paradigm, even if we don't yet have all the specifics, we do know what the general classes of problems are . . . and where to look for them.

So for now, in this column, we will be looking at the kinds of controls that will need to be implemented in order to secure systems that are built around Web services. We will focus on issues at the macro level here; there are some problems that exist independently of the choice of Web server, application server, authentication mechanism, etc. These issues, if not addressed, will result in exposed systems, no matter how well the WS* standards are implemented, whether secure programming techniques were employed or how well the rest of the system is done.

Read the full article here http://www.owasp.org/columns/gcapehart/georgecapehart1

IIS Security by Joe Lima

The subject of this new column, IIS Security, is bound to occasion some chuckling in the server room. More than one sys admin will read it and think: "IIS Security -- isn't that a contradiction in terms?" It is possible to achieve and maintain an adequate level of security for Internet Information Services (IIS), Microsoft's Web server platform. If I didn't think this, I wouldn't have agreed to write a regular column on the topic.

This is not to say that IIS security is a trivial task. There are plenty of challenges involved in making and keeping any Web server secure. Hence this column, which I hope will be a useful place for anyone interested in the topic to catch up on Microsoft IIS security fundamentals, keep abreast of the latest issues, and anticipate future challenges.

Having said that, there is no denying that IIS has not always been as secure (or securable) as it needed to be, has become, and is becoming. That is where the reputation comes from, making the phrase "IIS Security" a source of potential amusement for harried sys admins. On balance, IIS' reputation has long since outrun reality here, but that reputation is fed by a real legacy of sub-par security. To inaugurate this column, we will take a hard look at the sources of IIS' legacy of insecurity, the reasons for its persistence, and the way progress against this perception has been made.

Read the full article here http://www.owasp.org/columns/jlima/joelima1