Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web-based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are
Over the last few years, vulnerabilities in web applications have been the biggest threat in information technology (IT) environments (Modsecurity, 2011). According to the Open Source Vulnerability Database (OSVDB), web application threats accounted for almost fifty percent of all vulnerabilities in 2010 (HP DVlabs, 2010).
It has been suggested that Microsoft server software is more likely to be attacked than Linux (Broersma, 2005) due to perceived insecurities within these systems. Previous research has focused on investigating the attack trends against the underlying operating system as a whole (Honeynet Project & Research Alliance, 2005b, 2005a).
In the application security industry, one of the hardest elements to communicate to customers is the need for building secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard for secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify securing public-facing sites that only offer open-record information. The main cause of this is a lack of understanding of the associated risk.
This paper will cover the concept of a Reverse Proxy by defining what it is and how it differs from a forward proxy. We will cover the benefits and drawbacks of using this technology as a part of our network infrastructure, along with the security advantages and possible risks.
Internet users all over the world are using web-based systems to manage important data such as bank account and healthcare information. Users assume that these systems are securely designed, but many web applications have severe security flaws that allow simple attacks to succeed.
Web servers are open to many threats just by the nature of their exposure to the Internet. Although the inherent security built into web server products is improving, adding unique layers to the security design proves to be successful in almost any implementation.
It is all over the news: web based attacks are climbing, month over month, year over year. At the same time companies are attempting to combat such attacks, attackers are devising new methods to infiltrate systems. In the event you were on a reality show for the last few years and missed the latest news, just take a glance at these alarming statistic
This paper discusses how these requirements are met, primarily looking at how users are authenticated and login sessions maintained. We start by looking at the existing security measures for the basic website. Then we look at the various options for authenticating users in general, concluding that passwords are the only viable option.
Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino.
This document discusses several web authentication security techniques: Digest Authentication, Database Authentication, Anonymous Authentication, and N-Tier Authentication, used to provide web browser clients access to the file systems on their host computers.
The premise of this paper is to review various ways of protecting web servers from unknown attacks over port 80. The author examines the technology, explains why it is effective, and identifies areas where further diligence is required.
This paper will attempt to address what time and again is a problem for network and security administrators: monitoring user access to the Internet in an environment where blocking resources may not be ideal, cost effective, or in accordance with company policy.
The purpose of this paper is to provide systems administrators with a high-level overview of some of the major security considerations surrounding web applications that utilize Microsoft's Internet Information Server, SQL Server and Component Object Model (COM+), as well as links to in-depth technical information that expands upon the high-level topics discussed here. The author also discusses considerations for writing secure code, implementing secure DNS services, and packet filtering/proxy configurations, and explores the need for more interaction between systems administrators and development staff during the initial planning and design phases of the development cycle.
This paper examines securing two aspects of web applications (scripting language and application code) by focusing on ColdFusion (CF): default installation, two-step attacks, remote development, security holes in the code, and input encryption, which are the major issues in most web applications.
Outlined in this paper are steps for securing an Internet Information Server; these steps provided enough security to have protected many systems from the outbreak of the CodeRed worm and may have helped prevent the spread of the Nimda worm, two of the most widespread worms to have affected IIS systems.
Instructions on the IISlockdown tool, including common exploits against IIS servers, best practices for installing the IISlockdown tool, and information on tools used to test the server following the installation.