Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ISA Server and SQL Injection

from [Jan P. Monsch] Network Security [Permanent Link]
Subject: Re: ISA Server and SQL Injection
Date: Tue, 01 Mar 2005 22:36:43 +0100 
Hi there!

I have lots of discussions with customers regarding the issue of perimeter application filters. May conclusion regarding the issue is as follows:

1. Validation in the application itself is the best and most efficient way of handling code injection problems. Because the application knows about its domain but the gateway filter not. In addition the application can provide appropriate error messages for incorrect input.

2. Output validation is much better then Input validation, because most problems are related to incorrectly encoding input parameters into output. In addition proper output encoding allows to use critical characters like < > within the application. This is especially important in back-office applications.

3. Output validation should be handled in a security framework, built by a security expert. It must be implemented such that the business developer has not to worry about encoding stuff. (I know this is a ideal world szenario)

4. In may opinion validation on the gateway does only make sense if it used in a transitional way until input/output validation in the application has been implemented or it is used as a part of intrusion detection.

Regars Jan



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Preventing direct URL access in a J2EE environment, Saqib Ali
Next by Date:  eBanking Security Testing (network and application) Methodology Released, peter
Previous by Thread:  Preventing direct URL access in a J2EE environment, Kevin Conaway
Next by Thread:  Re: ISA Server and SQL Injection, christopher
Indexes:  [Date] [Thread] [Top] [All Lists]