News from Dec 01, 2008

Last changed: Dec 01, 2008 11:11 by Elena_Levashova
TheRegister: Denial, exposure and online security

by Jeff Williams

Web applications have huge attack surfaces. Most sites have hundreds of URLs, and each function has plenty of parameters, form fields, cookies, and headers for attackers to play with.

One simple way to make your web application more secure is to minimize your attack surface. Let's look at five simple ways to do this.

Tighten up your URL space

The first step is to lock down your webserver, application server, application configuration, and code tree to be sure that you're not supporting any URLs that you didn't expect.

Ditch those hidden fields

Hidden fields are form values that aren't displayed to the user. When the user submits a form, the hidden fields are submitted just like any other form field. Attackers can easily change hidden field values to anything they want with browser tools like TamperData or WebDeveloper. Hidden fields are frequently quite vulnerable to attack because they're often overlooked when implementing validation.
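As an added illustration of the point above (example code written for this digest, not from Williams's article): a checkout handler that trusts a hidden `price` field beside one that keeps the price on the server and treats the hidden field as unexpected input. The catalogue and form dictionaries are constructed sample data; the function and field names are assumptions.

```python
# Added example: keep order state on the server instead of round-tripping it
# through hidden form fields that the client can edit freely.

# Constructed sample catalogue (prices in cents); a real application would read
# this from its database.
CATALOGUE = {"sku-100": 2500, "sku-200": 999}


def checkout_trusting_hidden_fields(form: dict) -> int:
    """The anti-pattern: the form was rendered with
    <input type="hidden" name="price" value="2500">, and the handler
    believes whatever comes back in that field."""
    qty = int(form["qty"])
    price = int(form["price"])  # client-controlled, just like every other field
    return qty * price


def checkout_server_side(form: dict, catalogue: dict = CATALOGUE) -> int:
    """Hardened form: the client supplies only a SKU and a quantity, both
    validated against an allowlist; the price never leaves the server."""
    sku = form.get("sku", "")
    if sku not in catalogue:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in form:
        # A field the server did not ask for is a tampering signal:
        # refuse the request (and log it) rather than silently ignoring it.
        raise ValueError("unexpected parameter: price")
    return qty * catalogue[sku]
```

The hardened version also closes the validation gap the article mentions: because `price` is not an accepted field at all, there is no hidden-field validation to forget.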

Don't expose your privates

Most applications use parameters or form fields that reference data on the server by its name or ID. Attackers love to try to access unauthorized data by tampering with these "direct" references. For example, imagine a URL that references a file on the server.
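One standard defence for the file-reference case above is an indirect reference map: the page hands out per-session random tokens instead of file IDs or paths, and every access re-checks ownership. The following is an added example written for this digest (not the article's code); the `FILES` table, the user names and the function names are constructed assumptions.

```python
# Added example: indirect references plus an authorization check on every access.
import secrets


class IndirectReferenceMap:
    """Per-session map between opaque tokens and real server-side identifiers.
    Tokens are random, so a client cannot guess a reference it was never given."""

    def __init__(self) -> None:
        self._to_direct: dict[str, str] = {}
        self._to_indirect: dict[str, str] = {}

    def add(self, direct: str) -> str:
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        token = secrets.token_urlsafe(12)
        self._to_direct[token] = direct
        self._to_indirect[direct] = token
        return token

    def resolve(self, token: str):
        return self._to_direct.get(token)  # None for anything this session never issued


# Constructed sample data: file id -> (owner, path on disk).
FILES = {
    "f1": ("alice", "/srv/files/alice/report.pdf"),
    "f2": ("bob", "/srv/files/bob/payroll.xlsx"),
}


def render_file_list(user: str, session_map: IndirectReferenceMap) -> dict:
    """Builds the page for `user`: token -> display name, never id or path."""
    return {
        session_map.add(fid): path.rsplit("/", 1)[-1]
        for fid, (owner, path) in FILES.items()
        if owner == user
    }


def open_file(user: str, token: str, session_map: IndirectReferenceMap) -> str:
    """Resolves a token back to a path, refusing unknown tokens and files
    the requesting user does not own."""
    fid = session_map.resolve(token)
    if fid is None:
        raise PermissionError("unknown reference")
    owner, path = FILES[fid]
    if owner != user:  # authorize at access time, not only at listing time
        raise PermissionError("not the owner")
    return path
```

Because the token is only valid in the session that issued it, a reference copied from one user's page is meaningless in another's, and the ownership check catches the case where a token is reused within a shared or hijacked session.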

Only accept good input

There are hundreds of thousands of Unicode code points and dozens of different encodings. This creates a huge attack surface for your application.
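The practical consequence of the paragraph above is: canonicalize first, then validate against a positive allowlist. As an added example (written for this digest, not from the article), the validator below percent-decodes once, rejects input that would decode again (double encoding), folds Unicode compatibility forms with NFKC, and only then applies a strict username pattern. The pattern and the `InvalidInput` class are assumptions for the example.

```python
# Added example: canonicalize, then allowlist. The order matters: validating
# the raw bytes lets encoded or look-alike forms slip past the pattern.
import re
import unicodedata
from urllib.parse import unquote

# Positive allowlist: what a valid username looks like, nothing else.
USERNAME = re.compile(r"\A[a-z][a-z0-9_]{0,31}\Z")


class InvalidInput(ValueError):
    pass


def canonicalize(raw: str) -> str:
    """Reduces the many encodings of a value to one form before any check."""
    once = unquote(raw)
    if unquote(once) != once:
        # "%2541" decodes to "%41" and then to "A": nobody sends that honestly.
        raise InvalidInput("double encoding detected")
    # NFKC maps compatibility characters (e.g. fullwidth letters) to their base form,
    # so the allowlist below sees the character the application would act on.
    return unicodedata.normalize("NFKC", once)


def validate_username(raw: str) -> str:
    value = canonicalize(raw)
    if not USERNAME.fullmatch(value):
        raise InvalidInput("username fails allowlist")
    return value
```

Note the choice made for fullwidth input: it is normalized and accepted as its ASCII equivalent. An application that must never silently rewrite user input should instead reject any value that NFKC changes; either policy is defensible, but the check must run on the canonical form.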

Deny by default

Don't slip into thinking that as long as your web application does what it's supposed to, anything else it does is okay. Instead, think of your application as an API that you're exposing to attackers. What shows up in your users' browsers is irrelevant, since attackers can invoke any method with any parameters.
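Treating the application as an API that only does what is explicitly declared ties this point back to "tighten up your URL space" above. The dispatcher below is an added example for this digest (not code from the article): it keeps an explicit table of method, path and accepted parameters, and everything outside that table is refused. The routes, handlers and status codes are constructed for the example.

```python
# Added example: a deny-by-default dispatcher. Unknown URL -> 404,
# unknown method on a known URL -> 405, any parameter not declared -> 400.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

Response = Tuple[int, str]


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    params: FrozenSet[str]          # the complete set of parameters accepted
    handler: Callable[[dict], Response]


# Constructed handlers standing in for real application code.
def get_profile(params: dict) -> Response:
    return 200, f"profile of {params['user']}"


def post_logout(params: dict) -> Response:
    return 200, "logged out"


ROUTES = {
    ("GET", "/profile"): Route("GET", "/profile", frozenset({"user"}), get_profile),
    ("POST", "/logout"): Route("POST", "/logout", frozenset(), post_logout),
}
KNOWN_PATHS = {path for _, path in ROUTES}


def dispatch(method: str, path: str, params: dict) -> Response:
    if path not in KNOWN_PATHS:
        return 404, "not found"
    route = ROUTES.get((method, path))
    if route is None:
        return 405, "method not allowed"
    unexpected = set(params) - route.params
    if unexpected:
        # Refuse rather than ignore: a stray parameter is either a bug or probing.
        return 400, f"unexpected parameters: {sorted(unexpected)}"
    missing = route.params - set(params)
    if missing:  # in this example every declared parameter is required
        return 400, f"missing parameters: {sorted(missing)}"
    return route.handler(params)
```

The route table doubles as documentation of the real attack surface: if a URL, verb or parameter is not in it, the application does not support it, whatever the web server or framework might otherwise serve.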

Geek.com: Virtualization: A misunderstood winner for average users

by Rick Hodgin

There is a significant resistance toward embracing the concept of virtualized computers on the average user's desktop. I can tell you from personal experience that the benefits gained from virtualization are staggering on modern equipment.

While you will see a performance loss on some things, on others you will see the machine moving faster because there is no real hardware to update (just emulated drivers in software).

So, what is virtualization? Virtualization is the process of using your hardware to run a program which allows multiple operating systems to run inside of a single machine. Most people use a small-footprint install of Linux for the host along with VMware's ESX Server for the hypervisor (the thing that lets multiple operating systems run at the same time). However, Windows can also be used as the host, though it consumes more resources, leaving less for the "guest machines."

The host can be thought of as a tool which allows multiple guest operating systems to be installed. For example, when Windows and VMware are used as the host, new virtual machines are created and operate within that framework. VMware allows as many operating systems as will fit in memory to run simultaneously, though most users will only run one or two simultaneously.

While running a single virtualized OS inside of a real OS might seem silly, there are significant benefits. For one, the virtualized machine can access all of the machine's resources, including other hard drives, the sound card, etc. And whereas this could as easily be done within the single OS, the guest OS is a disk file. It can be copied, backed up, ZIP'd up and emailed, saved as a restore point, etc., and all without the difficulties of using tools outside of the host OS. In short, Windows features can be used to back up the machine as easily as copying a file.

SearchCIO: Technology innovation drives data center of the future

by Sarah Varney

Kermit the Frog was right - it's not easy being green. But it's easier than it used to be. Enterprise-sized companies, including IBM and The Coca-Cola Co., have taken the lead in making sure their IT operations are as "green" as possible. But what about the green data center of the future? What strategies are in play now to move the data center beyond green?

Analysts agree that there will be no decrease in power demands from data centers. The good news is the 15% to 30% yearly increase in operating costs that companies have been experiencing seems to be leveling off. Increasingly, companies will seek "more efficiency using the resources you have," said Greg Clark, global portfolio director, data center services at Computer Sciences Corp. "We won't see a decrease in power usage by data centers in the future. It will be more about balancing power, space, and cooling." The granular details of data center infrastructures will become increasingly important to manage that balance, Clark noted.

There's no question that CIOs at large companies are already taking steps to make the data center more energy efficient. For example, companies have instituted water-cooling capabilities where possible, deployed "cold aisle" heating and cooling methodologies, and consolidated servers using virtualization. As with smaller companies, virtualization has provided a dual benefit: lower hardware costs and lower power bills.

Posted at 01 Dec @ 11:05 AM by Elena_Levashova


Copyright 1994-2009 Sun Microsystems, Inc.