By sathyan on Mar 06, 2009
I will be speaking at this conference. Don't miss out this exciting session on GlassFish/MySQL/NetBeans.
Risk / Mitigation Plan Synopsis

Risk: Poor selection of vendor.
Mitigation: Conduct a detailed study of vendors, including current processes, customer references, etc., rather than blindly believing the track record.

Risk: Scope creep: the scope of the project widens as new requirements are addressed.
Mitigation: A phased approach with milestones and trade-offs at various stages.

Risk: Process and quality standards incompatible with the vendor's.
Mitigation: Agreed-upon standards and processes must be part of the binding contract.

Risk: Security breach, including confidentiality, IP and trade secrets.
Mitigation: Require vendors to meet security standards and monitor them with effective auditing.

Risk: Infrastructure breakdown: a software, hardware or network failure that may or may not be directly in the vendor's control.
Mitigation: Review and approve the vendor's business continuity and disaster recovery plans. Audit data from simulated disaster drills.

Risk: Poorly designed disaster recovery systems/processes.
Mitigation: Review and approve the vendor's business continuity and disaster recovery plans. Audit data from simulated disaster drills.

Risk: Reduced employee motivation, as outsourcing is perceived as loss of jobs.
Mitigation: Establish employee retention strategies such as retention bonuses, performance maps, etc. Be sensitive to cultural issues.

Risk: Process non-alignment and differing governance models.
Mitigation: Establish compatible and agreeable processes and include them as part of the contract.

Risk: Increased labor rate as the project progresses. The vendor might try to justify the increase with reasons such as inflation or currency conversion fluctuations.
Mitigation: The binding document should contain appropriate forecasts and waivers wherever applicable.

Risk: Legal and regulatory risks.
Mitigation: Increase awareness of region-specific laws and regulations to better plan for incompatibilities and allowable trade-offs.

Risk: Non-alignment of management and reporting structure with the vendor.
Mitigation: Expect the governance model to be included in RFPs.

Risk: Lack of control over, or insight into, vendor progress.
Mitigation: Well-planned milestones and immediate deliverables, along with an appropriate documentation plan.

Risk: Country-specific issues such as differing laws and educational systems.
Mitigation: Increase awareness among all stakeholders.

Risk: Higher project transition cost.
Mitigation: Factor a detailed transition cost into the overall project cost.

Risk: Response time not within the acceptable/required limits, as the vendor is spread across time zones.
Mitigation: Flexible shifts to respect time zones and increased frequency of meetings.

Risk: The vendor's project members lack project knowledge or technology know-how.
Mitigation: Review the vendor's team selection process.

Risk: Knowledge transfer issues, such as inability to capture tacit knowledge.
Mitigation: Recorded videos, tutorials and webcasts to transfer knowledge.

Risk: Dependence on a single vendor for all outsourcing needs.
Mitigation: Core processes and deliverables designed to be loosely coupled with the vendor's technologies and processes.

Mitigation (the matching risk row is missing from the source): Increased cultural awareness through specialized trainings.
Major security forums (e.g., SysAdmin(2), the SANS Institute(3) and the Open Web Application Security Project (OWASP)(4)) do a good job of constantly updating the community, in great detail, about security threats and mitigation techniques. The following are some well-known and frequently exploited vulnerabilities that pave the way for attacks against an organization's web server.
Let us look at some simple techniques that a web server administrator can use to secure web servers.
It is important to configure web servers appropriately and not rely on the default configuration. Configured correctly, it is even possible to prevent a Denial-of-Service attack from reaching the web server. A Denial-of-Service (DoS) attack is an explicit attempt by malicious users to prevent legitimate users from using a service. Such an attack can be launched by sending continuous requests to the server for a particular web resource. Most recent web servers provide an easy mechanism to prevent such attacks. For example, Sun Java System Web Server(5) can detect a DoS attack by monitoring frequently accessed URIs and denying requests if the request frequency is considerably high. It is very easy to tweak the server to prevent Denial-of-Service attacks by configuring request limits and monitoring the maximum number of connections per virtual server.
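As an added example (not code from the original post or from Sun Java System Web Server), here is the kind of check the paragraph describes: requests for one URI from one client are counted over a sliding window and denied once the frequency exceeds a limit. The thresholds, the client identifier and the access-log lines are assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque


class UriRateLimiter:
    """Deny a (client, uri) pair once it exceeds max_hits within window_sec."""

    def __init__(self, max_hits=5, window_sec=1.0):
        self.max_hits = max_hits
        self.window_sec = window_sec
        # (client, uri) -> timestamps of recent requests, oldest first
        self._hits = defaultdict(deque)

    def allow(self, client, uri, now):
        """Return True if the request may proceed, False if it is denied."""
        q = self._hits[(client, uri)]
        # forget timestamps that have fallen out of the window
        while q and now - q[0] >= self.window_sec:
            q.popleft()
        if len(q) >= self.max_hits:
            return False  # this URI is being hit too often by this client: deny
        q.append(now)
        return True


def replay(log_lines, limiter):
    """Feed constructed access-log lines of the form 'time client uri' through
    the limiter and return a list of (uri, decision) tuples."""
    results = []
    for line in log_lines:
        t, client, uri = line.split()
        decision = "allow" if limiter.allow(client, uri, float(t)) else "deny"
        results.append((uri, decision))
    return results


# constructed sample traffic: 10.0.0.1 hammers /search, 10.0.0.2 browses normally
SAMPLE_LOG = [
    "0.00 10.0.0.1 /search", "0.10 10.0.0.1 /search", "0.20 10.0.0.1 /search",
    "0.30 10.0.0.1 /search", "0.40 10.0.0.1 /search", "0.50 10.0.0.1 /search",
    "0.60 10.0.0.2 /index.html", "1.55 10.0.0.1 /search",
]

if __name__ == "__main__":
    for uri, decision in replay(SAMPLE_LOG, UriRateLimiter()):
        print(decision, uri)
```

The sixth request for /search within one second is denied, while the other client is unaffected and the first client is allowed again once its earlier hits age out of the window.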
The more information web servers provide about themselves to the outside world, the more vulnerable they are to attack. Hackers are always looking for information to exploit vulnerabilities. HTTP response headers are information sent from a web server to its client applications (predominantly a web browser). A poorly configured web server might reveal information such as the web server version and the operating system name and version. Web server software, like other software products, has bugs, and usually the vendors publicly alert their users of such bugs and strongly encourage them to apply fixes/patches to resolve them. If the version of the web server and the operating system it runs on is known to a hacker, it is easy to find open bugs/vulnerabilities on the vendor's site and base an attack on them. Freely available programs such as websniffer(6) reveal HTTP response header information. Below is a sample output gathered from the hotmail.com web site where the web server version is visible.
Vendors do not turn off such header information by default, as it benefits statistical companies such as Netcraft that gather data, but there are documented ways an administrator can use to turn it off. As an administrator it is important to follow such post-installation configuration to make the web server more secure.
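The following added example (not part of the original post, and not the websniffer tool it mentions) audits a raw HTTP response for the disclosing headers the text describes and shows what the hardened response looks like after the post-installation configuration. The response and the product names in it are constructed for the demo; the list of disclosing header names is an assumption.

```python
import re

# header names that commonly name the platform; the list is an assumption
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # matches "1.2.3", "6.0", ...

# constructed response for the demo; product names are invented
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "X-Powered-By: ExampleFramework/4.5\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_disclosures(raw):
    """Return (header, value, carries_version) for each header naming the platform."""
    _, headers, _ = parse_response(raw)
    return [(n.lower(), v, bool(VERSION_RE.search(v)))
            for n, v in headers if n.lower() in DISCLOSING_HEADERS]


def harden(raw):
    """Rewrite the response the way a post-install configuration would:
    keep only a bare product name in Server and drop the other platform headers."""
    status, headers, body = parse_response(raw)
    kept = []
    for name, value in headers:
        key = name.lower()
        if key == "server":
            kept.append((name, value.split("/")[0]))  # product name without version
        elif key in DISCLOSING_HEADERS:
            continue  # X-Powered-By and similar headers are removed entirely
        else:
            kept.append((name, value))
    return status + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in kept) + "\r\n\r\n" + body


if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print("disclosed:", finding)
    print(harden(SAMPLE_RESPONSE))
```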
Search engines penetrate deep into web servers while preparing their index databases. Popular ones such as Google use sophisticated queries to gather more information about a web site, and unfortunately hackers leverage the same mechanism. It is quite easy for an average surfer to peek into other people's web sites using the search engine's own query features. This type of attack is very simple to execute but can cause severe damage.(7) Such search-engine-based attacks are collectively called "Google hacking", since the popular search engine Google is the one most often used. Network printers, VNCs and automated cameras are some of the common targets of such attacks by average surfers. To avoid such attacks, an administrator should configure the "robots.txt" file correctly to keep search engines away from confidential and sensitive information; note that robots.txt only instructs well-behaved crawlers, so sensitive content must still be protected by access controls. If a page has already been picked up by Google and cached, then tools such as Google's automatic URL removal system(8) should be used. Google also provides other options for removing such information(9).
on the web server with appropriate authorities to prevent URL manipulation attacks.
that come with the web server installation. Most such tools do not follow the same security standard as the web server, and hackers often exploit the server through them. Some of the scripts that are part of the samples are often used by hackers to stage an attack.
It is important to stay up to date with the vendor on fixes for bugs in the web server. Wherever possible this process should be automated. Good auditing tools (such as showrev on Solaris(10)) come in handy to detect the status of the system.
Parameter Manipulation is a simple technique hackers use to exploit vulnerabilities in web applications and cause severe damage. The technique modifies data that is being sent from a web browser to a web server. Hackers modify the values of form fields, cookies, URL query strings and HTTP headers to their advantage. It is important for the web application developer to understand these sources of attack and to build preventive mechanisms into the application's design and development.
This is the easiest attack that can be performed on a poorly designed/written web application. The functionality provided by almost all web browsers on the market, the ability to read the HTML source, is misused by hackers to their advantage. HTML forms use visible and hidden form fields to accept user input and pass it to the web server. Hidden form fields serve the purpose of hiding values from users and are most often used by web developers to conveniently store local variables required by the application. This is a very bad design, as the attacker can simply read the page source, find the hidden field and manipulate its value before sending it to the server.
Mitigation Techniques: Hidden form fields should be avoided and their usage replaced by session variables where possible. Another approach is to encrypt and decrypt the values to be hidden programmatically on the browser and server side respectively, using a well-known mechanism such as MD5 (MD5 is a one-way hash rather than a reversible cipher, so the server must still validate whatever comes back from the client).
HTTP, the protocol used widely on the internet, is stateless, meaning that by itself it cannot support a conversational style of communication. Cookies are used to achieve this: they store data, either temporarily for a session or permanently, depending on the application's needs. Tools such as WinHex(12) can modify the locally stored data. The following example shows a simple modification that can fool a poorly written web application into executing with "administrator" rights. "Cookie: lang=en-us; ADMIN=no; lvar=1 ;" can easily be modified to "Cookie: lang=en-us; ADMIN=Yes; lvar=1 ;".
Mitigation Techniques: Cookies should be avoided to the extent possible and replaced with session variables. In cases where cookies need to be used, they should be encrypted and validated against session information stored on the server side.
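One way to implement the mitigations given above for both hidden form fields and cookies, as an added example that is not code from the original post: the privilege decision lives in a server-side session keyed by an opaque id, so an "ADMIN=Yes" edited into the cookie header is simply ignored, and any value that must travel to the client carries an HMAC tag so tampering is detected. The session store, the secret key and the cookie layout are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"demo-secret-do-not-reuse"  # constructed; a real key is generated and kept private
_sessions = {}                             # session id -> attributes held only on the server


def create_session(username, admin):
    """Store the privilege decision server-side and hand the client only an opaque id."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": username, "admin": admin}
    return sid


def parse_cookies(cookie_header):
    """Turn 'Cookie: lang=en-us; ADMIN=no; lvar=1 ;' into {'lang': 'en-us', ...}."""
    if cookie_header.startswith("Cookie:"):
        cookie_header = cookie_header.split(":", 1)[1]
    out = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def is_admin(cookie_header):
    """Decide ADMIN from the server-side session; any ADMIN=... the client sent is ignored."""
    cookies = parse_cookies(cookie_header)
    sess = _sessions.get(cookies.get("sid", ""))
    return bool(sess and sess["admin"])


def sign_value(value):
    """For a value that must sit in a hidden field or cookie: append an HMAC tag."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed):
    """Return the value if its tag is intact, or None if it was altered on the client."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    sid = create_session("alice", admin=False)
    # the client edits ADMIN=no to ADMIN=Yes, as in the text; the server does not care
    print(is_admin(f"Cookie: lang=en-us; ADMIN=Yes; sid={sid} ;"))
    signed = sign_value("no")
    print(verify_value(signed), verify_value("Yes." + signed.split(".", 1)[1]))
```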
HTTP headers hold control information for an HTTP request coming from a web client to a web server. Though it is not easy to modify the headers, hackers sometimes make programmatic alterations to them, often to take control of the web site or as a precursor to other manipulation attacks. One of the fields in the HTTP header that is known to get altered is the REFERER field. Simple tools such as modifyheaders(13) make the hacker's job easy.
Mitigation Techniques: As a web application developer, never rely on REFERER field.
HTML forms are submitted to the server using one of the GET or POST HTTP methods. When GET is used, the parameters and values passed to the server are appended to the URL. This enables malicious users to modify the URL and alter the parameter values to their advantage to orchestrate an attack.
Cross-site scripting (XSS) attacks are enabled by vulnerabilities in web applications wherein malicious code (HTML or a client-side script) can be injected to carry out the attack. The most common goal of an XSS attack is to bypass access controls. Generally another script or executable is invoked as part of the malicious code to cause damage.
Mitigation Techniques: Simple programming techniques such as filtering out dangerous characters as part of input validation will help. XSS vulnerability scanners come in handy during the development of such web applications.
SQL Injection attacks are carried out by injecting SQL strings to access the database through web applications. This is an easy attack to carry out if the target application dynamically creates SQL queries from user-entered parameters that are not validated. For example, a basic HTML form might have two input fields to allow users to log in to a web site with a username and password. If the database query that looks up the information relies on the user's input for its variables, without validating that input, the database can be compromised by adding a string to the password input field. For example, the query "SELECT * FROM Users WHERE UserName = '" + txtuid.Text + "'" that is hardcoded in the web application can easily be altered, as txtuid is a user-input value. The modification could be changes to the parameter values to cause destruction, or destructive SQL command(s) appended to the end of the query string through malicious input field values.
It is also important to test the application during development using automatic SQL injection tools. For example, SQLMap(14) is one such automatic blind SQL injection tool; SQLNinja(15) is another.
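To make the concatenation problem above concrete, here is an added example (not the post's own code, which is a C# fragment) that builds the login lookup both ways against an in-memory SQLite table: once by pasting user input into the SQL text as in the post's snippet, and once as a parameterised query where the driver binds the values. The table, the users and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed Users table mirroring the post's example schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """The post's pattern: user input becomes part of the SQL text itself."""
    sql = ("SELECT * FROM Users WHERE UserName = '" + username +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Same lookup with bound parameters: input can never change the query's shape."""
    sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def check_both(username, password):
    """Return (rows from the vulnerable query, rows from the parameterised query)."""
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"  # malformed injected SQL surfaces as a DB error
    return vulnerable, login_parameterised(conn, username, password)


if __name__ == "__main__":
    print(check_both("alice", "s3cret"))
    # the kind of string the text warns about: the password field turns the
    # WHERE clause into a tautology, so the vulnerable query returns every row
    print(check_both("alice", "' OR '1'='1"))
```

The parameterised version returns no rows for the injected password because the whole string is compared as a literal value, which is exactly the validation boundary the concatenated version lacks.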
1). Never trust input, especially user input; always validate input.
2). Do not make security decisions based on parameters accessible on the client side.
3). Follow well-established and tested security standards.
4). Use scanning tools: most parameter manipulation attacks can be prevented if developers use scanning tools. Many scanning tools are available to identify such vulnerabilities during the web application development period itself. Leveraging such tools, combined with awareness and intelligent coding, would prevent most parameter manipulation attacks. Some of the popular web application scanners are listed here:
1). Scando web application scanner from Kavado
2). WebInspect from SPI Dynamics
3). Web Vulnerability Scanner from Acunetix
4). AppScan from Watchfire
A refresh of "GlassFish V3 Technology Preview 2 Application Server" bundle is available now for download. More information on the preview is available here.
The installation program of this refresh bundle, developed using OpenInstaller, has a graphical user interface. This distribution is available as a download in addition to a platform-independent zip file. The installer is available as a self-extracting executable on all of the supported platforms (Windows, Unix).
Please follow the installation instructions under https://glassfish.dev.java.net/downloads/install/v3-preview2.html.
Also make sure that you register the product when prompted by the installer. Registering your installation gives you access to the latest information on product patches and bug updates, very useful screencasts and tutorials covering the various technologies that are part of GlassFish, and product support offerings.
Attached are some of the screen shots taken out of the installer run.
I will soon be writing/sharing with you my thoughts on different areas such as databases, security, servers (app/web), product marketing, IT policies, knowledge management, and interesting analysis of strategic paths that some companies have adopted. Please visit back soon and I hope I can entertain you.
"The more you share, the more you learn.".
"Sun Java System Application Server 9.1 Update 1 with MySQL Community Server" bundle is available now for download.
GlassFish is the name for the open source development project for building a Java EE 5 application server. Visit https://glassfish.dev.java.net/ for more info.
MySQL is the world's most popular open source database software, with over 100 million copies of its software downloaded or distributed throughout its history. Visit http://www.mysql.com/ for more info.
I was the Engineering Lead for this exciting project that provides a distribution of GlassFish V2 U1 with MySQL Community Server 5.0.
Look for items titled "Start MySQL 5.0 Database" and "Stop MySQL 5.0 Database".
There are many people to thank for their support and help at various stages of this project, which had an aggressive schedule.
Anil Gaur, Abhijit Kumar and Eduardo Pelegri-Llopart for their support throughout this project, Carla Carlson for Program Management, Alex Pineda and his group for testing, Steve Carusso and his team for ensuring Compatibility, Carolyn Wong for all her help in hosting the bundle, Terena Chinn-Fuji for Release Engineering, Chinmay Srivatsava for providing documentation, Sreenivas Munnangi for verifying samples integration with this bundle and many others.
If you have a Mac or Macs (actually I have two :-)), then try the following keys (at your own risk :-)).
Want to know how GlassFish/Sun Java System Application Server can be installed on Solaris zones? Having issues setting up the installation environment for such scenarios? Please look at my latest article on Installing GlassFish on Solaris Zones.
There are many distributions of Sun Java System Application Server built on top of GlassFish. Here is a list of them. This list applies only to the current version of GlassFish (V2) and Sun Java System Application Server 9.1.
Please visit http://java.sun.com/javaee/downloads/index.jsp for more information
Except for the ant-based GlassFish installers, all other installers are patchable and upgradeable.
For file-based installation, an in-place binary upgrade means installing a full distribution on top of an existing install base.
The installer is designed to take care of this. Upgrade and patching are currently not tested on SDK installers. Though the "Sun Java System Application Server" component of the SDK installers supports upgrade/patching, other components included in these distributions may or may not support it for each particular release.
For native package-based installers, binary upgrades are handled through the installer, and patches are handled through native patching wherever possible.
Application upgrade (domain upgrade) for all of the above installers is handled through the upgrade tool bundled and installed as part of the product binaries.
I came across this blog entry http://blogs.sun.com/sundararajan/entry/my_son_s_windows_magic. I have observed this + interestingly one can also use "ctrl + alt + right arrow key" and "ctrl + alt + left arrow key" to rotate the whole desktop view :-)
The GlassFish installer does not currently support this. However, the command line to do this is pretty simple, except for the number of slashes to worry about (a real head-scratcher).
Here is an utility that automates this.
BTW, this is automated as part of Sun Java System Application Server 9.x Platform Edition installation.