Overview
In keeping with our transparent approach to sharing knowledge, Corsaire invest time into writing white papers in order to help share best-practice principles and proven information security techniques with the wider community. This section includes a selection of our latest white papers that have been placed in the public domain. Further papers are available to our clients.
The whitepapers held in this section are intended for a technical audience.
Assessing Java clients with the BeanShell
By Stephen de Vries, August 16, 2006
Assessing the security of Java applications, and particularly client-server applications, can be a tedious process of modifying the code, compiling, deploying, testing and repeat. This becomes even more difficult when the source code to the application is not available. What we require is an easy means of interacting with the internals of a Java application during execution without recompiling the code. The BeanShell (http://www.beanshell.org) provides an interpreted, scripting environment that can plug in to any Java application or applet and allows users to inspect and manipulate objects dynamically. This paper demonstrates a technique for using the BeanShell to assess the security of a typical Java client-server application.
Security Testing Applications through Automated Software Tests
By Stephen de Vries, May 31, 2006
Testing software during the development phase has become an important part of the development lifecycle and is key to the agile methodologies. Code quality and maintainability is increased by adopting an integrated testing strategy that stresses unit tests, integration tests and acceptance tests throughout the project. But these tests are typically only focused on the functional requirements of the application, and rarely include security tests. Implementing security in the unit testing cycle means investing more in developer awareness of security and how to test for security issues, and less in specialised external resources. This is a long-term investment that can vastly improve the overall quality of software, and reduce the number of vulnerabilities in web applications, and consequently, the associated risks.
A Modular Approach to Data Validation in Web Applications
By Stephen de Vries, January 16, 2006
Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough data validation in modern web applications so that the benefits of modular component based design; extensibility, portability and re-use, can be realised. It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits of a number of common data validation methodologies. Finally, a modular approach is introduced together with practical examples of how to implement such a scheme in a web application.
Securing Mac OS X 10.4 Tiger
By Stephen de Vries, August 19, 2005 (updated May 17, 2006)
This guide is an updated version of the guide for Securing Mac OS X (10.3) Panther and covers the new security features offered by Tiger as well as incorporating additional security guidelines that were omitted in the original guide.
Securing Mac OS X 10.3 Panther
By Stephen de Vries, June 22, 2004
Mac OS X (10.3) provides many built in security features that, when fully utilised, can greatly reduce the risk of a security incident. OS X is one of the most secure default installations when compared to other operating system. The install follows the accepted best practice of disabling all network services unless explicitly enabled. The default security settings should suit the needs of most users in a workstation setting. This guide is aimed at users in environments requiring stronger security controls in an operating system, making full use of the protection features offered in OS X. It would also be of use to system administrators wishing to enforce an organisation wide desktop security policy for Mac OS X.
Secure Development Framework
By Glyn Geoghegan, April 5, 2004
This paper deals with developing a secure framework, both for internal and outsourced development. Within this context, secure development is considered to be the process of producing reliable, stable, bug and vulnerability free software. This paper focuses on why a secure development framework is needed, touches on its benefits and provides an overview of how organisations can implement such strategies successfully. A simple software development model is used as an example in the paper, but the theories are expected to be developed and adapted to suit the specific methodologies and goals of any environment.
Cookie Path Best Practice
By Martin O'Neal, April 5, 2004
Cookies provide a method for creating a stateful HTTP session and their recommended use is formally defined within RFC2965 and BCP44. Although they are used for many purposes, they are often used to maintain a Session ID (SID), through which an individual user can be identified throughout their interaction with the site. For a site that requires authentication, this SID is typically passed to the user after they have authenticated and effectively maintains the authentication state. If an attacker can use a mechanism (such as sniffing or cross site scripting) to gain access to the SID, then potentially they can incorporate it within their own session to successfully assume the users identity.
Application Level DoS Attacks
By Stephen de Vries, April 1, 2004
Denial of Services (DoS) attacks aimed at disrupting network services range from simple bandwidth exhaustion attacks and those targeted at flaws in commercial software to complex distributed attacks exploiting specific COTS software flaws. These types of attack are not new and have been used to devastating effect to prevent normal operation of the victim sites. Historically, these attacks by hacktivists and extortionists alike have targeted companies as diverse as eBay and Microsoft, the RIAA and SCO, and a plethora of online gambling companies. Attackers have not, as yet, exploited the full range of vulnerabilities present in many online services - particularly attacks aimed at the application and data processing layer. With the rise of increasingly targeted and motivated attacks and attackers, these application level DoS attacks will inevitably be exploited for nefarious gains.
Surviving DDoS Attacks
By Stephen de Vries, February 11, 2004
Distributed denial of service (DDoS) attacks aim to disrupt the service of information systems by overwhelming the processing capacity of systems or by flooding the network bandwidth of the targeted business. Recently, these attacks have been used to deny service to commercial web sites that rely on a constant Internet presence for their business. The attacks differ from traditional DDoS attacks in the targeted nature and shear number of attacking hosts. Even hardened Internet companies such as the SCO group and Microsoft are not immune to attack, and historically high-profile e-tailers such as eBay have had their services disrupted. The threat from the latest attacks has become greater due to the political and financial agendas of those instigating them, particularly the involvement of international organised crime in protection extortion attempts. There is no simple solution to mitigate the risk of these attacks, but there are strategies that can help minimize the impact of a large-scale attack.
