
Attack Detection and Remediation with RIAs

First off, what is an RIA? RIA stands for Rich Internet Application, and it is the term used for all web 2.0 style frameworks and technologies, encompassing frameworks like Dojo and Appcelerator.

Many security experts have gone into great detail outlining how RIAs and AJAX-based applications can be insecure, or presenting new ways to use old attacks against these applications. However, I have not seen anyone attempt to find a positive security aspect of RIAs. In this article I will outline one way that the rise of RIAs can be leveraged to provide a more secure website.

Requiring JavaScript in order to use RIAs or AJAX-enabled websites is quickly becoming an Internet standard. A small portion of users still refuse to run JavaScript because of security risks, but this will probably go the way of cookie disabling in the 90s. Since JavaScript is becoming a standard, requiring that it be enabled is becoming more feasible.

With JavaScript required, RIAs offer an interesting opportunity to detect attacks more accurately. Frameworks like Appcelerator have built-in validators, but as we all know, JavaScript validators can be bypassed. This is why all developers must use server-side validation. Coupling client-side and server-side validation presents the opportunity for a web application to do more complex attack detection and remediation.

By exactly matching the client-side and server-side validation mechanisms, we can accurately tell if someone is attacking an input. Here is how. Say that we have built a new site using PHP and Appcelerator. Appcelerator has built-in client-side validation of fields, such as checking for a valid email address using a regex. This provides the immediate error feedback via JavaScript that users love. For the server-side validation we use the exact same regex. Knowing that the server-side and client-side validation is exactly the same, and that JavaScript is required to use the website, we now know that if the server receives a request that doesn't match the regex then our JavaScript was bypassed.

Let's look at an example. A user visits the site with JavaScript enabled and therefore receives any error flags on the client side. The user types an attack into a username field and receives an error letting them know that this is not valid data. The next step is either to disable JavaScript or to use a proxy to change the request. Since the site doesn't render without JavaScript, the user uses a proxy. On the next attack, your server-side validation receives a request that doesn't meet the regex, and it can be assumed to be an attack.

The core fact to keep in mind is that RIAs require JavaScript to use the site. Therefore, if JavaScript is disabled, the user will not be allowed to use the site or will be redirected.

The next step is to log attacks and execute remediation in real time. Since inputs are validated at two layers, an attack that reaches the bottom layer is less likely to be a false positive, and so it receives a higher certainty value. The attack certainty values can then be stored with the corresponding IP address for calculations. In my live testing I used a cron script to run calculations on the attacking IP address and then block the IP once it met a certain attack threshold.

The key to this system is how attack metrics are assigned. Say, for instance, your site uses an RIA but also allows people without JavaScript to browse. In that case the system would detect that JavaScript was disabled and lower the attack certainty value accordingly. Adding other security systems such as PHP-IDS would result in a greater level of attack detection. These two systems coupled together will provide enormous insight into how many times your site is being attacked and how.
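The scheme described above (a single validation rule shared by client and server, a certainty value for server-side failures that is lowered when JavaScript was not running, and a per-IP tally that blocks once a threshold is met) as an added example in plain Node.js. This is not code from the original post or from the Appcelerator framework; the rule set, the certainty values, the threshold, the `jsEnabled` flag (assumed here to come from a hidden field the client script fills in) and the sample requests are all constructed for this example.

```javascript
// Added example, not code from the original post or from the Appcelerator
// framework. It models the post's scheme in plain Node.js: one validation rule
// is shared by the client and the server, a server-side failure of that rule
// earns a certainty score, and scores are tallied per IP until a threshold
// triggers a block. All names, thresholds and sample requests are constructed.

// Single source of truth for the validation rules. Both sides load this object,
// so the server and the browser can never disagree about what is valid.
const RULES = {
  username: /^[a-z0-9_]{3,16}$/i,
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
};

// What the browser runs before submitting a form (the immediate feedback).
function validateClient(field, value) {
  const rule = RULES[field];
  return rule !== undefined && rule.test(String(value));
}

// Certainty assigned when a field fails the shared rule on the server.
// With JavaScript required, the client check must have been bypassed, so the
// event is scored high. If the site also accepts non-JS visitors, a plain form
// post never ran the client check, so the same failure is scored lower.
const CERTAINTY = { bypassed: 90, noScript: 30 };

// Score one request. `req.jsEnabled` stands in for however the application
// detects that its JavaScript ran (assumed here: a hidden field the client
// script fills in). Fields without a shared rule are ignored, not scored.
function scoreRequest(req) {
  let score = 0;
  for (const [field, value] of Object.entries(req.fields)) {
    const rule = RULES[field];
    if (rule === undefined) continue;
    if (!rule.test(String(value))) {
      score += req.jsEnabled ? CERTAINTY.bypassed : CERTAINTY.noScript;
    }
  }
  return score;
}

// In-memory stand-in for the post's "store certainty values with the IP" table
// and for the cron job that sums them and blocks IPs over the threshold.
class AttackTracker {
  constructor(threshold) {
    this.threshold = threshold;
    this.totals = new Map(); // ip -> accumulated certainty
    this.blocked = new Set();
  }

  // Called for every request that touches a validated field; returns the score.
  record(req) {
    const score = scoreRequest(req);
    if (score > 0) {
      this.totals.set(req.ip, (this.totals.get(req.ip) || 0) + score);
    }
    return score;
  }

  // The cron-style pass: promote any IP at or over the threshold to blocked.
  sweep() {
    for (const [ip, total] of this.totals) {
      if (total >= this.threshold) this.blocked.add(ip);
    }
    return [...this.blocked].sort();
  }
}

// Constructed sample traffic. 10.0.0.2 sends two malformed fields while
// reporting JavaScript enabled (the client check was bypassed twice);
// 10.0.0.3 sends one malformed field from a client without JavaScript.
const SAMPLE_REQUESTS = [
  { ip: "10.0.0.1", jsEnabled: true, fields: { username: "alice", email: "alice@example.com" } },
  { ip: "10.0.0.2", jsEnabled: true, fields: { username: "bob<>&" } },
  { ip: "10.0.0.2", jsEnabled: true, fields: { email: "not-an-email" } },
  { ip: "10.0.0.3", jsEnabled: false, fields: { username: "carol<>" } },
];

// Run the sample through a tracker and return the sorted list of blocked IPs.
function runSample(threshold = 150) {
  const tracker = new AttackTracker(threshold);
  for (const req of SAMPLE_REQUESTS) tracker.record(req);
  return tracker.sweep();
}

console.log("blocked:", runSample().join(", ")); // prints blocked: 10.0.0.2
```

Two caveats worth keeping in mind when doing this for real. The post's "exact same regex" only holds if the pattern uses features that behave identically in the browser's engine and in the server's (PHP's PCRE and JavaScript regexes differ on some syntax), so keep the shared rules to the common subset and test both sides against the same fixtures. And whatever signal the server uses to decide that JavaScript ran is itself client-supplied, which is exactly why the post scores it as a certainty value to be accumulated and reviewed rather than as a single-request verdict.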


Thursday, November 13th, 2008 security

BarCamp Atlanta 2 – The Final Hours

The final hours of BarCamp were a testament to how much everyone wanted to share knowledge and learn from each other. Everyone was tired, some hung over, and many just waiting to go home and pass out for a day or two. Either way, here is an overview of the last sessions that I attended.

After lunch I attended Russell Journey and Loren Norman's overview of Amazon Web Services. We received a quick overview of Amazon EC2 and then talked about when to make the switch from your standard hosting environment. The consensus seemed to be that you never actually make the switch. EC2 and other services are really built to help your application scale fully when traffic starts to flood in. One example use is to have your website configured to spin up new EC2 instances when a certain load is met. With the correct structure EC2 is a cheap alternative to building out your own infrastructure and can easily handle getting Slashdotted or making the Digg front page. The second part of the talk was a flurry of URLs to help developers more easily handle instances and cloud services. Here is a list in case you are researching cloud services and management. It also includes some of the audience's preferred web hosts.

  • bluehost.com
  • slicehost.com
  • ylastic.com - I believe someone said these guys were local.
  • rightscale.com
  • scalr.net

Next I jumped into a security talk from Shauvik. He gave an overview of the latest web security news, projects, and updates. He went over various Firefox extensions used for auditing and some tools from OWASP.

Tools:

  • FireCat
  • Live HTTP Headers
  • Wikto
  • Nikto
  • W3AF

Following the security update I sat in on the Mini Startup Gauntlet session paneled by Lance, Sanjay, and Don. For those who are not familiar with Startup Gauntlet, it is a recurring event in which you present your startup pitch and the panelists tell you how to make it better. During the mini version there were presentations by Russell Journey, Mike Mealling, and Tejus.

Tejus completed his pitch of SCMPLE and I had to rush out to give one of my presentations, Attack Detection and Remediation using RIAs. I will have full posts up on my presentations shortly.

Now it was time for the last session of the day. Actually, it was the second to last, but it went so well that most people turned it from a 30 minute session into an hour. Doug hosted the open discussion tagged Open Source: The who, what, when, where, and why. Since most people in the room could fill in those answers pretty rapidly, we attempted to think on a deeper level about open source. By doing this we really expanded the conversation. Here are some example answers that were written on the large sheets of white paper surrounding the room.

  • What: other than software, what are other uses? Copyright and media.
  • Who: attributes of who? Customers are architects and devs, freelancers, cheapasses, savvy CIOs, "do it yourselfers".
  • When: when to use the open source structure/architecture?
  • Where: everywhere.
  • Why: cost savings, community / collaboration, learning, better and easier to maintain, ready-made consulting markets.
  • How: more freelance help, Google Code.
  • How much: is open source free? JBoss was purchased for 360,000,000, MySQL was bought for 1.2B, Red Hat has had 30% year over year growth for 4 years running.

As you can see, many of these were more questions just to expand the topic. We spent much time analyzing companies that were open source/free, open source enterprise, commercial open source, and other forms of hybrids. Overall my biggest takeaway was that the term open source has really gotten skewed over time. In the past, and even today, many people treated open source as if it were synonymous with free. For a period of time that was somewhat accurate. However, some of the largest open source companies today don't have as much to do with free software as when they started. Overall this was a very compelling end to BarCamp.

Lastly I have to thank everyone who made it happen.

If it weren’t for Mike Mealling and Lance Weatherby this would have never happened. Thank you for a great event.

I must also thank the BarCamp sponsors who make these events possible.

BarCamp Atlanta 2 Links:


Tuesday, October 21st, 2008 Local Events