« Login to iX Connection »

Application Security's Growing Importance

Application Securtiy received little attention in the typical enterprise until relatively recently. With more internet-facing services being created, application security becomes more important with every passing day.

Improve your security by using secure technologies like Java & WebObjects

Java, WebObjects, Apache, and UNIX were designed with security in mind from the outset, not tacked on as an afterthought. Today's internet presents a challenging security environment, and nearly all platforms require patching at some point. The platforms we recommend, in addition to being scalable and robust, consider security as a first tier design requirement.

For example, the language at the heart of WebObjects (Java) is designed in such a way that programs written in WebObjects are nearly invulnerable to entire classes of security defects. "Buffer overflows" for example are almost unheard of in Java applications -- but this same class of defect leads to dozens of patches a year in software like the C++ based IIS.

Internet security professionals refer to IIS as the "Internet Insecurity Server", as a tongue-in-cheek reference to the casual security approach that contrasts markedly to the Java approach. Perhaps more important even than the solid Java technology foundation is that the vendors of the Java, WebObjects, Apache, and UNIX platforms take security seriously -- they treat security problems as defects to be corrected in the software, rather than as "3rd party opportunities". Refactoring your applications from IIS/ASP to Java and WebObjects can lead to improved security posture in addition to improved scalability and robustness of the application.

Why do security experts believe that IIS is less secure than other servers?

There are several reasons.

  • IIS must often run as a privileged process on a host

    Microsoft apologists like to point out that other servers require security patches, too. The fact is, however, that Unix-based web servers typically run as a non-privliged user, so that even if they are exploited by a cracker, the damage is limited to files that are already available on the internet anyway. In general, it's much harder to exploit security holes to get at hidden customer data like credit card numbers on a Unix/Apache system.

  • Microsoft considers security to be an opportunity for 3rd party products, not a responsibility of the vendor

    Fundemental flaws in security architecture are perceived by other vendors of server platforms to be problems that should be fixed. Unix vendors work with the opensource community to make sure that when defects are found, they are corrected in the operating systems and web servers. For years, Microsoft has claimed that basic architecture flaws in Windows and IIS are "features". Entire industries have arisen to provide band-aids to these problems, but as the Code Red and Nimda attacks have shown, more than a band-aid is needed.

  • Windows, IIS, and ASP architects choose ease-of-use over security

    Many of these problems arise from a proliferation of features in Windows and IIS. The recent set of problems revealed with the Microsoft Passport system is just one of many examples. In a rush to make sure that internet shopping cart the world over would get permanently wired into Microsoft, and that they would have personal contact and other information from your customers at their fingertips, Microsoft got egg on their face. Before Windows XP even shipped, the first security and privacy holes with its Passport system were detected by industry experts.

    Where do you want (your credit card number) to go today (TM)?

  • Windows, IIS, and the associated development tools ASP/VBScript/COM contain many hidden "features", mostly designed to interlock with the IE browser, which are routinely discovered and exploited by crackers

    When they wrote the code to make it possible for a web site to crawl down your browser and read/write any of your "Cookie" files if you run Internet Explorer, what were they thinking ? We don't know, but we do know that the tight integration between Windows/IIS/IE has led to dozens of such bizzare "features" which have been exploited.








iPhone front

illumineX can help you build iPhone applications for internal enterprise use, or for consumer use.