Original poster: Sky-Tiger

[Featured] OReilly.RESTful.Web.Services.May.2007

51#
Posted on 2011-12-14 11:17
Thanks for sharing~~

52#
Original poster | Posted on 2012-6-10 00:59

53#
Posted on 2012-7-3 15:17
thanks in advance!

54#
Original poster | Posted on 2012-7-9 00:16
A WAF is an appliance or server software add-on that can monitor and block traffic to and from applications. They have become common in many enterprises, especially those that must comply with the Payment Card Industry Data Security Standard (PCI DSS), which calls for either use of a WAF or frequent application code reviews.

“I’m usually the last one to recommend – if you have a problem – throwing a piece of technology at it or putting something in front of it and filtering it, because it’s a good idea to build secure applications right from the start,” Krikken said, “but you can’t do that with all applications.”

55#
Original poster | Posted on 2012-7-9 00:16
Unfortunately, the developers that work so much power into such small devices may not be the best candidates for making sure that power stays in the right hands. According to Gartner's VP of security research, Ramon Krikken, enterprise application development could stand some improvement. He cites research from WhiteHat Security Inc. that implies it would take the banking industry (one of the most regulated and therefore best secured industries) over thirteen months to patch 90% of the flaws that exist in their applications.

56#
Original poster | Posted on 2012-7-9 00:16
Despite the talent and hard work of today's Java developers, enterprise Web and mobile applications may not be as secure as they should be. More than ever before, Java developers are code ninjas and mobile application magicians. Java applications running on Android phones let us take care of our banking errands, wire money, send and receive emails, make purchases, keep tabs on our investments, schedule appointments, and even help us keep fit. We can run them just about anywhere. These apps are powerful and easy to use. They connect us to the world in ways that were impossible not so long ago.

57#
Original poster | Posted on 2012-7-9 00:16
A WAF is an appliance or server software add-on that can monitor and block traffic to and from applications. They have become common in many enterprises, especially those that must comply with the Payment Card Industry Data Security Standard (PCI DSS), which calls for either use of a WAF or frequent application code reviews.

“I’m usually the last one to recommend – if you have a problem – throwing a piece of technology at it or putting something in front of it and filtering it, because it’s a good idea to build secure applications right from the start,” Krikken said, “but you can’t do that with all applications.”

“I have an increasing number of customers starting to question whether putting a Web application firewall in front of an application to fix something is all that much worse than fixing the code.”

58#
Original poster | Posted on 2012-7-9 00:16
banking errands, wire money, send and receive emails, make purchases, keep tabs on our investments, schedule appointments, and even help us keep fit. We can run them just about anywhere. These apps are powerful and easy to use. They connect us to the world in ways that were impossible not so long ago.

Unfortunately, the developers that work so much power into such small devices may not be the best candidates for making sure that power stays in the right hands. According to Gartner's VP of security research, Ramon Krikken, enterprise application development could stand some improvement. He cites research from WhiteHat Security Inc. that implies it would take the banking industry (one of the most regulated and therefore best secured industries) over thirteen months to patch 90% of the flaws that exist in their applications.

59#
Original poster | Posted on 2012-7-9 00:17
I've just read The Tangled Web: A Guide to Securing Modern Applications; each chapter describes how web apps are hopelessly insecurable in the browser. Before that, I read The Basics of Hacking and Penetration Testing, which shows that hackers have won the arms race over server security. What I've learned is I could spend more time securing an app than writing it and it would still be vulnerable, and that I need a security specialist. I've started reading Apache Security and I'd like Apache httpd to be a web app firewall, but that takes specialist knowledge too; default Apache settings are far from secure.

60#
Posted on 2012-7-10 05:51
thx!!
