
March 9, 2007

Configuration Management and Security

ARTICLE >> Information security is commonly described through the adage “as strong as the weakest link”—and too often the weakest link is in systems configurations. Regardless of all the time and money poured into anti-malware, intrusion prevention, content filtering, and all the other measures we deploy, if configuration is not controlled, our networks and systems will be vulnerable.

Configuration management is one of the areas of information security that often falls to systems managers and network administrators. Many of the security-oriented tasks are also good systems management practice; this fact just adds weight to the notion that good systems management is good security. Much has been written about effective configuration management practices, and comprehensive best practices are readily available. Rather than delve into the details of these broad frameworks, this article will focus on several basic functions and areas that are critical to leveraging the benefits of configuration management to improve security.

Continue reading Configuration Management and Security...

February 26, 2007

Web Services Security

ARTICLE >> Web services are an established method for building distributed and federated applications. Using Web services protocols, developers can provide access to application functions by publishing the interface to the service using the Web Services Definition Language (WSDL), providing data in XML structures, and transmitting data between applications using the Simple Object Access Protocol (SOAP). Service consumers can discover Web services that have been registered using the Universal Description, Discovery, and Integration (UDDI) protocol. As with any application, questions of authentication, authorization, and trust must be addressed in the Web services architecture.

Continue reading Web Services Security...

Web Application Testing

ARTICLE >> Testing is an important part of any software development methodology, but testing security features is essential for Web applications. Those who come from a software development background are familiar with functional testing: start with required functions, formulate test plans, and define test cases for each feature. Ideally, these steps are automated in a regression test that is run routinely to make sure you do not lose ground as you correct errors. Just as important, and more important if you have to answer to auditors, is testing a key non-functional requirement—security.

Continue reading Web Application Testing...

Vulnerability Scanning 101

ARTICLE >> Vulnerability scanners have come a long way. When tools like SATAN first came out, there was a lot of discussion about the wisdom of having vulnerability scanners. After all, these were tools for hackers to employ to attempt an attack on your network and servers. Proponents of the tools argued that it was better to learn about your vulnerabilities with a tool rather than through an attack. The debate about the relative value of vulnerability scanners is essentially over—they are useful tools for network and systems administrators in spite of the fact that they could be used for malicious purposes.

Continue reading Vulnerability Scanning 101...