Designing a secure file sharing system
Peer-to-peer systems have gained tremendous popularity over the last few years, partly due to the unimaginable success of the Napster file sharing system. This phenomenon initiated a new era of computing, which included the development and deployment of many similarly designed systems, targeting different types of usage.
|
Using Microsoft Terminal Services and Windows Terminals
With distributed PC-based computing, much of the organization's resources are spent supporting end-user hardware and PC configuration issues. Using Terminal Services, the administrator will have the time and resources to focus on security. Terminal Services with Windows terminals is the most secure configuration but also has a range of technical, educational, cultural, political, and internal marketing challenges.
|
A Look at Automatic Protocol Generation & Security Protocols
This paper will attempt to describe automatic protocol generation and security protocols. Automatic Protocol Generation, APG for short, is a mechanism to generate security protocols automatically. This is accomplished by having the designer or engineer input a set of security system requirements and properties, from which a security protocol that best meets the criteria is dynamically produced. The system requirements for input are defined as a metric function, which defines the cost or overhead of the protocol primitives and, in turn, an ordering over protocols with respect to the metric function. Based on this ordering, APG investigates the protocol space and outputs the correct protocol, which has minimal cost with respect to the metric function. The protocol also satisfies the security properties and system requirements.
|
A Tour of TOCTTOUs
Time of check to time of use (TOCTTOU) vulnerabilities exist due to race conditions arising from an invalid assumption: that nothing affecting the validity of a security assertion changes between the time it is checked and the time an operation that depends on that assertion is performed. In fact, it is quite possible that the security of the environment changes with respect to the assertion during this interval. If these changes are cleverly timed and orchestrated, the operation may result in a security breach. This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.
|
Castles Built on Sand: Why Software is Insecure
We have all heard reports of vulnerabilities being discovered in various software. But what actually makes software more or less secure than the rest of its competitors? Theoretically, all software starts in the same place - with the very first sketch on somebody's napkin over dinner. It grows from there; the environment in which it is developed, who controls the project and most importantly who works on the project all contribute to the outcome. Unfortunately, the outcome is not always what the developers had in mind. Many software programs are plagued by programming flaws that may lead to security vulnerabilities. This article will offer a brief overview of some of the factors that may contribute to insecure software.
|
What is SOCKS?
An explanation of the SOCKS protocol (functions, features & benefits) and application proxy gateway systems.
|
AS/400 & iSeries: A Comprehensive Guide to Setting System Values to Common Best Practice Security
The purpose of this document is to assist anyone configuring or auditing iSeries (formerly known as AS/400) system values. This document should only serve as an informational guide and represents a security consultant's opinion on what the "Best Practice" setting should be in a typical corporate environment. Appropriate system value settings for the reader's environment may differ due to varying circumstances.
|
Application Security Checklist
This document contains procedures that enable qualified personnel to conduct an Application Security Readiness Review (SRR). The Application SRR assesses compliance, in part, with DISA's Recommended Standard Application Security Requirements (Version 2.0 dated 11 March 2003). In order to streamline the SRR process, this Checklist does not cover all of the requirements in that document.
|
Security Features Overview of Merlin (J2SE Version 1.4)
All the safeguards that we, as security professionals, employ are rendered useless if the foundation upon which they are laid is not sound. That is why Java™ has become the language of choice for the security minded application developer. From its inception, security was one of the primary tenets of the Java™ distributed computing platform.
|
Stopping Automated Attack Tools
This whitepaper examines techniques which are capable of defending an application against automated attack tools, providing advice on their particular strengths and weaknesses and proposing solutions capable of stopping the next generation of automated attack tools.