Ask The Software Quality Expert: Questions & Answers

SSL protects data in transit, but not apps

EXPERT RESPONSE FROM: Brad Arkin

QUESTION POSED ON: 27 April 2006
I've been reading that Web sites need more than SSL. What does SSL protect and what else -- if anything -- should be used with it?

EXPERT RESPONSE
SSL provides certificate-based authentication as well as protection against man-in-the-middle attacks. SSL does not provide any protection against attacks on the applications running on the Web server. Cross-site scripting, SQL injection and buffer overflows are all feasible attacks against a server that is SSL-enabled.

A properly configured user Web browser connected via SSL to a Web site allows the user to view the server certificate to verify the identity of the Web server. This provides protection for users against phishing or other attacks involving Web site impersonation.

"Man-in-the-middle" exploits occur when an attacker located somewhere between the user and the Web site is eavesdropping on or manipulating data in the connection. This might happen while a user is connected to a Web site via a public WiFi hotspot. Or, a well-placed attacker could initiate an attack while looking at home broadband or corporate LAN traffic. SSL provides protection against eavesdropping on, or undetected tampering with, data in the connection between the user and the Web server.

Because SSL only allows users to verify the identity of the Web server and protect the data in transit, proper patch management and secure coding techniques must be applied to the Web server. Good patch management will help limit the risk of a publicly known vulnerability in the Web server being exploited by an attacker. Additionally, secure coding techniques such as strong input validation will help protect against server attacks such as cross-site scripting, SQL injection and buffer overflows. SSL is critical for protecting data in transit to the Web server, but other security measures are required to protect the end points of the connection against other types of attacks.

More information:
Why can't I just use SSL to protect my Web services?
When should I use WS-Security? What about SSL?
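As an added illustration of the answer's point (this is example code, not part of Brad Arkin's response or the TechTarget page): an SSL connection hands the request to the application exactly as the client sent it, so the application layer still has to defend itself. The block below uses an in-memory SQLite table with constructed sample users; every function name, the allow-list pattern and the hostile sample input are assumptions made for the demonstration. The vulnerable lookup splices the request value into the SQL text; the hardened handler applies the "strong input validation" the answer recommends, a parameterised query, and HTML encoding of output that is reflected back to the browser.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the application's user table.
# TLS terminates at the web server; whatever the client sent arrives here
# byte-for-byte, so the application must validate it itself.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Assumed allow-list policy for usernames: lowercase letters, digits,
# underscore, 1-32 characters. Everything else is rejected before it
# reaches the database or the HTML output.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable lookup: the request value is spliced into the SQL text,
    so a quote character in the value changes the query's structure."""
    query = f"SELECT name, email FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the value is a bound parameter, never part of the SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


def is_valid_username(name: str) -> bool:
    """Allow-list validation applied before the value reaches any sink."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Hardened output: HTML-encode before reflecting the value into a page,
    which is the application-layer defence against cross-site scripting."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def handle_request(conn: sqlite3.Connection, name: str) -> dict:
    """Request handler combining validation, a parameterised query and
    output encoding. Returns a small dictionary so behaviour is checkable."""
    if not is_valid_username(name):
        return {"status": 400, "body": "invalid username", "rows": []}
    rows = find_user_safe(conn, name)
    return {"status": 200, "body": render_greeting(name), "rows": rows}


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a quote that closes the SQL string literal.
    hostile = "x' OR '1'='1"
    print("vulnerable:   ", find_user_vulnerable(db, hostile))  # every row
    print("parameterised:", find_user_safe(db, hostile))        # []
    print("handler:      ", handle_request(db, hostile))        # status 400
    print("handler:      ", handle_request(db, "alice"))        # status 200
```

Running the script shows the same request value producing every row through the concatenated query and nothing through the parameterised one, independent of whether the bytes travelled over SSL. The hardened handler rejects the value at validation time, so it never reaches either the query or the page; encrypting the transport changed none of this, which is the answer's point.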


All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy