Home > Ask the Software Quality Experts > Application Security Questions & Answers > How to protect your Web site against buffer overruns
Ask The Software Quality Expert: Questions & Answers
EMAIL THIS

How to protect your Web site against buffer overruns

Jeremiah Grossman EXPERT RESPONSE FROM: Jeremiah Grossman

Pose a Question
Other Software Quality Categories
Meet all Software Quality Experts
Become an Expert for this site


Software quality news and advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


>
QUESTION POSED ON: 28 April 2006
I'm looking for advice on buffer overruns. What can I do to protect against these attacks?

>

The first thing to understand is that custom Web application buffer overflow exploits are extremely rare. Still, a little extra paranoia doesn't hurt, since much of the advice given has excellent additional security benefits. Let's take a look at a few things we can do to protect Web sites from buffer overflows by hardening the operating system, Web server, and Web application.

  • Patch early, patch often, and harden the operating system. It doesn't matter if you're running Windows, Linux, or OS X. A secure Web site must be built on a solid foundation. An excellent resource for guidance is the Center for Internet Security.
  • Web server security add-ons. If you're running Microsoft IIS 5.0, install URL Scan 2.5. URL Scan has several useful features that restrict the types of requests IIS will process. IIS 6.0, by default, includes the important features that are included in URL Scan. If you're locking down Apache, ModSecurity is a must-have. ModSecurity is an open-source intrusion detection and prevention engine for Web applications.
  • Never trust client-side data. Ensure that strong character set, format, minimum and maximum length checks are in place for data, data query strings, cookies, and post data. Thorough input validation is key to a secure Web site.
  • When developing for Windows, reduce your application's reliance on unmanaged code.

More information
Featured Topic: Prevent buffer overflow
Buffer overflow attacks: How do they work?


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Building security into the SDLC (Software development life cycle)
Problems caused by skipping analysis stage of SDLC
Inexpensive phase of SDLC to catch and fix bugs
GatherSpace beefs up cloud-based requirements management
ALM: Best of breed vs. complete systems
Software development life cycle phases, iterations, explained step by step
The role of quality assurance (QA) pros in software security
Common software security risks and oversights
Why the quality assurance department should be involved in testing
How to develop secure applications
Secure software development practices 'not rocket science'

Threat modeling
Web application security and the PCI DSS
The essentials of Web application threat modeling
How to implement security in Java EE and Java ME
Application security shouldn't involve duct tape, Band-Aids or bubble gum
Stop SQL injection attacks on applications
How to counter XSS attacks
Breaking the same origin barrier of JavaScript
Protection against "zero-minute" exploits
Denial of service and Ajax
CSRF attack vector with Ajax serialization

Software security testing and techniques
Web server weaknesses you don't want to overlook
Using firewalls for software testing: Pros and cons
Beating software's cross-site scripting, authentication problems
Free Web proxy security tools software testers should get to know
How to get management on board with Web 2.0 security issues
Web application security best practices: Tips on implementation
Testing strategies for complex environments
How to make your software tamperproof
Ways to approach application performance testing on a tight budget
How can I tell if my software security has been breached?

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice



Software Quality - Software Maintenance, Software Requirements, Software Standards
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts