
Web Security: Battleships and Locusts

Posted March 06, 2013

Websites take inputs from a variety of sources and generate web pages, formatted data, transactions and errors.


Battleships

Threats always arrive in input.

Websites take streaming input from a variety of sources: web browsers, databases, services, processes, commands and so on. Threats occur when someone tries to hide a battleship in one of those streams.

A battleship is input designed to compromise web security. Often a single input can bring a website down, compromise data or deface the site.

The key to defending a site against battleships is detection — if the battleship can be detected the input can be thrown out.

Locusts

Sometimes threats contain no malicious data whatsoever. For example, consider a distributed denial of service attack (DDoS) — perfectly valid requests may be used.

A locust is input that on its own would be harmless — but arrives in such quantity that it compromises web security. Often locusts are designed to interfere with availability — crashing sites or making them too slow to use.

It is more difficult to defend a site against locusts — if they arrive in sufficient numbers even secure websites are vulnerable.
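The two defenses differ in kind, which the following added example shows (it is not code from the original article): a battleship is caught by inspecting one input on its own, while a locust passes that inspection and is only caught by counting arrivals over time. The `username` field, the allowlist pattern, the window and budget values, and the sample traffic are all assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque

# Assumed policy for this sketch: one "username" field, allowlisted characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
WINDOW_SECONDS = 10.0  # assumed sliding-window length
MAX_REQUESTS = 5       # assumed per-client budget within one window


def is_battleship(value):
    """Stateless: one input is judged on its own against the allowlist."""
    return USERNAME_RE.fullmatch(value) is None


class LocustGate:
    """Stateful: every request is valid, so only the arrival rate is judged."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)  # client -> recent request timestamps

    def allow(self, client, now):
        stamps = self.seen[client]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget requests that left the window
        if len(stamps) >= self.limit:
            return False  # over budget: drop the request
        stamps.append(now)
        return True


def handle(gate, client, value, now):
    """Classify one request: rejected-input, rate-limited or accepted."""
    if is_battleship(value):
        return "rejected-input"
    if not gate.allow(client, now):
        return "rate-limited"
    return "accepted"


def replay(requests):
    gate = LocustGate()
    return [handle(gate, c, v, t) for c, v, t in requests]


# Constructed sample traffic: (client, username field, arrival time in seconds).
SAMPLE = [("10.0.0.1", "alice", 0.0), ("10.0.0.2", "<b>bob</b>", 0.1)]
SAMPLE += [("10.0.0.3", "carol", 1.0 + i * 0.1) for i in range(7)]
SAMPLE += [("10.0.0.3", "carol", 20.0)]
print(replay(SAMPLE))
```

A per-client budget like this one does not stop a distributed flood in which every source stays under its own limit, which is why locusts are the harder case.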

Secure Website Development

Secure website development is a cyclical process of security design, coding, code reviews and testing.

[Figure: software security process]



