Wednesday, February 18, 2009

Proprietary software does not have backdoors

Some people have an innate fear of closed source. The argument goes this way: closed software is bad, because the vendor might have put some backdoors in there. Mmmm. Are you sure open source software does not have backdoors? I'm not. I install Linux on my servers without recompiling the source code files. I use the version compiled by the Linux vendor. I don't know what is in there. The source code and the compiled version may be different. Anyway, you can debug closed code and be sure that there are no backdoors.

Most users do not look at source code. Most software developers do not analyze open source files. I don't have time to look through other people's code to see what is wrong. I trust Microsoft! I trust Adobe. I trust other big companies. They don't have a reason to include backdoors in their programs. Hackers would find out about it. A professional hacker could find a backdoor without debugging. To do it you need a sniffer and a firewall to find abnormal connections from your computer to other servers on the Internet.
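The sniffer-and-firewall check described above, as an added example that is not part of the original post: it reads constructed egress records (program, destination address, port: the kind of line a firewall log or a sniffer capture joined with netstat output gives you) and flags every outbound connection that no baseline entry explains. The program names, addresses and the baseline table are assumptions made up for the example.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "program dst_ip dst_port")

# Constructed egress records for the example, one per outbound connection:
# owning program, destination address, destination port. Not real data.
SAMPLE_LOG = """\
firefox.exe 93.184.216.34 443
updater.exe 13.107.4.50 443
reader.exe 10.0.0.5 445
reader.exe 198.51.100.7 8080
notepad.exe 203.0.113.9 6667
"""

# Baseline of destinations each program is expected to talk to.
# Hypothetical values; a real baseline is built by observing a known-clean
# machine over time and from the vendor's published endpoint lists.
# "*" means any address on that port.
BASELINE = {
    "firefox.exe": {("*", 443), ("*", 80)},   # browser: any host on web ports
    "updater.exe": {("13.107.4.50", 443)},    # vendor update server only
    "reader.exe": {("10.0.0.5", 445)},        # only the internal file server
}


def parse_log(text):
    """Turn the whitespace-separated records into Conn tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        program, ip, port = line.split()
        conns.append(Conn(program, ip, int(port)))
    return conns


def is_expected(conn):
    """True if some baseline entry for this program covers the destination."""
    allowed = BASELINE.get(conn.program, set())
    return any(ip in ("*", conn.dst_ip) and port == conn.dst_port
               for ip, port in allowed)


def abnormal_connections(conns):
    """Connections no baseline entry explains: an unknown program talking
    out, or a known program reaching a destination it never used before."""
    return [c for c in conns if not is_expected(c)]


if __name__ == "__main__":
    for c in abnormal_connections(parse_log(SAMPLE_LOG)):
        print(f"abnormal: {c.program} -> {c.dst_ip}:{c.dst_port}")
```

A program phoning home to a destination that was never in its baseline, or a program that should never talk out at all, is exactly what this surfaces; the reliability of the check depends entirely on the baseline having been recorded while the machine was clean.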

An excellent post about the problem was published by Joanna Rutkowska: Closed Source Conspiracy.

Wednesday, February 4, 2009

Comprehensive information about SQL Injection

SQL Injection is the most commonly used database attack on the Internet. The best place to learn about the problem is SQL Injection and PHP. It is my old article, written about 4 years ago and published on the blog about a year ago. It explains how an attacker inserts SQL commands into an application's SQL query. Many websites are exposed to SQL injection attacks, but their administrators and owners don't know it. Almost every day I hear about new vulnerabilities. The article covers the basics of SQL Injection.

I have been working as a WEB developer and security tester for a long time. I have seen a lot of WEB sites that have SQL Injection errors. The vulnerability has been known for a long time. The most horrible thing is that WEB developers still make these errors in their scripts. The source of the errors is the human factor and a lack of knowledge.

To avoid the human factor I use automatic checking software. An automated test can't give a 100% guarantee. Nothing can. A good automatic test saves you time. Run the automatic test on your scripts before uploading them to a test system. Use a manual test of the changed files as an additional inspection.
A real example of the SQL Injection vulnerability may be found in the Critical SQL Injection article. The vulnerability on the berkeley server was quite critical. The attacker could discover the server's usernames (by viewing the /etc/passwd system file) and open files in the system directories; with MySQL's LOAD_FILE the reach is bounded by what the database server process can read and by the FILE privilege of the database account, so how much is exposed depends on the server's configuration. The article shows how the LOAD_FILE function can be used, through the SQL Injection error, to load a file's content into the WEB page, and it gives an example of a manual test for the SQL Injection error.
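The injection pattern from the two articles, as an added example that is not part of the original posts: a query that pastes the request parameter into the SQL text, the same query with validation and parameter binding, the true/false manual test, and a UNION payload that pulls rows from another table through the page. It uses Python with an in-memory SQLite database so it runs offline; the original articles are about PHP and MySQL, and because SQLite has no LOAD_FILE the payload reads a users table instead of /etc/passwd. Table names, rows and password hashes are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration; nothing here comes
    from the berkeley server in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news (id, title) VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Second post")])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, password_hash) VALUES (?, ?, ?)",
        [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
         (2, "bob", "e10adc3949ba59abbe56e057f20f883e")])
    conn.commit()
    return conn


def fetch_title_vulnerable(conn, news_id):
    """The classic bug: the request parameter is concatenated into the SQL.
    This mirrors PHP code such as
        mysql_query("SELECT title FROM news WHERE id=" . $_GET['id']);
    """
    sql = "SELECT title FROM news WHERE id=" + str(news_id)
    return [row[0] for row in conn.execute(sql)]


def fetch_title_safe(conn, news_id):
    """Fixed version: check the type, then bind the value as a parameter so
    the database never sees it as part of the SQL text."""
    if not str(news_id).isdigit():
        raise ValueError("news id must be a positive integer")
    sql = "SELECT title FROM news WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(news_id),))]


# UNION payload: the SQLite counterpart of appending
# "UNION SELECT LOAD_FILE('/etc/passwd')" on MySQL. The injected SELECT
# must return the same number of columns as the original query (one here).
UNION_PAYLOAD = "1 UNION SELECT username || ':' || password_hash FROM users"


def manual_test(fetch, conn, good_id="1"):
    """Boolean manual check: append a true and a false condition to a valid
    id. If the page answers differently, the parameter reaches the SQL
    engine unescaped. Input rejected by validation counts as not injectable."""
    try:
        true_case = fetch(conn, f"{good_id} AND 1=1")
        false_case = fetch(conn, f"{good_id} AND 1=2")
    except ValueError:
        return False
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_title_vulnerable(db, UNION_PAYLOAD))
    print("manual test, vulnerable:", manual_test(fetch_title_vulnerable, db))
    print("manual test, safe:", manual_test(fetch_title_safe, db))
```

The manual test is the quick check to run by hand on every numeric parameter: `id=1 AND 1=1` should return the normal page and `id=1 AND 1=2` an empty one only if the value is being spliced into the query. Binding parameters (PDO or mysqli prepared statements in PHP) removes the whole class of bug regardless of what the value contains; the integer check on top is defence in depth and gives a clean error for garbage input.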

Monday, February 2, 2009

ProfWebDev.com: WEB consulting company

I have been working as a WEB consultant for a long time. WEB consulting includes WEB development and WEB security analysis. People contact me quite often. They want my help with WEB development or security testing of their websites. I decided to make my own WEB site to let my clients know about the services I can provide: WEB development and security testing. The address of the new WEB site is: www.profwebdev.com.
The main services I can provide to my clients are:
  • WEB development - I can develop a new WEB site or enhance an existing WEB site.
  • WEB optimization - I can optimize your WEB presence to bring you new customers. The service includes search engine optimization.
  • Security testing - I can test your WEB site for vulnerabilities.

My services are useful for small companies, small businesses and startup projects. Internet services are very expensive. Small businesses can't afford to have their own high-quality professional. I share my experience with my clients to bring their business to a new level.
Small companies don't have to employ their own security specialist or WEB promoter to provide these services full time. Using WEB consulting allows anyone to reduce the expenses of their Internet presence.