By Joshua Lucas
Issue # 16
Monday, July 6, 1998
This week, two major security holes were found within Windows web servers. While this column is not intended to extol the virtues of one platform over another, it does offer the chance to take a look at security from a
Both of the holes affect sites which use dynamic pages for various parts of the site. They allow a person to view the source of the script instead of the dynamically generated page; it works the same way as the 'View Source' command found in browsers. The security risk is this: if your site uses a database as the backend and your script logs into that database with a username/password, you have just exposed that information to the world.
For most of you, these holes will not affect you directly, since another company hosts your web site. But as bandwidth and server costs go down, managing your own web server and web site will become much easier. With that in mind, here are some suggestions for things to think about with regard to security.
The first and most important suggestion is to never leave a password at the base level of your site. In other words, the script that generates a page should never have the username/password within it. Always give yourself the security of a middle script which manages the connections to the database; this middle script is the one which holds the necessary login information. So far, the security holes only allowed the user to view the script which generated the page; they couldn't go any deeper.
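The layout described above, as an added example that is not part of the original column: a page script that carries its own database login, beside a page script that only calls a middle script. The middle script is placed outside the document root (an assumption added here; the column only says it should hold the login), so a "view source" hole that hands back raw files under the document root reveals the page script but never the password. The file names, the constructed password and the helper functions are all invented for this demonstration.

```python
import tempfile
from pathlib import Path

EXAMPLE_PASS = "s3cret-example"  # constructed value, used only in this demonstration


def build_site(root: Path, hardened: bool) -> Path:
    """Lay out a constructed web site under root and return its document root.

    Vulnerable layout: the page-generating script carries the database login.
    Hardened layout: the page script only calls a middle script that manages the
    database connection, and that middle script sits outside the document root,
    where the web server never serves it."""
    docroot = root / "htdocs"
    docroot.mkdir(parents=True)
    if not hardened:
        (docroot / "catalog.cgi").write_text(
            f'DB_USER = "webapp"\nDB_PASS = "{EXAMPLE_PASS}"\n'
            "rows = query(DB_USER, DB_PASS, 'SELECT * FROM products')\n")
    else:
        (docroot / "catalog.cgi").write_text(
            "from dbgateway import query   # dbgateway lives in ../lib, not in htdocs\n"
            "rows = query('SELECT * FROM products')\n")
        lib = root / "lib"
        lib.mkdir()
        (lib / "dbgateway.py").write_text(
            f'DB_USER = "webapp"\nDB_PASS = "{EXAMPLE_PASS}"\n'
            "def query(sql):\n    return run(DB_USER, DB_PASS, sql)\n")
    return docroot


def source_disclosure_view(docroot: Path) -> str:
    """Model of the hole the column describes: the server hands back the raw
    text of any file under the document root instead of executing it.
    Files outside the document root are not reachable this way."""
    return "\n".join(p.read_text() for p in sorted(docroot.rglob("*")) if p.is_file())


def leaks_password(docroot: Path) -> bool:
    """True if the constructed password appears in what the hole reveals."""
    return EXAMPLE_PASS in source_disclosure_view(docroot)


def demo() -> tuple:
    """Return (vulnerable_layout_leaks, hardened_layout_leaks)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return (leaks_password(build_site(root / "vuln", hardened=False)),
                leaks_password(build_site(root / "safe", hardened=True)))


if __name__ == "__main__":
    print(demo())  # (True, False)
```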
Another suggestion is more a matter of basic security than of web security. Never go more than two months without changing your passwords. While this might be a little annoying at first, it will make your business more secure over the long run. In addition to the two-month rotation, change the passwords whenever an employee who knew them leaves. Better to be safe than sorry.
Find out what kind of security precautions the company which hosts your web site has, and make sure you feel comfortable with their security measures.
Security is sometimes an afterthought. It's a subject which focuses on the negative side of people's behaviour. But the reality is that security is the only thing which can make your business data safe, and it is this data which can make or break your business. Hopefully these security hole discoveries will serve to wake people up before it is too late.
Feel free to write me with questions.
Joshua Lucas writes for a living. By day he writes software, and by night he weaves words. Josh has coded in Java, C, C++, and Perl for some of the hippest and most recognizable companies in the US, including The Gap, Starbucks, Nike, and Nordstrom. Josh's rich experience, coupled with his diligent daily research, places him as close to the "cutting edge" as you can get without falling off. He and his wife recently moved from Los Angeles, CA to Boston, MA.
Text Copyright © 1998, Joshua Lucas.
Part of the original Sideroad.