By Joshua Lucas


Issue # 16

Monday, July 6, 1998


This week, two major security holes were found in Windows web servers. This column is not intended to extol the virtues of one platform over another, but the holes do offer a chance to look at security from a business perspective.

Both holes affect sites which use dynamic pages for various parts of the site. They allow a person to view the source of the script instead of the page it generates; it works the same way as the 'View Source' command found in browsers, except that what comes back is the server-side script. The security risk is that if your site uses a database as the backend, and your script logs into that database with a username/password, those credentials have just been exposed to the world.

These holes will not affect most of you directly, since another company hosts your web site. But as bandwidth and server costs go down, managing your own web server and web site will become much easier. Because of this, here are some suggestions for things to think about with regard to security.

The first and most important suggestion is to never leave a password at the base level of your site. In other words, never let the script that generates a page carry the username/password within it. Always give yourself the security of a middle script which manages the connections to the database; that middle script is the only place the login information lives. So far, the security holes only allowed the user to view the script which generated the page; they couldn't go any deeper.
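The two points above (a disclosure bug that hands a visitor the page script's source, and the middle-script layout that keeps the login out of that script) can be checked mechanically. The following Python script is an added example, not code from the column: it builds two constructed miniature sites in a scratch directory, one with the database login inline in the page script and one where the page script only calls a data-access script stored outside the web root, models the disclosure bug as "return the raw source of any file under the web root", and runs a small scanner over the web root to report files that would leak credentials. The ASP file names, the DSN and the password `hunter2-example` are constructed placeholders; the ASP text is only data for the scanner to read.

```python
import os
import re
import tempfile

# Heuristic patterns for credentials embedded in script source: plain
# assignments (VBScript, Perl, Python style) and ODBC/ADO connection strings.
# Not exhaustive; extend for the conventions your own scripts use.
CREDENTIAL_PATTERNS = [
    re.compile(r'\b(?:password|passwd|pwd|db_pass)\s*=\s*["\'][^"\']+["\']', re.I),
    re.compile(r'\b(?:pwd|password)=[^;"\']+', re.I),
]

# Constructed sample scripts; "hunter2-example" is a placeholder, not a secret.
VULNERABLE_PAGE = """<%
' products.asp -- builds the product page AND logs in to the database itself
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=shop;UID=webapp;PWD=hunter2-example;"
%>"""

HARDENED_PAGE = """<%
' products.asp -- holds no secrets; the data-access layer opens the connection
Set rs = GetProducts()
%>"""

MIDDLE_SCRIPT = """<%
' dblayer.asp -- the only file that knows the login; kept OUTSIDE the web root
Function GetProducts()
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=shop;UID=webapp;PWD=hunter2-example;"
    Set GetProducts = conn.Execute("SELECT name FROM products")
End Function
%>"""


def find_embedded_credentials(source):
    """Return the credential-looking fragments found in one script's source."""
    hits = []
    for pattern in CREDENTIAL_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(source))
    return hits


def build_site(base_dir, inline_credentials):
    """Write a constructed site: a web root plus a sibling 'lib' directory.
    With inline_credentials=False the login lives only in lib/dblayer.asp."""
    webroot = os.path.join(base_dir, "wwwroot")
    libdir = os.path.join(base_dir, "lib")
    os.makedirs(webroot, exist_ok=True)
    os.makedirs(libdir, exist_ok=True)
    page = VULNERABLE_PAGE if inline_credentials else HARDENED_PAGE
    with open(os.path.join(webroot, "products.asp"), "w") as f:
        f.write(page)
    if not inline_credentials:
        with open(os.path.join(libdir, "dblayer.asp"), "w") as f:
            f.write(MIDDLE_SCRIPT)
    return webroot


def view_source(webroot, request_path):
    """Model of the disclosure bug: the raw source of any file under the web
    root comes back.  A path that resolves outside the root returns None, which
    is why the out-of-root middle script stays beyond reach of this bug class."""
    target = os.path.realpath(os.path.join(webroot, request_path.lstrip("/")))
    root = os.path.realpath(webroot)
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return None
    with open(target) as f:
        return f.read()


def audit_webroot(webroot):
    """Map each file under the web root that would leak credentials through a
    source-disclosure bug to the offending fragments."""
    findings = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path) as f:
                hits = find_embedded_credentials(f.read())
            if hits:
                findings[os.path.relpath(path, webroot)] = hits
    return findings


def compare_layouts():
    """Build both layouts in a scratch directory and report what the audit and
    the modelled bug find in each."""
    with tempfile.TemporaryDirectory() as tmp:
        inline = build_site(os.path.join(tmp, "inline"), inline_credentials=True)
        middle = build_site(os.path.join(tmp, "middle"), inline_credentials=False)
        return {
            "inline_findings": audit_webroot(inline),
            "middle_findings": audit_webroot(middle),
            "inline_page_leaks": find_embedded_credentials(view_source(inline, "/products.asp")),
            "middle_lib_reachable": view_source(middle, "../lib/dblayer.asp") is not None,
        }


if __name__ == "__main__":
    for key, value in compare_layouts().items():
        print(f"{key}: {value}")
```

Run against a real web root, `audit_webroot` is the check to schedule: any hit means a script that a disclosure bug of this kind would turn into a database login leak, whatever the web server. The middle script is still worth protecting by file permissions as well, since the out-of-root placement only defends against bugs that stop at the web root boundary.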

Another suggestion is basic security practice rather than anything web-specific. Never go more than two months without changing your passwords. While this might be a little annoying at first, it will make your business more secure over the long run. Beyond the regular two-month change, change the passwords whenever an employee who knew them leaves. Better to be safe than sorry.

Find out what kind of security precautions the company who hosts your web site has. Make sure you feel comfortable with their security measures.

Security is sometimes an afterthought. It's a subject which focuses on the negative side of people's behaviour. But the reality is that security is the only thing which can make your business data safe, and it is this data which can make or break your business. Hopefully these security hole discoveries will serve to wake people up before it is too late.

Feel free to write me with questions.

"Lucas, Joshua Lucas"... writes for a living. By day he writes software, and by night he weaves words. Josh has coded in Java, C, C++, and Perl for some of the hippest and most recognizable companies in the US, including The Gap, Starbucks, Nike, and Nordstroms. Josh's rich experience, coupled with his diligent daily research, places him as close to the "cutting edge" as you can get without falling off. He and his wife recently moved from Los Angeles, CA to Boston, MA.

Text Copyright © 1998, Joshua Lucas. Part of the original Sideroad.