Tuesday, November 22, 2011

The Future of Web Services

In the late 1990s and 2000s the Internet evolved from static content web pages into dynamically generated websites with a database back-end. This era gave birth to technologies such as ASP and PHP, which today account for more than 52 percent of the market (BuiltWith Trends, 2011). Today, as grid computing, distributed computing and cloud computing are rapidly becoming the de facto choice for data storage and access (Divakarla, U, & Kumari, G 2010), web applications need to evolve and adopt the emerging data access technologies. In addition, many businesses rely on Business to Business (B2B) information which is exposed through web services technologies; this provides an additional layer of security (access authentication and authorization) as opposed to exposing a direct connection to the back-end database.
Information such as geographical location (MaxMind, Inc. 2011), credit rating (Experian Information Solutions, Inc. 2011), employment and income verification (Equifax, Inc. 2011), address lookup and readdressing information (Canada Post, 2011) is available to merchants and service providers through standard (SOAP and RESTful) web services. As such, instead of maintaining its own database of GeoIP information or postal codes, a web application can simply invoke an exposed web service to get access to the up-to-date data maintained by an “expert” service provider. Moreover, “Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data” (Amazon Web Services LLC, 2011), which allows web software developers to create a database-driven application without a traditional database back-end, relying completely on standard web services protocols such as SOAP and REST.
The main obstacle to adoption of distributed information storage such as Amazon Web Services is its security. While vendors state that the storage “is secure by default” (Amazon Web Services LLC, 2011), certain aspects of security, such as physical security, cannot be controlled by the data originator. As such, merchants and service providers wishing to utilize a “cloud” storage option need to evaluate and implement compensating controls, such as adopting the HTTPS protocol to transfer the data and encrypting the data before it is stored in the “cloud”. Ideally, an organization wishing to join the "cloud" should assess the risks by conducting a Threat Risk Assessment (TRA) and make sure there are security controls in place to mitigate the identified risks.
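The two compensating controls named above (transport over HTTPS only, and encrypting the data before the provider ever sees it) can be wired into a storage client as follows. This is an added example written for this post, not code from the original or from any cloud provider's SDK: the storage calls `cloudPut`/`cloudGet` are a hypothetical in-memory stand-in for a REST client, the endpoint URL is a placeholder, and the key is assumed to stay with the data originator.

```php
<?php
// Added example, not from the original post: encrypt an object client-side
// with AES-256-GCM before handing it to a cloud storage API, and refuse any
// endpoint that is not reached over HTTPS. cloudPut/cloudGet are a
// hypothetical in-memory stand-in for the provider's PUT/GET calls.

function requireHttps(string $url): string {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (strtolower((string)$scheme) !== 'https') {
        throw new InvalidArgumentException("refusing non-HTTPS endpoint: $url");
    }
    return $url;
}

// The provider only ever stores nonce, authentication tag and ciphertext.
function sealForCloud(string $plaintext, string $key): string {
    $iv  = random_bytes(12);          // fresh 96-bit nonce per object
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;          // 12-byte nonce | 16-byte tag | ciphertext
}

function openFromCloud(string $blob, string $key): string {
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('object tampered with or wrong key');
    }
    return $pt;
}

// Hypothetical storage client: an array plays the role of the remote bucket.
$bucket = [];
function cloudPut(array &$bucket, string $endpoint, string $objectKey, string $body): void {
    requireHttps($endpoint);
    $bucket[$objectKey] = $body;
}
function cloudGet(array &$bucket, string $endpoint, string $objectKey): string {
    requireHttps($endpoint);
    return $bucket[$objectKey];
}

$endpoint = 'https://storage.example.invalid/';   // placeholder, not a real provider URL
$key      = random_bytes(32);                     // held by the data originator only

// Constructed sample record.
$record = json_encode(['customer' => 'constructed sample', 'balance' => 1234.56]);
cloudPut($bucket, $endpoint, 'records/1.bin', sealForCloud($record, $key));

// Normal round trip: ciphertext comes back and decrypts under our key.
echo openFromCloud(cloudGet($bucket, $endpoint, 'records/1.bin'), $key), "\n";

// A single flipped ciphertext byte fails the GCM tag check instead of
// silently yielding corrupted data.
$damaged = $bucket['records/1.bin'];
$damaged[40] = chr(ord($damaged[40]) ^ 0x01);
try {
    openFromCloud($damaged, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// A plain-HTTP endpoint is rejected before any data leaves the client.
try {
    cloudPut($bucket, 'http://storage.example.invalid/', 'records/2.bin', 'x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Key management is the part this example leaves out on purpose: the AES key must live with the data originator (for instance in a key management service or hardware module) and never be stored in the same bucket as the ciphertext, otherwise the encryption compensates for nothing.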



Tuesday, November 8, 2011

Internal vs. External Risk

Recently, I had a very interesting conversation with a CISO about the need (or the lack) of a security assessment for an application which was “up and running for quite some time” on the Intranet. The business driver behind the initiative was to expose the same application, which (of course) relies on authentication, to business partners and clients to access marketing (statistics, geographical and demographical distribution of users, etc.) over the Internet.
It is quite obvious that external exposure carries inherently higher risk than the same resource (document, application, database, etc.) exposed to the internal environment. But have you tried to quantify the risk?
According to the U.S. Census Bureau (2007), there are 120,604,265 employees in 29,413,039 establishments in the US, which means that the average company size in the US is 4.1 employees (internal exposure). The total world population (external exposure) is estimated at 6,973,530,974 (U.S. Census Bureau, 2011). Using the simple formula
6973530974 ÷ (120604265 ÷ 29413039)
we can calculate that the external exposure is 1,700,708,830 times higher.
Naturally, this does not translate directly into risk: the average US company with 4.1 employees does not have Intellectual Property, and not every human on earth has the means (technical equipment, skills, time, motivation, etc.) to identify and exploit a security vulnerability. Regardless, even if the number is divided by a million (1,000,000), we are still talking about 1,700 times more exposure risk.
These numbers are quite impressive...


Saturday, November 5, 2011

Data Warehousing

The concept of data warehousing was introduced in the 1980s as a non-volatile repository of historical data mainly used for organizational decision making (Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S 2010). While the data warehouse consists of information gathered from diverse sources, it maintains its own database, separated from operational databases, as it is structured for analytical processes rather than transactional processes (Chang-Tseh, H, & Binshan, L 2002).
Traditionally, data warehouses were used by medium and large organizations to “perform analysis on their data in order to more effectively understand their businesses” (Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung, S, & Sujeong, C 2007) and were designed as a centralized database used to store, retrieve and analyze information. Those systems were expensive, difficult to build and maintain, and in many cases made internal business processes more complicated.
With the wide adoption of the Web (the Internet) as a successful distributed environment, data warehouse architecture evolved into a distributed collection of data marts and metadata servers which describe the data stored in each individual repository (Chang-Tseh, H, & Binshan, L 2002). Moreover, the use of web browsers made deployment of and access to data warehouses less complicated and more affordable for businesses.
As a further matter, according to Pérez, J et al. (2008) the Web is “the largest body of information accessible to any individual in the history of humanity where most data is unstructured, consisting of text (essentially HTML) and images” (Pérez, J, Berlanga, R, Aramburu, M, & Pedersen, T 2008). With the standardization of XML as a flexible semi-structured data format for exchanging data on the Internet (i.e. XHTML, SVG, etc.), it became possible to “extract from source systems, clean (e.g. to detect and correct errors), transform (e.g. put into subject groups or summarized) and store” (Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S 2010) the data in the data warehouse.
On the other hand, it is important to consider the “deep web”, which accounts for close to 80% of the web (Chang-Tseh, H, & Binshan, L 2002); there, data access, retrieval, cleaning and transformation could present further obstacles to overcome. In addition, as the information stored in data warehouses becomes more accessible through Internet browsers (as compared to corporate fat clients), so does the risk of data theft (through malicious attacks) and leakage. Chang-Tseh et al. (2002) further note that the security of the warehouse depends primarily on the quality and the enforcement of the organizational security policy.


  • Chang-Tseh, H, & Binshan, L 2002, 'Web-Based Data Warehousing: Current Status and Perspective', Journal of Computer Information Systems, 43, 2, p. 1, Business Source Premier, EBSCOhost, viewed 5 November 2011.
  • Deitel, H, Deitel, P, & Goldberg, A 2004, Internet & World Wide Web How to Program, 3rd edn, Pearson Education, Upper Saddle River, New Jersey.
  • Minsoo, L, Yoon-kyung, L, Hyejung, Y, Soo-kyung, S, & Sujeong, C 2007, 'Issues and Architecture for Supporting Data Warehouse Queries in Web Portals', International Journal of Computer Science & Engineering, 1, 2, pp. 133-138, Computers & Applied Sciences Complete, EBSCOhost, viewed 5 November 2011.
  • Pérez, J, Berlanga, R, Aramburu, M, & Pedersen, T 2008, 'Integrating Data Warehouses with Web Data: A Survey', IEEE Transactions on Knowledge & Data Engineering, 20, 7, pp. 940-955, Business Source Premier, EBSCOhost, viewed 5 November 2011.
  • Reddy, G, Srinivasu, R, Rao, M, & Rikkula, S 2010, 'Data Warehousing, Data Mining, OLAP and OLTP Technologies Are Essential Elements to Support Decision-Making Process in Industries', International Journal on Computer Science & Engineering, 2, 9, pp. 2865-2873, Academic Search Complete, EBSCOhost, viewed 5 November 2011.

Friday, November 4, 2011

PHP in Secure Environments

While PHP is by far the most popular framework for web development, according to BuiltWith Trends (2011) its popularity is actually in decline; the graph posted on the PHP.net website is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails, Adobe Flex and Microsoft Silverlight are gaining larger market share (BuiltWith Trends, 2011). On the other hand, the PHP framework is being actively developed and supported, so its popularity does not play a major role when discussing the security of the environment.
When discussing secure e-commerce environments, in many cases the choice of the development language itself is not the major influencing factor in the overall security stance. In many cases, attackers target misconfigured or outdated services rather than trying to exploit a vulnerability such as a buffer overflow in the language interpreter (Verizon RISK Team, 2011). Moreover, the Open Web Application Security Project (OWASP) Top 10 web application security risks highlight the fact that the majority of exploitable vulnerabilities are related either to the web server, such as misconfiguration and insufficient transport layer protection, or to the security awareness of the software developers, such as injection, cross-site scripting and insecure direct object reference (OWASP, 2010).
Security awareness of software developers is considered by many security experts to be the main factor impacting the risk exposure of a web application (Dafydd Stuttard and Marcus Pinto, 2011). Let's consider SQL injection as an example: while the SQL injection vulnerability was first documented in 1998 (rain.forest.puppy, 1998) and ranked as the number one security risk by the Open Web Application Security Project (OWASP, 2010), code such as the following (potentially vulnerable to SQL injection):
$sql = "SELECT * FROM products WHERE productCode='" . $prodcode . "'";
still appears in the university lecture notes (Laureate Online Education, 2007).
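To make the defect concrete, here is an added example (written for this post, not taken from the original or from the cited lecture notes) that runs the concatenated query from above beside its parameterised PDO form against a small in-memory SQLite table constructed in the script. It assumes PHP with the pdo_sqlite extension; the product codes are made up.

```php
<?php
// Added example, not from the original post or the cited lecture notes:
// the string-concatenated query beside a parameterised PDO query, both run
// against an in-memory SQLite table constructed here so the script is
// self-contained (requires the pdo_sqlite extension).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (productCode TEXT, name TEXT)");
// Constructed rows; the second code legitimately contains an apostrophe.
$db->exec("INSERT INTO products VALUES ('ABC123', 'Widget'), ('O''NEIL-7', 'Gadget')");

// Same shape as the lecture-note snippet: the user-supplied value is spliced
// into the SQL text, so a quote character in it rewrites the query itself.
function lookupConcatenated(PDO $db, string $prodcode): array {
    $sql = "SELECT name FROM products WHERE productCode='" . $prodcode . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so the database never parses it as SQL.
function lookupPrepared(PDO $db, string $prodcode): array {
    $stmt = $db->prepare("SELECT name FROM products WHERE productCode = :code");
    $stmt->execute([':code' => $prodcode]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach (['ABC123', "O'NEIL-7"] as $input) {
    try {
        $concat = json_encode(lookupConcatenated($db, $input));
    } catch (PDOException $e) {
        // The apostrophe closed the string literal early: the query's structure
        // was changed by its input, which is precisely the injection condition.
        $concat = 'SQL error: ' . $e->getMessage();
    }
    printf("input %-10s concatenated => %s\n", $input, $concat);
    printf("      %-10s prepared     => %s\n\n", '', json_encode(lookupPrepared($db, $input)));
}
```

The first input behaves identically in both functions; the second makes the concatenated query fail with a syntax error while the prepared statement returns the matching row. The lesson for code review is that any query whose text is assembled from request data has this property, whatever the language, and the fix is to bind parameters rather than to escape harder.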
Organizations such as the PHP Group and the PHP Security Consortium provide guides on securing PHP deployments and on secure code development using PHP. In addition, the guide (PHP Security Consortium, 2005) covers topics such as input validation, databases and SQL injection, session management and issues related to shared hosts.