Audit Guide for Web Based Applications.docx
- Document ID: 2892469
- Uploaded: 2022-11-16
- Format: DOCX
- Pages: 37
- Size: 35.26KB
Audit Guide for Web Based Applications
Web Servers
The World Wide Web (WWW) provides a mechanism to link pages with content to other related pages over the existing Internet. Currently, most web servers provide read access to a file system of HTML files (static content) or to a database serving active content. Active content uses interpreted and binary code that executes in the browser. Commercial web servers have become very large, complex code bases, and that code base is itself part of the attack surface an audit has to consider.
Java and JavaBeans
Java is a programming language developed at Sun Microsystems to program consumer products. First launched in 1995, it was in 1996 that Java really gained strength. Java is loosely based on C++. It was stripped down to a bare minimum in order to be compatible with the limited space the chips in handheld devices would offer, and was designed to allow programmers to more easily support dynamic, changeable hardware.
Java is compiled and then interpreted: source is compiled to platform-independent bytecode, which the Java virtual machine interprets, or compiles just in time, at run time; that is how its portability is achieved. Java applets are bytecode downloaded and executed within a browser. Most browsers and servers support Java runtime interpreters and just-in-time compilers. Applet bytecode is checked by a verifier before it runs and, unless the applet is signed and explicitly trusted, executes in a sandbox that restricts file and network access.
JavaBeans is Sun's component architecture and API set for building reusable Java components. The JavaBeans component model provides component interface publishing and discovery, event handling, persistence, layout, and application-builder support. Using JavaBeans, developers define independent components that can be reused in a variety of ways to create new browser, and even non-browser, applications.
ActiveX and Active Desktop
ActiveX is Microsoft's component strategy for building Windows applications and browser-based applets. ActiveX is based on Microsoft's Object Linking and Embedding (OLE) object standard and Component Object Model (COM). ActiveX enables software components to interact with one another in a networked environment, regardless of the language in which they were created. ActiveX uses binary object code, instead of Java's bytecode, that is downloaded into browsers. Because an ActiveX control is native code, it runs with the full privileges of the user running the browser; there is no bytecode verifier or sandbox comparable to the Java applet model, so the trust decision rests on code signing and the user's willingness to accept the control, not on containment. JavaBeans and ActiveX are competing for the same computing space.
An Active Desktop utilises ActiveX on the desktop (browser) and server (Active Server). Microsoft's Internet Explorer browser incorporates this technology. This allows the browser to pull and push data depending on the application. The Active Server stores a user's personalised information. When certain business events transpire (e.g., new mail messages, document updates), the browser is notified and selects the proper function.
Intranet Shortcomings
Since most computer security statistics show that over 80% of all computer-related fraud is committed by insiders, the Intranet threat is higher than the threat from the Internet. A properly administered commercial firewall with a stringent security policy and some ancillary products will combat most Internet threats (e.g., hacking, denial-of-service, viruses). The real security problem with most corporations is inside the firewall. Insiders often have a motive to strike against a company. Insiders often have direct physical access to the computer and familiarity with the resource access controls. The principal threat at the application level is the abuse or misuse of authority by authorised personnel. The network-level threat is due to the fact that the insider has physical access to the LAN, which gives him or her the ability to view sensitive data traversing the network (e.g., packet sniffing or man-in-the-middle attacks). Although insiders cause more damage than hackers do, the external hacker problem remains serious and widespread.
CGI scripts written in interpreted rather than compiled languages, such as Perl or shell scripts, are particularly vulnerable to hacking, because input supplied by the client can end up being interpreted as code or as shell commands. By submitting unanticipated input data to a CGI script (for example, shell metacharacters such as ';' or backquotes in a form field that the script passes on to a shell), hackers can get the server to mail them password files, set up Telnet sessions to secure resources, or gain access to useful configuration information. The weakness is not the language as such but untrusted input reaching an interpreter without validation.
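The following is an added example, not code from the guide, showing the CGI pattern the paragraph describes and its hardened form. The handler name, the sample query strings and the use of `echo` in place of a real back-end command (such as `finger`) are assumptions made so the block runs anywhere with a POSIX /bin/sh; the injection mechanism is the same one the paragraph warns about.

```python
"""Shell-metacharacter injection in a CGI handler: vulnerable and hardened forms.

Added example for illustration; handler names, query strings and the use of
`echo` as a stand-in for the real command (e.g. `finger`) are constructed.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample query strings, as they would arrive in QUERY_STRING.
BENIGN_QUERY = "user=alice"
HOSTILE_QUERY = "user=alice%3B+echo+INJECTED"   # decodes to "alice; echo INJECTED"

# Allowlist for a Unix user name: no shell metacharacter can match this.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_lookup(query_string: str) -> str:
    """The classic CGI pattern: interpolate client input into a shell command.

    Everything after ';' in the parameter is run as a second command, which is
    how a hostile request makes the server execute arbitrary programs.
    """
    user = parse_qs(query_string).get("user", [""])[0]
    cmd = "echo user: " + user          # stands in for "finger " + user
    return subprocess.check_output(cmd, shell=True, text=True)


def hardened_lookup(query_string: str) -> str:
    """Validate against an allowlist and never hand the value to a shell."""
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME_RE.match(user):
        # Reject rather than 'clean' the input: a refused request is auditable.
        raise ValueError("invalid user name in request")
    # Argument-list form: the value is a single argv entry, never shell syntax.
    return subprocess.run(["echo", "user:", user], capture_output=True,
                          text=True, check=True).stdout


def hardened_rejects(query_string: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_lookup(query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_lookup(BENIGN_QUERY).strip())
    print(vulnerable_lookup(HOSTILE_QUERY).strip())   # second line shows the injected command ran
    print("hardened rejects hostile query:", hardened_rejects(HOSTILE_QUERY))
```

When auditing a CGI script, look for exactly the first pattern: a string concatenation or interpolation that feeds `system`, backquotes, `open` with a pipe, or `eval`; the fix is the allowlist plus the argument-list call, in that order.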
Intranet web technology is ideal for giving users quick, easy access to internal documents and data. The openness of the technology means that special care must be taken to ensure that the wrong people don't get into unauthorised information or applications. The web technology does not by itself provide adequate mechanisms to control access to corporate information. This is due largely to the stateless nature of HTTP and the lack of mechanisms to delegate the user's identity and rights to back-end systems (i.e., there is no end-to-end security). The web server is not acting on behalf of the user, but as a single superuser to access back-end legacy systems, so every access decision the back end would have made for that user has to be made in the application instead.
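An added example, not from the guide, of what the "single superuser" arrangement means in code: one shared database connection stands in for the privileged account the web server uses to reach a legacy data store, and the two handlers show a request path that forgets to re-apply the browser user's rights beside one that binds the session identity into every query. The schema, sample rows and handler names are constructed for illustration.

```python
"""Per-request access control when the web server reaches the back end as one
privileged account. Added example; schema, rows and handler names are constructed."""
import sqlite3
from typing import Optional

# One connection, opened once with full rights and reused for every HTTP request:
# the back end never learns which browser user is asking, so it cannot say no.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
    INSERT INTO documents VALUES (1, 'alice', 'alice salary review');
    INSERT INTO documents VALUES (2, 'bob',   'bob project notes');
""")


def vulnerable_get(doc_id: int) -> Optional[str]:
    """Only the document id comes from the request. The shared account may read
    everything, so any logged-in user can fetch any document by guessing ids."""
    row = DB.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def hardened_get(session_user: str, doc_id: int) -> Optional[str]:
    """Bind the authenticated session identity into the query itself: the
    application performs, per request, the delegation the protocol lacks."""
    row = DB.execute(
        "SELECT body FROM documents WHERE id = ? AND owner = ?",
        (doc_id, session_user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # bob's session asking for alice's document
    print("vulnerable:", vulnerable_get(1))        # returns alice's data
    print("hardened:  ", hardened_get("bob", 1))   # None: not bob's document
```

The audit question for each back-end call is therefore "where does the current user's identity enter this query?"; if the answer is "nowhere", the shared superuser account is doing the work and the check is missing.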
Client-server vs. Web
Traditional client-server development environments can rely on persistent connections between clients and servers. Web communications using HTTP are intermittent, meaning that they are constantly being established, torn down and re-established as the browser