
308 Chapter 5 • Communication Security: Web Based Services

such as buffer overflows, which might have been missed if the code had been made available on the site. It is best to use a server dedicated to testing only. This server should have the same applications and configurations as the actual Web server and should not be connected to the production network.



NOTE
Any programs and scripts available on your site should be thoroughly tested before they are made available for use on the Web. Determine whether the script or program works properly by using it numerous times. If you are using a database, enter and retrieve multiple records. You should also consider having one or more members of your IT staff try the script or program themselves, because this will allow you to analyze the effectiveness of the program with fresh eyes. They may enter data in a different order or perform a task differently, causing unwanted results.





Code Signing: Solution or More Problems?

As we mentioned earlier in this chapter, code signing addresses the need for users to trust the code they download and then load into their computer's memory. After all, without knowing who provided the software, or whether it was altered after being distributed, malicious code could be added to a component and used to attack a user's computer.

Digital certificates can be used to sign the code and to authenticate that the code has not been tampered with, and that it is indeed the identical file distributed by its creator. The digital certificate consists of a set of credentials for verifying identity and integrity. The certificate is issued by a certification authority and contains a name, serial number, expiration date, copy of the certificate holder's public key, and a digital signature belonging to the CA. The elements of the certificate are used to guarantee that the file is valid.
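The following Go program is an added example, not code from the book: using only the standard library, a constructed root CA issues a software vendor a certificate carrying the elements listed above (holder name, serial number, expiration date, public key, and the CA's signature); the vendor signs a file, and the user's check rejects a file altered after signing, an expired certificate, or a certificate from a CA the user does not trust. The CA name, vendor name and serial numbers are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a certificate with the elements the text lists (holder name, serial number, expiry date, public key) under the issuer's signature; parent == nil self-signs (the root CA).
func newCert(name string, serial int64, now time.Time, pub ed25519.PublicKey, parent *x509.Certificate, issuerKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // the root CA vouches for itself
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// SetupPKI builds a constructed root CA for the user's trust store and has it issue the vendor's code-signing certificate (constructed names and serials).
func SetupPKI(now time.Time) (*x509.CertPool, ed25519.PrivateKey, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := newCert("Example Root CA", 1, now, caPub, nil, caKey)
	vendorPub, vendorKey, _ := ed25519.GenerateKey(rand.Reader)
	vendor := newCert("Example Software Vendor", 1001, now, vendorPub, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, vendorKey, vendor
}
// SignCode is the vendor's side: sign the file bytes before distributing them.
func SignCode(code []byte, key ed25519.PrivateKey) []byte { return ed25519.Sign(key, code) }
// VerifyCode is the user's side: chain the certificate to a trusted CA (which also checks the validity period and code-signing usage), then check the signature over the file as received.
func VerifyCode(code, sig []byte, cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return err // untrusted issuer, expired certificate, or not a code-signing certificate
	}
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), code, sig) {
		return errors.New("signature mismatch: file altered after signing or not signed by the holder")
	}
	return nil
}
```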



NOTE
For more information about how digital certificates work, see Chapter 10, "Public Key Infrastructure."





          www.syngress.com