security Archives - Scott S Nelson

WebLogic Server, Apache Commons and You

November 11, 2015Scott S NelsonLeave a comment

Oracle released Security Alert CVE-2015-4852 last night, their official security response to a much-publicized vulnerability with certain usage of the Apache Commons library with the major J2EE application servers.

If you have access to the Oracle Support Network, the best reference is https://support.oracle.com/rs?type=doc&id=2076338.1.

For an Apache POV of the situation, I suggest https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread.

Infoworld has a calmer dissertation of the issue at http://www.infoworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html.

I personally heard about this first from /., where this is an informative thread (with the usual trolling between) at http://developers.slashdot.org/story/15/11/08/0346258/vulnerability-in-java-commons-library-leads-to-hundreds-of-insecure-applications.

Early Morning Security Ramblings

June 10, 2010Scott S NelsonLeave a comment

Posting it here for those that don’t belong to LinkedIn or subscribe to Answers there:

Q: Which Tastes Better for Security, Java or .NET?

Both this two languages are safe by security point of view with their own levels, but which one tastes better w.r.t your working experience?

A: As others have noted, the security of the individual applications written in these languages depends on the development approach used. The next level from their is the application servers, which really depends on the app server vendor for Java and again back to the developer and the server admin. And, of course, the servers sit inside an operating system, which adds another layer of vulnerability. This is point where the earlier poster who noted that Microsoft is more often the target comes in to play. Microsoft is more often targeted, which increases the likelihood of someone trying to break in. However, the biggest threat is admins and/or policies that prevent keeping up to date on patches. Then there is the architecture as a whole, where there are points in the network, structure of the firewalls and accessibility of data. There are still plenty of admin servers that have the default log in credentials set.

Then again, the vast majority of real digital break ins come from the hacker knowing passwords in advance, which is an issue that is platform independent 🙂

My Session Has Fallen and I Can’t Get Out

August 16, 2009Scott S NelsonLeave a comment

Ran across on question on LinkedIn today and thought the answer belonged here as well…

Q: (paraphrased for grammar) How to automatically redirect to the login page after a session time out?

A: Assuming that there is a security session that is separate from your server session, you can add a hidden AJAX component that checks every n seconds and redirects when the session is closed. When you do this, you need to include in your keep alive call an appended parameter that is incremented or changed randomly each time or else you may get a cached response from the browser and miss that magic time out moment.

If you need to know if the session of the same application on the same server has timed out, there is a chicken and egg paradox as any call to the server to check if the session is still alive will keep the session alive, so it will never time out. I’ve heard of applications that have worked around this, but have not had to research it out as the requirement always resolved to a security session timing out that lived on another server (as described in the first paragraph) or the that simply have the page go to the login page on the next click after the timeout was acceptable.

To go to the login page after the next click in a timed out session, simply fill in the security node of your web.xml completely and the web server will do the rest.