Choosing the right domain name and the best registration option are the first items to settle when planning a website, and the process is rarely painless. The most dependable way to make sure your requirements are met is careful preliminary research. Reviews of domain hosting providers help, but only once you know what you are actually looking for; as with any business decision, decide first which points matter to your business. Using one company to both host the website and register the domain name is a popular choice. Remember that once the site is live, extras such as customer service can become critical.
Testimonials on the hosting provider’s own website are not enough to go on; you need an objective appraisal before choosing. Take the time to read several independent domain hosting review sites and weigh the customers’ feedback. What are the most common complaints, if any? What do current customers consider the company’s strengths? Is the overall tone positive or negative? Every company attracts both good and bad feedback, so read all of it with an open mind and weigh it together. Pricing is certainly a critical factor, but the goal is the best value for money, not simply the lowest price. A few questions to consider when deciding on a provider follow.
Does the company offer round-the-clock support on a free telephone line, and is there evidence that it responds quickly to complaints or questions? Are there limits on bandwidth? Some providers offer unlimited domain hosting and bandwidth as standard, and some add perks such as software packages or Google AdWords vouchers. How is payment arranged: must each payment be authorized individually, is there a less time-consuming option, and are yearly payments accepted? What is the procedure when a server fails? The answers to these questions can make or break your website. The choice is ultimately yours, but before settling on any company make sure you have properly assessed the alternatives. Studying the relevant domain hosting reviews now can save a great deal of time and money later.
How to be a Concerned Traveler
“To travel is to live,” said the Danish writer H.C. Andersen more than a century and a half ago, and the expression still holds today. Real travel is, naturally, the best, but reading travel books or blogs can bring inspiration and a free trip in your imagination, so if that is the only chance you have, go for it!
Being well prepared for your trip gives you a better chance of special experiences and of finding a good, not too pricey hotel. By learning about the place you want to travel to, you will also be able to find special spots of interest and remote attractions.
Travel books are a great way to read about different places, and you will find excellent travel books at bogudsalg, where the volumes are sold on good terms and the range of destinations is better than in most other book shops, online or offline. Books are not free, but if you want free information there are plenty of travel blogs on the internet, all free and many with rich information on most destinations around the world.
If you would like to write about your journeys, you can set up a blog describing your trips. It is quite easy: all you need is a web host, some blogging software and the time to publish your articles. Many travel blogs are written on the go, so that all the information is recent and up to date.
Depending on how you travel, you will need accommodation, be it a motel, a hotel or perhaps a motorhome, and using the internet it is easy to reserve a hotel in advance, often at lower rates than if you simply check in at the hotel.
The first step in building a website is choosing the most suitable domain and the best registration option for your particular niche, and this is not an uncomplicated process. When you are struggling to identify the right provider, researching the company through domain hosting reviews is likely to prove a necessary step.
When you read domain hosting reviews, how do you tell which information is useful and which is not? Make no decisions until you have settled which features are crucial to your business model. One option is to host your website with the same provider you register your domain with. Keep in mind that once your website is live, features such as customer support are likely to become very significant. A customer review found on the provider’s own website is not a sensible basis for a decision; to find the best registration for you, you need an impartial assessment. Make the time to read as much client feedback as possible and weigh what all the clients have to say. Do the same issues come up again and again? What are the provider’s weak points? Do positive reviews outweigh the negative ones? Expect to read both good and bad comments; keep an open mind and go through whatever information you can find. The importance of pricing cannot be forgotten, but what matters is the best value for your money. To help you choose, here are several points you may want to cover.
At what times of day does the company you are researching provide customer support? Is there a toll-free phone number, and do the reviews suggest that they answer quickly? Exactly how much bandwidth would your plan allow? Some providers include unlimited domain hosting and bandwidth as part of a package, along with other perks.
How is the payment plan set up? Is it automatic, or can you pay yearly? What support is offered when a server goes offline? The answers to questions like these are critical for your company.
Only you can select the best hosting for your company’s needs, but before you settle on any company, make sure you have a full grasp of your options. Remember: reading the relevant domain hosting reviews gives you the chance to save time and money later.
Everybody is familiar with browsing the net with search engines in 2009, since they let us find websites so quickly. This is essential, but search engine results are not compiled by actual people; they are produced by an algorithm. Why does that matter? Imagine you are searching for a pub in Leeds, for example. You would type this key phrase into Bing (say), and a list of search results would appear. How can you know those results are reliable if they have not been filtered by a human editor? Part of the answer is that search engines use human-edited website directories as one of their filters.
Directories still play a part on the web, and the most discriminating directories are edited by people. A human can recognise that (for instance) a restaurant has been awarded a Michelin star and that this is an encouraging signal. A good online directory receives a number of submissions every day; an editor reviews each entry, and if the editor is satisfied that it meets a set standard, it is added to the directory. This is why Google still values internet directories. Both the Yahoo! Directory and dmoz.org are consulted by search engines as signals of whether a website is trustworthy, because they are edited by people and have strict rules for entry.
So do not underestimate the significance of website directories just because almost everyone uses search engines to find things. A directory with strict guidelines can be a good yardstick of how trusted a website is. If you are a website owner, try to get your site included in a niche directory, such as a construction directory, a self-catering directory or a beauty directory.
As long as people want signs of trust, the web will rely on individuals to give their stamp of approval, and so directories will always play a part.
We must admit that we were extremely impressed by the Zippy.com.au website and couldn’t wait to see what we’d find in their insurance quotes section. Our favourite feature of this website was its simplicity. It is not hard to obtain five quotes here, as the site lets you fill out one form and then compare an assortment of quotes from multiple providers.
Our reviewing team appreciated the easy-to-navigate site that didn’t take ages to load, a huge plus.
Zippy.com.au is operated by:
Zippy.com.au Pty Ltd
ABN: 281 3833 9429
www.zippy.com.au
Phone: 07 31030183
Fax: 07 3036 6860
Suite 163, 192 Ann St, Brisbane, Queensland 4000, Australia
Zippy coined the motto ‘Fast, Easy, Zippy’ and they deliver! After completing a quotation form, the phone rang within five minutes and we found ourselves talking with Budget Insurance, who managed to beat our existing car insurance premium.
We really liked the way Zippy.com.au keeps things simple while maintaining a professional and informative car insurance quotes site.
As well as car insurance you can use Zippy to compare house, life and business insurance, but in our opinion car insurance appears to be their focus.
Although it serves all of Australia, the site focuses on Brisbane, NSW, Melbourne, Hobart and Perth.
The main page of the site is unusual but well laid out. The index page consists of a main image and paragraph, with two sections underneath.
On the right of the page are quick links to some useful little tools. These include a few estimators, the most satisfying of which calculates a car’s value.
The site’s colours are dark blue and money green on a classic white background, consistent with the Zippy logo.
Zippy.com.au’s logo is fashionable and simple; I thought the colours described the type of company well and looked professional. The page layout is neatly organised, and pages follow a consistent two-column design with the main details at the top.
The Zippy.com.au website effectively meets customer needs and provides a great range of Australian insurance companies to choose from. With the same technology, it is likely that Zippy could extend its services to other countries.
Zippy is well worth bookmarking.
The El Gordo Lotería is Spain’s national lottery, and if that’s all you happen to know, here is some further information. With total payouts of more than two and a half billion euros, the El Gordo lottery offers one of the richest prize pools worldwide. But that is not where it ends; there is a lot more you should know. In this lottery the odds of winning something are a stunning one in six, with more than 13,000 different prize amounts. Astonishing odds compared with most other lotteries.
One draw is made every month. Three times a year there are special draws with even larger prizes. The richest of all is “El Gordo” (“the fat one”), held around Christmas, while the other two special draws take place in January (“El Niño”) and in summer (“San Ildefonso”).
Unlike typical lottery draws, the El Gordo lottery uses balls carrying five digits apiece, ranging from 00000 to 84999. One ball is drawn from each of two drums: the first gives the winning number, while the second gives the prize that number is worth.
Thinking of entering? There are two choices. You can purchase a full ticket, called a “billete”, or you can choose a cheaper option known as a “décimo”, worth one tenth of a full ticket. Unfortunately, both are costly ways to play, and neither increases your prospects of a win. Because of this, e-lottery syndicate systems have been set up.
With this system you are sure to win a prize. Buy into the El Gordo lottery syndicate and you will be placed in a team. Each team is assigned an identifying number from 1 to 9, and the last digit of the winning number in the draw identifies the team that wins the prize. That money is distributed among the team’s members. In time for the next month’s lottery the syndicate offers subscriptions again, and the e-lottery continues.
Sharing the pot is a cause for concern to some players. The thing is, there is still a lot of money to share out when the original prize pool was over two and a half billion euros. There is no need to worry with this system, as you will win a share of a prize every month, and a place in the syndicate is the more cost-effective approach to playing. The e-lottery syndicate is the truly smart way to go.
Please visit our website for more e-lottery syndicate system ideas.
Hosting plays a large part in the success of a web development project, which is why the choice of server has to be an informed decision: weigh the benefits of each option against its drawbacks.
Dedicated servers are more expensive, and this is probably their most important drawback. It is impractical to spend hundreds of dollars a month on hosting unless it is really necessary.
Technically, dedicated servers offer no direct SEO benefit: search engine crawlers neither care nor check whether your website sits on a dedicated server. There are, however, a few indirect advantages. For a start, there is no risk of your website sitting in a ‘bad neighborhood.’ With shared hosting, hundreds or thousands of websites share the same server and IP address, and you have no control over the quality of the sites you share it with.
For those who care about white-hat SEO, reputation matters. Plenty of webmasters are constantly looking for the fastest way to attract visitors, so it is safe to assume that, of the thousands of sites on a shared server, some will be ‘problematic.’ Even if you always follow the rules, you may still pay for belonging to the wrong neighborhood.
Then there is page load speed, which shared hosting usually compromises. Search engines now pay attention to page load times because they want to offer their users the best-performing websites and a better browsing experience.
A dedicated server addresses all of these: you get full control over the machine, and reliability and performance are more predictable because no other sites compete for its resources. Full control also means the patching and hardening of that machine become your responsibility rather than the hosting provider’s.
The very first task when building a website and a robust Internet presence is choosing a relevant domain and the best registration option for your particular market. It is generally unwise to take this kind of decision without informed help, and the easiest way to make sure your requirements are met is careful research of domain hosting providers through review sites. When you study domain hosting reviews, how do you establish what you are actually looking for? As with any sound business decision, decide first which features are essential to you. A popular alternative is to host your site with the same provider you register your domain with. Customer support is another important consideration, one that can affect you long after the domain is registered. A review published on the provider’s own site is not a sensible basis for a decision; to find the most suitable registration for you, get an unbiased opinion. Take the time to study several domain hosting review sites and consider the customers’ comments. Do some problems recur? What do current customers think of the company? Is the overall feedback positive or negative? As with any business, you will find both good and bad reviews; study them all with an open mind and take everything into consideration. Pricing has to be a determining factor, but consider what extras are offered for the price. Here are a few questions to follow up when deciding on a company.
At what times of day does the company offer client support? Is there a toll-free number, and is there evidence that they respond quickly to issues or inquiries? What about bandwidth? Some providers include unlimited domain hosting and bandwidth as standard, and some offer perks such as software and a variety of rebates.
What payment options are on offer? Must each payment be approved individually, is there a less time-consuming option, and can you pay yearly? What will they do in the case of a server failure? The answers to these questions could be essential for any company.
In the long run, only you can decide the best hosting for your site, but make sure you have properly weighed all the alternatives. Reading the applicable domain hosting reviews is an essential way to save a great deal of time and effort.
Let’s begin with the benefits of a tableless layout. They are listed in the order I feel they belong; some matter more to some people than to others, so rank them as you will.
Forces You To Write Well-Formed Code
You cannot have a properly made tableless layout and use improper, non-standard code. Well, technically you can, but it defeats the whole purpose. When you create a tableless design you should be using standards-compliant code, and I think anything that gets you into the habit of always writing clean code is a good thing.
Faster Loading Time
This is definitely a benefit of a tableless layout, for several reasons. First, at a fundamental level, tables render slowly: unless you set the height and width of your table elements, all of the text has to be loaded and laid out BEFORE the table sizes itself to the page. Of course, that easy sizing is exactly what so many people loved about tables; the downside is how much longer they take to render.
So the fix for that rendering time is to set all the values explicitly, right? That exposes another downside: code clutter that increases loading time. Tables take a lot of code just by themselves. How many td open and close tags does the average table-based layout have? Tons. Setting every value explicitly only adds to the page size and loading time. Several experiments have been done on this; one, by Stopdesign, remade the Microsoft website from a table-based site into a tableless layout. The remake showed a 62% reduction in file size, and using the average monthly hits for the Microsoft site, Stopdesign calculated that Microsoft would save 924 gigabytes of bandwidth per day and 329 terabytes per year. For any company that pays for bandwidth, these numbers matter.
Easier to Read Code
If you use standards-compliant code, semantic document conventions and a tableless layout, your markup can be so clean that it reads almost like plain text with a few extra symbols.
That is a great benefit because it not only makes the site easier for you to update, but also makes it easier for a non-technical user to make small changes. If you work as a freelance web developer, it is also common for a full-time developer to take over maintenance of the site; clean, readable code makes that an easy transition. We like it when people leave us easy-to-understand code, right? Let’s return the favor.
Print Alternate Views
When you build a page with a table layout, you are unfortunately locked into a particular arrangement. Developers who have built table-based websites, as most of us have at some point (particularly anyone who was in the industry before the big tableless movement), know that you often have to create a separate printable version of each page. Needless to say, this is tiresome.
Easy control of print styling is a huge benefit of a tableless layout: you can create one print stylesheet that applies to all your pages instead of making printable versions individually. That alone is a huge time saver, but there is more.
You can control every element this way, but the key is the organization of information within the page itself. Suppose we want all our pages to print in the following order: the page header first, then the content, then the special news, then the link list, and the footer last. But we still want the page to display as usual on screen (header at the top, links on the left, content in the middle, news on the right, footer at the bottom). With a table-based layout you would have to create a new page for that print order, because the print style reads your columns left to right. With a tableless layout you are not bound by this: you can order the content in the page however you like and still control how it looks, using CSS alone.
Because we can put the content in whatever order we want in the HTML and then move the blocks around for on-screen viewing with CSS, we have full control over presentation.
That matters because clean code and the ability to alter presentation mean your site can be viewed on a small mobile phone screen or a PDA, and in all-text form it can work well for someone using a text-to-speech reader or a braille device. Since the code is clean, it is both backward compatible (older browsers see mostly just the text) and forward compatible with technologies to come. This flexibility and organization lets you build a powerful website that takes advantage of the possibilities of XHTML, adds support for microformats, or uses RSS/Atom feeds from your site to build a base of regular readers.
Search Engine Optimization
Because you can put your most important content at the top of your page without affecting the layout, your page can be better optimized for search engines. For instance, say I have a navigation bar on the left side of the page listing many parts of the site that are actually great keywords. I can move that navigation code higher in the actual HTML without changing the layout, because CSS positions the navigation where I want it.
Search engines can also find the common words in your document more easily without having to filter through code. Search engines favor pages with a higher content-to-code ratio, so putting all your styling into an external CSS stylesheet makes your site look highly content-based to a search engine. Tableless layouts, as mentioned above, also reduce page size and loading time, another plus for search engines.
Additionally, the RSS/Atom feeds mentioned in the section above can feed into a site-indexing format called ROR (an XML summary of your website, similar to a sitemap, that search engines can read for additional information about your site).
Presentation Flexibility
Making changes to a CSS-based tableless layout is simple. You alter only the CSS file, changing as many styles and graphics as you like; the effects cascade through every page on your site, eliminating the need to update many pages by hand.
For one of the best-known examples of how powerful presentation can be, visit the CSS Zen Garden (link at the end of the article) and navigate through the ‘Select a Design’ links to see the differences. Every design uses exactly the same HTML content; the only thing that changes is the CSS file.
Selling Yourself On Standards
Sometimes knowing how to code to standards and create flexible tableless layouts is not enough. Some web designers meet resistance from their management, most often because management is unaware of the benefits of tableless, CSS-driven layouts.
If you want to design for standards but work for a company that is not forward-thinking enough to allow you the time for the changes, try this: make them think about their pocketbook, and point out the cost savings.
For instance, take a single page of existing code and clean it up to standards. Compare the page size to the original (including image optimization) and count the bytes saved. Multiply that across the number of pages on the site and the number of days per month, then explain how much bandwidth cost would be saved monthly if this were done across the whole site. If that is not enough, show how quickly you can change a website once it is CSS-driven, and make the case that you will be able to roll out updates faster and have more time to add new functionality instead of spending your time on maintenance.
Summary
Hopefully this short article will get you started on understanding why to use a tableless layout and what the benefits are. You can look at Layout Gala (link below the article) and download one, or all 40, of its tableless layout examples to get going. The best first step toward a tableless design, however, is to move your website slowly toward a standards-compliant version before you remove the tables. To get there, study as much CSS as you can and read the articles here and elsewhere on the web; moving from table layouts to tableless will then be just a matter of time.
Note: View the original article, including all 9 image examples.
Links mentioned in the article: CSS Zen Garden, Layout Gala.
Nicole Hernandez is a web developer with a specialty in web standards and accessibility. She is the owner of Website Style and publishes technical articles on her blog called Beyond Caffeine.
Trends and Findings
Over the last few years we have identified a number of common features and trends in system security, malicious attacks and general web application testing. Several of the security testing issues are of interest and can be addressed over time through a targeted approach.
In the last 18 months we have performed incident response and incident management for a relatively large number of large clients. From this it is apparent that approximately 50% of the compromises took place through application-level attacks. In general terms, the root causes were:
1. Vendor-provided software (both off-the-shelf and custom) containing insecurities and software vulnerabilities that the customer was unaware of
2. A single misconfiguration resulting in a full compromise, indicating that a defence-in-depth strategy was neither designed nor implemented
Other points we have observed are that:
Server and operating system level attacks are tending to plateau, with larger companies significantly worse than smaller ones at managing both vulnerabilities and insecurities.
There were relatively few “zero-day” attacks; most attacks were the result of automated tool scanning.
Detection of attacks was in the main abysmal, with compromises detected only because systems started behaving aberrantly.
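The two findings above, that most attacks came from automated scanners and that almost none were detected until a system misbehaved, are the kind that a very small amount of detection logic over the web server’s own access log would have changed. The following is an added example, not code from the original report: it parses combined-format access log lines and flags hosts whose traffic looks like scanning. The log lines are constructed, and the probe-path list and the thresholds are illustrative assumptions rather than values taken from the text.

```python
"""Flag hosts whose request pattern looks like automated vulnerability scanning.

Added example, not part of the original report. The access-log lines are
constructed in combined log format; the probe-path list and the thresholds
are illustrative assumptions, not values taken from the text.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths real users rarely ask for but scanners probe by the hundred
# (illustrative list, not an authoritative one).
PROBE_PATHS = {"/phpmyadmin/", "/admin/", "/wp-login.php", "/.env",
               "/cgi-bin/", "/manager/html", "/.git/config"}


def _line(ip, path, status):
    """Build one combined-format line for the constructed sample."""
    return (f'{ip} - - [10/Oct/2009:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/4.0"')


# Constructed sample: one scanner walking admin/config URLs, one ordinary visitor.
SAMPLE_LOG = [
    _line("203.0.113.9", "/", 200),
    _line("203.0.113.9", "/phpmyadmin/", 404),
    _line("203.0.113.9", "/admin/", 404),
    _line("203.0.113.9", "/wp-login.php", 404),
    _line("203.0.113.9", "/.env", 403),
    _line("203.0.113.9", "/cgi-bin/", 404),
    _line("203.0.113.9", "/manager/html", 404),
    _line("203.0.113.9", "/.git/config", 403),
    *[_line("198.51.100.7", p, 200) for p in
      ("/", "/about", "/products", "/products/1", "/contact",
       "/products/2", "/news", "/faq", "/login")],
    _line("198.51.100.7", "/old-page", 404),   # one stale link is normal noise
    "this line is corrupt and must be skipped, not crash the parser",
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scanner_report(lines, min_requests=8, error_ratio=0.5, min_probes=3):
    """Return {ip: summary} for hosts whose traffic looks like scanning.

    A host is flagged once it has sent at least `min_requests` requests and
    either most of them failed (status >= 400) or it touched at least
    `min_probes` distinct probe paths. Quiet hosts are never flagged, so a
    single 404 from a normal visitor does not trip the rule.
    """
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "probes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        if rec["path"] in PROBE_PATHS:
            s["probes"].add(rec["path"])

    flagged = {}
    for ip, s in stats.items():
        if s["total"] < min_requests:
            continue
        ratio = s["errors"] / s["total"]
        if ratio >= error_ratio or len(s["probes"]) >= min_probes:
            flagged[ip] = {"requests": s["total"],
                           "error_ratio": round(ratio, 2),
                           "probe_paths": sorted(s["probes"])}
    return flagged


if __name__ == "__main__":
    for ip, summary in scanner_report(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the constructed sample, only 203.0.113.9 is reported: eight requests, seven of them 4xx, all seven probe paths touched. The ordinary visitor’s single 404 stays below both thresholds, and the corrupt line is skipped rather than breaking the run. The two thresholds are the tuning knobs: on a busy site `min_requests` and `error_ratio` need to be set from a baseline of normal traffic, and the report is the input to an alert, not a block list on its own.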
We have also performed a large amount of network and application intrusion testing (penetration testing) over the last few years, with a number of emerging trends:
Infrastructure-level testing is finding fewer insecurities, largely due to improved vulnerability management.
A web application deployed by a fresh (new) client is likely to have a significant number of web application security issues, with everything from exposed databases through to SQL injection attacks being possible. Further testing over time indicates that an ongoing relationship with a security company for source code security testing reduces the number of insecurities in the web applications.
“The bigger they are, the harder they fall.” There appears to be a defined trend towards larger companies having more insecurities, particularly in the web application space. The root cause is unclear; however, there is a relationship with outsourcing and with the need for a large organization to “secure everything”. This applies to smaller companies too, but they tend to have significantly less infrastructure to worry about.
Certainly we have seen vulnerability management and analysis starting to be applied within organizations; however, it is only really the network, operating system and server levels that most companies are working on, largely because vulnerability scanning and remediation products and services have matured in this space. While tools in the application security testing space are maturing, they are still quite reactive and will take a number of years to be both mature and mainstream.
From the vulnerability research and analysis we have been performing, it is apparent that application development is still poor in terms of security. Not all of this can be blamed directly on the developers; with so much pressure to get product out the door, security is often given a back seat. We also need to train our software developers to code securely, and we are presently doing an abysmal job of it. Many of the application-layer vulnerabilities we see in both off-the-shelf and open source systems are merely new instances of already well-known vulnerabilities. How long have we known about buffer overflows and SQL injection? So why are we still seeing them? For further discussion, see Brett Moore’s Ruxcon presentation “Same bug, different app”.
As a final note for this section: as an organisation we are really good at application testing and source code analysis, but we hate being the ones who break a system two days before it is scheduled to go live. The statistics are clear: design security in during the early phases of a project and the cost and impact of remediation is far less than fixing it just before roll-out, and dramatically cheaper than fixing it once in production. We are starting to see compliance and security assurance climbing the systems development life cycle value chain. Long may it continue!
COTS
So who tests vendor products (Common Off The Shelf) for web application security issues before they are rolled into production environments? Particularly where it has previously been deployed into other client sites? Really? How many of you review source code security in code developed by your outsourcer and / or development team?
We have seen the good and the bad in this space. In a number of cases we have tested and broken web applications that are in widespread use around the world, and have found them seriously lacking. This is not necessarily just a plug for how good we are; it is more an indictment of the lack of application security testing performed by other companies that have purchased and implemented these products. Really guys, some of the attacks and exploits were just plain basic…
The message really is to at least do a source code review where possible, or an application intrusion test where you can. COTS systems are not automatically secure simply as a result of how widely they are deployed. If you are concerned about the security of a product, get the developers to release the source code to you for assurance and testing. Based on our findings, at least 20-30% of web applications (either COTS provided or outsourced) have significant vulnerabilities.
What about your outsourced application development? Of course you do realize that you are accountable for poor software security and are performing source code audits appropriately when code is delivered? Seriously though, there is a real lack of due diligence in reviewing delivered systems at either the application or source code level, for which we believe the primary reason is a lack of applied accountability, and (up until recently) this stuff hasn’t necessarily been cheap to test. The other big issue that we find is a general lack of security testing standards, and security standards in application development.
Products and tools are getting to the point where it is now possible to perform reasonable compliance checks and security audits against vendor / outsourcer provided systems without the inherent costs associated with manual source code audits. Measure their performance! Accountability is not something that can be outsourced easily, and reasonable practice is to ensure that your contract with your vendor / outsourcer at least includes your expectations of web coding standards and practices (or at least review and scrutinize theirs), and to perform some form of compliance checking of these standards against the delivered code. How otherwise do you know whether the delivered application is secure? Blind trust and faith?
Open Source
There has been some significant debate over the security of closed versus open source systems, and it is clear that, in the web application security space particularly, there do not appear to be any significant differences. From our code reviews using CodeScan, the numbers of issues found in COTS products and Open Source appear on the surface to be similar.
Across Open Source applications that we have tested with CodeScan, we are finding all of the common suspects; Cross Site Scripting is rampant, and SQL Injection is still there to degrees that are kind of interesting. And these systems are deployed and exploited globally. We will be releasing advisories and statistics against our vulnerability findings in open source web applications, particularly in the ASP and PHP space shortly, so watch this space!
A couple of really interesting issues arise from the use of Open Source applications. While it is an important way to place useful applications into the online space, it is apparent that the degree of security scrutiny placed on these web applications is insufficient. In the main, contributors to these projects are focused on the application functionality and features, and security issues do not get the level of attention or audit that is warranted. Part of the cause for this has been a lack of compliance or automated tools that can provide a quick return on the problem; that was one of the driving forces behind our developing CodeScan for our own use in automating some of the source code analysis.
The other really interesting issue that arises from the Open Source community is that a high proportion of development teams globally use “cut and paste” techniques to include functionality into their own application development. This has the advantage of enabling relatively quick software / web application developments to occur, but the other edge of the sword is that it may also duplicate potentially insecure code. How many people really perform source code audits against the code they are importing to determine that they are not actually importing vulnerabilities into their application at the same time as they bring in functionality?
Tools and Trends
Proactive vs. reactive; bugs need to be squashed in development. There are a number of vendors, including ourselves, that are moving away from the more traditional reduction of exposures and issues and more into the prevention of vulnerabilities being developed in systems in the first place. Application vulnerability testing can be applied to production applications, and additional tools implemented to control the visibility and exploitation of software vulnerabilities (intrusion detection / prevention, application aware firewalls, patch management systems, etc), but these are all still reactive in nature. If you are trying to fix software security issues, why not develop it to be secure in the first place? Security At The Source is the only true proactive measure that is going to result in secure systems over time. Addressing security at the source code level with static compile time code inspection systems is likely to be one of the big emerging trends over the next 2-3 years.
Security policy driven testing is also emerging as a requirement trend. We are continuously seeing drivers in being able to test easily for standard and custom security policy in web application development. Why should customers put up with code that doesn’t even comply with either their own or their developers’ policies for secure development?
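To make the idea of static, policy-driven source inspection concrete (and the Cross Site Scripting and SQL Injection patterns noted under Open Source above), here is an added illustration that is not CodeScan's own logic: a minimal line-based taint scanner in Python, run over a constructed PHP sample. The source, sink and sanitizer lists form an assumed policy table, so the same scanner can be pointed at a customer's own coding standard by editing that table.

```python
import re

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")   # request data the user controls
VAR = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+?);\s*$")

# Assumed policy table (not CodeScan's): sinks that must not receive raw request data, and the functions this policy accepts as neutralising it.
POLICY = {
    "SQL injection": {"sinks": ("mysql_query",), "sanitizers": ("mysql_real_escape_string", "intval")},
    "Cross-site scripting": {"sinks": ("echo", "print"), "sanitizers": ("htmlspecialchars", "htmlentities", "intval")},
}

def open_issues(expr, tainted):
    """Issue categories for which expr still carries unneutralised request data."""
    issues = set(POLICY) if SOURCES.search(expr) else set()
    for var in VAR.findall(expr):                # taint inherited from earlier assignments
        issues |= tainted.get(var, set())
    for issue, rule in POLICY.items():           # a sanitizer clears only its own category
        if any(fn + "(" in expr for fn in rule["sanitizers"]):
            issues.discard(issue)
    return issues

def scan_php(source):
    """Line-based scan: returns (line number, issue, code) for each sink fed by tainted data."""
    tainted, findings = {}, []
    for lineno, line in enumerate(source.splitlines(), 1):
        for issue, rule in POLICY.items():
            hit = any(re.search(rf"\b{fn}\b", line) for fn in rule["sinks"])
            if hit and issue in open_issues(line, tainted):
                findings.append((lineno, issue, line.strip()))
        m = ASSIGN.match(line)
        if m:                                    # the assigned variable inherits the RHS's open issues
            tainted[m.group(1)] = open_issues(m.group(2), tainted)
    return findings

# Constructed PHP sample: SQL escaping on line 3 does not make $name safe for HTML output.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = mysql_real_escape_string($_POST['name']);
$sql = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($sql);
echo "Welcome " . $name;
$age = intval($_POST['age']);
echo "Age: " . $age;
echo htmlspecialchars($_GET['q']);
"""

if __name__ == "__main__":
    for lineno, issue, code in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {issue}: {code}")
```

Taint is followed only through simple `$var = expr;` assignments and any sanitizer call in an expression is taken to neutralise it, which is why a real analyser works on a parsed syntax tree rather than on lines; the point here is the separation of policy (sources, sinks, sanitizers) from the propagation engine.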
There is also a big trend away from static application testing prior to production toward incorporating security testing and compliance measurement throughout the software development lifecycle. There have been a number of studies done that identify this specifically, and the cost of repairing bad code in production systems has been shown to be high.
“It is about 40-100 times more expensive to fix problems in the maintenance phase of a program than in the design phase.”
There is also a strong tendency now to look at how security can be designed in, and tested as a part of the overall software test environment. Why not start testing code security at the prototype phase? Problems and issues associated with the design are a lot easier to pick up and rectify at that stage. We have seen (anecdotally) significant reductions in the cost of early security testing vs. testing at the “ready to go live” state. All too often, testing at the end results in a “we will fix the security in the next version” or similar lame excuse, with the security issues either not being addressed, or being exploited in production. Not great, but the situation definitely is improving.
Compliance management is probably going to be the next “big” driver for software compliance. Already we have seen more and more onerous regulations controlling auditing and reporting (Basel II, Sarbanes-Oxley), privacy (Gramm-Leach-Bliley, HIPAA, Australian Privacy Act), ISO 17799, and commerce (MasterCard / Visa AIS program); these are driving the adoption of comprehensive IT best practice guidelines, which have at their core the reliable audit and measurement of compliance with minimum baselines. As an example, the MasterCard SDP looks to testing for OWASP Top 10 vulnerabilities in bespoke or custom web applications. This trend is likely to continue, with compliance driving a number of behavioural changes within organizations and software development.
Final Summary
Today, in this environment, existing vulnerability scanning methods, including manual reviews, are just not going to cut it. Right now, as security professionals, we worry about these problems. As the new and emerging laws settle into established practice, look for security to embed itself firmly with quality assurance staff, application designers, and eventually the programmers themselves, to become more involved in managing software security and ensuring compliance.
Peter Benson is the CEO of CodeScan Labs and Security-Assessment.com.
CodeScan Labs is a sister company of Security-Assessment.com, and is firmly focused on software vulnerability research and subsequent development. Our flagship product is CodeScan Developer, which is designed for use by both developers and auditors in the testing of web application source code for security weaknesses.
http://www.codescan.com
http://www.security-assessment.com
Further resources available at http://www.security-assessment.com/tech-1.htm