All this talk of ways of cracking systems has me paranoid.

So what is the best way to pass a variable between 2 pages?

Using SSL, encrypting/decrypting a session variable (or CFID CFTOKEN)?

-----Original Message-----
From: Matt Liotta [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 10:52 AM
To: CF-Talk
Subject: Re: Securing CF Apps.

> That's precisely what I'm saying. Once deployed, the schema owner is
> disabled. Now of course an sa account exists, but an sa account will
> exist on every db server, just as an admin account exists on every
> OS. Furthermore, all client tool connections are disabled as well. The
> only thing that isn't locked down is SQLPlus, with an sa account,
> running from localhost.
>
The sa account is a schema owner. Now the part about sa access only
from localhost changes everything. That practice coupled with the
schema lock down is very effective. Locking down the schema while still
allowing sa access from remote machines is a waste of time.

> Applying uniform security settings to the CFIDE and the db aren't a
> waste of time. Although some may overlap, it's good practice to do
> whatever possible. Wouldn't you agree that two firewalls are better
> than one on a network? If the first one gets breached, then the second
> one can enforce the same rules. If CF gets breached, then the db
> enforces the same rules.
>
Certain network designs have more than one firewall whether that be
physical or virtual, but each firewall protects different network
segments. Having two firewalls protect the same network segment doesn't
make sense. Although, I have heard arguments in favor of the practice.
Seems like the law of diminishing returns applies to this practice. I
believe the practice of applying driver level constraints that are
already enforced by the database to be redundant and irrelevant.

> If lists are such a poor outlet to spreading information, then why do
> you even subscribe? It seems like you are only on this thread to
> criticise.
>
Can you not take my statements at face value? I never stated lists are
a poor outlet for spreading information. I stated that this list is not
a good forum for understanding general security issues.

> I look forward to your presentation on security.
>
See you there.

-Matt