Java applet code review

Revision as of 15:06, 21 January 2007 by Jmanico (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Attackers Reverse Engineer Client

All clients can be reverse engineered, monitored, and modified All encryption keys and mechanisms are not secrets All intellectual property (algorithms, data) is disclosed

Attackers Create Malicious Client, Server, or Proxy

Tamper with requests and responses Spoof a legitimate client or server application

Attackers Target Rich Client Application Itself

Clients can be abused - especially if they are "listening" All forms of input corruption (injection, overflow, etc.) can be used Spoofed server can be set up

Attackers Target Server Application Vulnerabilities

All typical server application issues are possible

Client Security Considerations

Mutual authentication over SSL Access control Not possible on client?

  • Input validation
  • Interpreter use
  • Error handling and logging
  • Intrusion detection
  • Encryption
  • For protecting information - Not possible on client?
  • For secure communications
  • For secure storage
  • Jar Signing