Technology Stocks : BUG ALERT

To: Cheeky Kid who wrote (1)10/21/1998 8:13:00 PM
From: Cheeky Kid  Read Replies (1) of 24
Domino security update [Oct 19]

L0pht Heavy Industries

A recent advisory by L0pht Heavy Industries has flagged a potential security issue for users of Notes and Domino. The advisory highlighted a security vulnerability on Notes and Domino Web sites that could occur when third-party developers make certain types of internal information available on Web browsers. Lotus commends L0pht for noting the importance of setting security access when developing an application.

The L0pht advisory does not "attempt to place blame on the software vendor or on specific app developers." In reality, the problem described by L0pht could easily be seen in any operating system or application -- it's not specific to Domino. Rather, it's more of an issue of the difference between a software package's inherent security versus the security of an application's design and implementation.

How do I secure my application?

Lotus and L0pht agree on several important steps to ensuring a Web application is secure:

As Lotus has recommended in the past, a $$ViewTemplateDefault should be used to block anonymous access to internal database views.
Furthermore, as emphasized by both Lotus and L0pht on previous occasions, site configuration databases such as domcfg.nsf, domlog.nsf, log.nsf, catalog.nsf, and names.nsf should be set to No Access for anonymous users. Even with general security in place, all sensitive views (such as those listing documents containing user information) should be set to 'no access' for readers and anonymous users.

To prevent misuse of database searching as described in their advisory, L0pht suggests simply including a $$SearchTemplateDefault with no $$ViewBody field.

Security options from Lotus

Lotus provides a wealth of security options which are all available to the application developer. Developers can secure the entire environment, files within the environment, individual fields, and other data, such as access control lists. To be sure third-party developers leverage those measures properly, you should make sure you work with a Certified Lotus Professional (CLP).

To help Business Partners take advantage of new opportunities in the marketplace and to increase the number of quality solutions and services available to customers, Lotus has increased the number of education and training programs to further fine-tune the number of specialties and segments within its partner base. In 1997 alone, Lotus trained over 50,000 individuals worldwide as certified professionals representing a 200% increase in Certified Lotus Partners in 1997. Business Partners constitute 80% of the individuals/companies at the highest levels of the certification program. In addition, Lotus continually conducts seminars and training sessions to educate application developers on the dangers and concerns of Web application development.

Welcome to the Lotus Internet Security Zone
lotus.com
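An added example, not part of the original post or of the Lotus bulletin it quotes: a LotusScript agent that audits the three settings listed above on a Domino server. It assumes the agent runs with a local (server-side) session, that the named .nsf files sit in the root of the data directory, that the application being audited is the agent's current database, and that NotesDatabase.GetForm and NotesForm.Fields are available (Release 4.6 and later).

```lotusscript
' Constructed audit agent (assumption: runs on the server, so "" is the
' server name). It reports databases that still grant Anonymous more than
' No Access, and checks the default view/search template forms.
%INCLUDE "lsconst.lss"   ' defines ACLLEVEL_NOACCESS

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim entry As NotesACLEntry
    Dim form As NotesForm
    Dim files(4) As String
    files(0) = "domcfg.nsf" : files(1) = "domlog.nsf"
    files(2) = "log.nsf"    : files(3) = "catalog.nsf"
    files(4) = "names.nsf"
    Dim i As Integer
    For i = 0 To UBound(files)
        Set db = session.GetDatabase("", files(i))
        If db Is Nothing Then
            Print files(i) & ": not found, skipped"
        ElseIf Not db.IsOpen Then
            Print files(i) & ": could not open, skipped"
        Else
            ' Step 1: Anonymous must be an explicit ACL entry at No Access.
            ' Without an explicit entry, browser users fall back to -Default-.
            Set entry = db.ACL.GetEntry("Anonymous")
            If entry Is Nothing Then
                Print files(i) & ": WARN no Anonymous entry (uses -Default-)"
            ElseIf entry.Level > ACLLEVEL_NOACCESS Then
                Print files(i) & ": WARN Anonymous level is " & entry.Level
            Else
                Print files(i) & ": ok, Anonymous has No Access"
            End If
        End If
    Next
    ' Steps 2 and 3: template forms in the application database itself.
    Set db = session.CurrentDatabase
    If db.GetForm("$$ViewTemplateDefault") Is Nothing Then
        Print "WARN no $$ViewTemplateDefault form; raw views reach the browser"
    End If
    Set form = db.GetForm("$$SearchTemplateDefault")
    If form Is Nothing Then
        Print "WARN no $$SearchTemplateDefault form"
    Else
        ForAll f In form.Fields
            If UCase(f) = "$$VIEWBODY" Then
                Print "WARN $$SearchTemplateDefault still contains $$ViewBody"
            End If
        End ForAll
    End If
End Sub
```

Run it as a scheduled or manually triggered agent and read the results in the agent log; any WARN line corresponds to one of the three recommendations in the bulletin.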