
Wednesday, January 7, 2009

Your First Step to a Highly Secure Web Site

Web Application Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site

If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks. Web-based attacks can lead to lost revenue, the theft of customers' personally identifiable financial information, and falling out of regulatory compliance with a multitude of government and industry mandates: the Payment Card Industry Data Security Standard (PCI) for merchants, HIPAA for health care organizations, or Sarbanes-Oxley for publicly traded companies. In fact, the research firm Gartner estimates that 75 percent of attacks on web security today are aimed straight at the application layer.


While they're described with such obscure names as Cross-Site Scripting, SQL Injection, or directory traversal, mitigating the risks associated with web application vulnerabilities and the attack methods that exploit them needn't be beyond the reach of any organization. This article, the first in a three-part series, will provide an overview of what you need to know to perform a vulnerability assessment to check for web security risks. It'll show you what you can reasonably expect a web application security scanner to accomplish, and what types of assessments still require expert eyes. The following two articles will show you how to remedy the web security risks a vulnerability assessment will uncover (and there'll be plenty to do), and the final segment will explain how to instill the proper levels of awareness, policies, and technologies required to keep web application security flaws to a minimum - from an application's conception, design, and coding, to its life in production.

Just What Is a Web Application Vulnerability Assessment?

A web application vulnerability assessment is the way you go about identifying the mistakes in application logic, configurations, and software coding that jeopardize the availability (things like poor input validation errors that can make it possible for an attacker to inflict costly system and application crashes, or worse), confidentiality (SQL Injection attacks, among many other types of attacks that make it possible for attackers to gain access to confidential information), and integrity of your data (certain attacks make it possible for attackers to change pricing information, for example).

The only way to be as certain as you can be that you're not at risk for these types of vulnerabilities in web security is to run a vulnerability assessment on your applications and infrastructure. And to do the job as efficiently, accurately, and comprehensively as possible requires the use of a web application vulnerability scanner, plus an expert savvy in application vulnerabilities and how attackers exploit them.

Web application vulnerability scanners are very good at what they do: identifying technical programming mistakes and oversights that create holes in web security. These are coding errors, such as not checking input strings, or failure to properly filter database queries, that let attackers slip on in, access confidential information, and even crash your applications. Vulnerability scanners automate the process of finding these types of web security issues; they can tirelessly crawl through an application performing a vulnerability assessment, throwing countless variables into input fields in a matter of hours, a process that could take a person weeks to do manually.

Unfortunately, technical errors aren't the only problems you need to address. There is another class of web security vulnerabilities, those that lie within the business logic of application and system flow, that still require human eyes and experience to identify successfully. Whether called an ethical hacker or a web security consultant, there are times (especially with newly developed and deployed applications and systems) when you need someone who has the expertise to run a vulnerability assessment in much the way a hacker will.

Just as is the case with technical errors, business logic errors can cause serious problems and weaknesses in web security. Business logic errors can make it possible for shoppers to insert multiple coupons in a shopping cart - when this shouldn't be allowed - or for site visitors to actually guess the usernames of other customers (such as directly in the browser address bar) and bypass authentication processes to access others' accounts. With business logic errors, your business may be losing money, or customer information may be stolen, and you'll find it tough to figure out why; these transactions would appear legitimately conducted to you.

Since business logic errors aren't strict syntactical slip-ups, they often require some creative thought to spot. That's why scanners aren't highly effective at finding such problems, so these problems need to be identified by a knowledgeable expert performing a vulnerability assessment. This can be an in-house web security specialist (someone fully detached from the development process), but an outside consultant would be preferable. You'll want a professional who has been doing this for a while. And every company can benefit from a third-party audit of its web security. Fresh eyes will find problems your internal team may have overlooked, and since they'll have helped hundreds of other companies, they'll be able to run a vulnerability assessment and quickly identify problems that need to be addressed.

Conducting Your Vulnerability Assessment: The First Steps

There are a number of reasons your organization may need to conduct a vulnerability assessment. It could be simply to conduct a checkup regarding your overall web security risk posture. But if your organization has more than a handful of applications and a number of servers, a vulnerability assessment of such a large scope could be overwhelming. The first thing you need to decide is what applications need to be assessed, and why. It could be part of your PCI DSS requirements, or to meet HIPAA requirements. Or the scope could be the web security of a single, ready-to-be-deployed application.

Once you've figured out the scope, you need to prioritize the applications that need to be assessed. If you're assessing a single, new application, that decision is easy. But if you're on the precipice of assessing every web application in your architecture, you have some decisions to make. Whether you're looking at the web security of applications you own, or only those that take part in online sales transactions, you need to inventory and prioritize the applications to be assessed.

Depending on the scope and purpose of your vulnerability assessment, it makes sense to start looking at the web security of your crucial applications first - for instance, those that conduct the most transactions or dollar volume - and work down from there. Or it could be starting with all applications that touch those that process and store sales transactions.

No matter your scope, or the purpose of your vulnerability assessment, other aspects of your architecture always need to be considered when listing and prioritizing your applications. For instance, any externally facing applications - even those that don't contain sensitive information - need to be given high priority. The same is true for externally hosted applications, whether they are Internet-facing or directly connected to back-end systems. Any applications that are accessible by the Internet, or hosted by others, should be subject to a vulnerability assessment. You can't assume that an application is secure just because it is hosted by a third party, just as you can't assume that there is no risk just because a web application, form, or entire site doesn't handle sensitive information. In both cases, any web security vulnerabilities could very likely lead an attacker directly to your most critical network segments and applications.

The Vulnerability Assessment

Now you're ready for the vulnerability assessment. Believe it or not, much of the hard work is already done: deciding the scope, and then classifying and prioritizing your applications. Now, assuming you've already acquired a web security scanner and have identified who will conduct the manual scan for business logic errors, you're ready to take a whack at your application.

The resulting report, based on the security health of the application, will provide you with a list of high, medium, and low priority vulnerabilities. At this point, you'll need someone to vet the automated vulnerability assessment results to find any false positives: vulnerabilities that the scanner reports but that don't actually exist. If it seems overwhelming, don't fret; we'll delve into how to prioritize and remedy these web security vulnerabilities in the next installment.

About the same time as your automated vulnerability assessment, the manual assessment will be underway. During the manual assessment, the expert will look for logic errors in the application: Is it possible for users to conduct transactions in ways the developers hadn't anticipated, such as tampering with application values that are passed from the client to the server to alter the price of an item? The manual vulnerability assessment will end with a list of all the web security vulnerabilities found, and the assessor should prioritize the risks posed by each problem based on the ease of exploiting the vulnerability and the potential harm that could result if an attacker is successful.
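The two business logic flaws this article uses as illustrations, multiple coupons in one shopping cart and a price altered in values passed from the client to the server, both come from the server trusting what the client submits. The following Python code is an added example, not code from the article or its authors; the catalogue, coupon codes, order format and the one-coupon-per-order rule are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data (assumptions for this example, not from the article).
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}
COUPONS = {"SAVE10": Decimal("0.10"), "WELCOME5": Decimal("0.05")}
MAX_COUPONS_PER_ORDER = 1  # assumed business rule

# Constructed orders, shaped like form values a browser would post back.
LEGIT_ORDER = {"items": [{"sku": "sku-100", "qty": 2, "price": "49.99"}],
               "coupons": ["SAVE10"]}
TAMPERED_PRICE = {"items": [{"sku": "sku-100", "qty": 2, "price": "0.01"}],
                  "coupons": ["SAVE10"]}
STACKED_COUPONS = {"items": [{"sku": "sku-200", "qty": 1, "price": "5.00"}],
                   "coupons": ["SAVE10"] * 5}


class OrderRejected(Exception):
    """The submitted order breaks a business rule and must not be charged."""


def _apply_coupons(total, codes):
    """Apply each percentage coupon in turn and round to cents."""
    for code in codes:
        total -= total * COUPONS.get(code, Decimal("0"))
    return total.quantize(Decimal("0.01"))


def total_trusting_client(order):
    """Flawed: charges the submitted price and applies every submitted coupon."""
    total = sum((Decimal(i["price"]) * i["qty"] for i in order["items"]),
                Decimal("0"))
    return _apply_coupons(total, order.get("coupons", []))


def total_server_side(order):
    """Hardened: prices come from the catalogue and coupon rules are enforced.

    Returns (total, alerts). Alerts record client values that disagree with
    server-side data, so a tampering attempt is visible in logs instead of
    looking like an ordinary transaction.
    """
    alerts = []
    coupons = order.get("coupons", [])
    if len(coupons) > MAX_COUPONS_PER_ORDER:
        raise OrderRejected(
            f"{len(coupons)} coupons submitted, limit is {MAX_COUPONS_PER_ORDER}")
    unknown = [c for c in coupons if c not in COUPONS]
    if unknown:
        raise OrderRejected(f"unknown coupon(s): {unknown}")

    total = Decimal("0")
    for item in order["items"]:
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise OrderRejected(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise OrderRejected(f"invalid quantity for {sku}: {qty!r}")
        submitted = item.get("price")
        if submitted is not None:
            try:
                differs = Decimal(str(submitted)) != CATALOG[sku]
            except InvalidOperation:
                differs = True  # not a number at all
            if differs:
                alerts.append(f"price mismatch for {sku}: client sent "
                              f"{submitted!r}, catalogue is {CATALOG[sku]}")
        total += CATALOG[sku] * qty  # the client-supplied price is never used
    return _apply_coupons(total, coupons), alerts


if __name__ == "__main__":
    for name, order in [("legit", LEGIT_ORDER), ("tampered", TAMPERED_PRICE),
                        ("stacked", STACKED_COUPONS)]:
        flawed = total_trusting_client(order)
        try:
            hardened = total_server_side(order)
        except OrderRejected as exc:
            hardened = f"rejected ({exc})"
        print(f"{name:9} flawed={flawed}  hardened={hardened}")
```

To the flawed function all three orders are well-formed requests, which is why a scanner looking for technical errors has nothing to flag and a reviewer who knows the intended rules is needed.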

Now you have your list of web security vulnerabilities, both technical and logic. And, if your organization is like most others, you have some remedying work to do. The challenge now is to prioritize what needs to be fixed, so that your existing applications can be hardened, and those being built can be remedied and safely placed into production.

While the list of web security issues may be long, you've completed the first major phase on the road to a highly secure application. Take comfort in the fact that your vulnerability assessment has identified problems in your applications before they were attacked by competitors, lone hackers, or organized crime. In the next article, Effective Web Application Vulnerability Remediation Strategies, we'll show you how to prioritize your remediation work so that development time isn't prolonged, and existing applications at risk are remedied before they can be attacked.


About Caleb Sima

Caleb Sima is the co-founder of SPI Dynamics, a web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on web application security testing methods and has contributed to (IN)Secure Magazine, Baseline Magazine and been featured in the Associated Press.

About Vincent Liu

Vincent Liu, CISSP, CCNA, is the managing director at Stach & Liu, a professional services firm providing advanced IT security solutions. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Vincent is an experienced speaker and has presented his research at conferences including BlackHat, ToorCon, and Microsoft BlueHat. He has been published in interviews, journals, and books with highlights including: Penetration Tester's Open Source Toolkit; Writing Security Tools and Exploits; Sockets, Shellcode, Porting, and Coding; and the upcoming Hacking Exposed: Wireless.

Article Source: http://www.site-reference.com/articles/Website-Development/Your-First-Step-to-a-Highly-Secure-Web-Site.html

Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?

Over the past several years I have heard people asking the question "should I use vulnerability analysis tools to assess my web based applications or should I look to penetration testing?" I think we, as an industry, may be asking the wrong question. First, let's look at how the web application industry has grown over the years and how penetration testing has scaled to meet that challenge.

Pre-2000

Before the year 2000, some companies had a web site for marketing purposes and a few companies were starting to do a little business on the web. There were of course a lot of DotComs around selling things on the web, but real "brick and mortar" businesses were just using the web as a marketing tool. The brick and mortar businesses who understood security started asking their experts in penetration testing to check out these web applications. Using some simple vulnerability analysis tools, those penetration testing experts did a good job checking for simple web application security issues. There were a few people running around that really knew how to test a web application, but not many. At this time, there were a few open source vulnerability analysis tools in existence, but the market was in its infancy.

Early 2000s

After the DotCom bust, companies actually started to use the web and web-based applications for both internal and external applications. Most applications still existed on non-web-based platforms, but developers started moving their legacy applications into web-based environments. Developers found that creating a web-based application was a bit more complicated, but deploying it via a browser made it all worthwhile. In addition, customers now wanted to transact their business via the web, and as a result, companies started to provide some of their services via a web application.

Security commonly responded to this change in one of two ways. One approach that worked was to hire or contract more penetration testing experts and to try to test all web-based applications before they went live. This worked in some cases, but usually there was not enough support for the penetration testing so only critical applications were tested, leaving non-critical applications open to attack. The other approach was to assess the web-based application with vulnerability analysis tools before it went live. This approach scaled much better than the penetration testing route, but would frequently miss vulnerabilities that really should have been discovered.

Usually, a combination of stand-alone vulnerability analysis tools and penetration testing was used in an attempt to get full application coverage. This yielded good results, but most security organizations were still quickly overwhelmed by the number of web-based applications that needed to be assessed. Also, this approach typically found vulnerabilities after the application had been developed, tested and was ready for production. This frequently caused companies to go live with vulnerable applications or go back to development and fix the issue.

The Right Question (Where we are today)

Today, the problems of the early 2000s have only worsened. The proliferation of web-based interfaces and applications has spread to every part of our lives and businesses. With this growth, we are not only seeing new groups within companies use web-based applications, but we are also seeing that these same groups are using web-based applications for everything they do on the computer. And these applications are also becoming more complex.

When faced with this type of environment, many web application security experts ask the question, "Should I use vulnerability analysis tools or hire more staff for penetration testing?" I think this is the wrong question. What we should be asking is, "If I have so many people developing web-based applications, how do I get them to do it in a secure way?" The people involved in creating the web-based applications will need to become part of the solution, not the cause of the problem. Developers and QA testers will need to understand how to develop a web-based application that is secure, and they will need vulnerability analysis tools to help them verify that they are doing the right thing. And providing developers with an automated way to test their applications can help them find web application security issues much earlier in the process.

Training for QA professionals is also critical. These professionals need to know how to look for web-based security issues and then need to have vulnerability analysis tools that help them test for security issues. They also need a way to integrate these vulnerability analysis tools into their existing defect tracking systems. This integration allows for tracking of issues as well as generating metrics around what type of issues are being created by the developers.

At the enterprise level, we need ways to assess applications that are in production and understand what the enterprise looks like from a web application security perspective. These tests should include issues resulting from development, QA and production, as well as the in-depth data that penetration testing will continue to generate. Having an enterprise view allows executives to understand where their risks are and what an appropriate response to the risks should be.

As for penetration testing, it will continue to be a core part of the web application security landscape. The fact is that there are some web application security issues that vulnerability analysis tools just don't do a great job of finding. These vulnerability analysis tools get better every day but they have a long way to go before they can be considered a "mature" product family. The web application security assessment industry is still quite young and the security landscape is changing quickly.

The fact is, the need for those experienced in penetration testing will continue to increase. We will need them to continue to do more assessments and to do more in-depth assessments that vulnerability analysis tools will not be able to fully execute. We will also need them to train developers and QA professionals in how to test web-based applications. Web application penetration testing is still a rare skill that vulnerability analysis tools cannot replace, and we need the people that are creating the web-based applications to develop applications more securely and to help develop processes to promote and verify the security of applications.


Dennis Hurst is a Developer Security Evangelist for SPI Dynamics where he works with development organizations evangelizing the need to integrate web application security into their Web development processes. A Microsoft Developer Security MVP, Dennis has more than 15 years experience in the Information Systems/Application Development industry, and he is an expert in computer applications and networks.


Article Source: http://www.site-reference.com/articles/General/Penetration-Testing-vs-Vulnerability-Analysis-Tools-Which-Is-Best.html

Apache, MySQL & PHP for Windows

Apache, MySQL and PHP for Windows could be a nice thing to have on your Windows workstation. You could try and experiment with all kinds of nice PHP and MySQL based applications right on your Windows desktop running Apache, instead of having to access a full-featured server.

Most people have Windows as their workstation and it can be sometimes difficult to switch to another operating system. So, you may have always wanted to run PHP applications on your Windows machine but wondered if it is too difficult to install or if the hassle will be worth it.

This article gives you the essential information to get started right away. Even if you are a seasoned PHP, MySQL and Apache guru, the checklist below will still be helpful in your installation process.

There is a lot of third-party software that bundles Apache, MySQL & PHP in one package and installs them on your computer. We do not recommend this and suggest that you get Apache, MySQL & PHP directly from their official sites.

Apache
1. Get Apache 1.3.33 from here: http://httpd.apache.org/download.cgi.
2. Choose a mirror close to you and in the same page, look for the Win32 Binary (Self extracting) file: apache_1.3.33-win32-x86-no_src.exe.
3. Download the file and save it on your hard disk. Run the installer and the self-extracting wizard will guide you through the rest of the steps. Choose all the default settings and run Apache as a service.
4. Remember to put "localhost" when asked for a Server name/Domain name. Use "administrator@localhost" when asked for the administrative email account.
5. Now point your browser to: http://localhost and you should see an Apache Test Page.
6. You can change this page by creating an "index.html" page here: "C:\Program Files\Apache Group\Apache\htdocs".
7. You can manually start and stop the Apache server. In a Windows command prompt, type "net stop apache" or "net start apache".

MySQL
1. Get MySQL 4.1.7 from here: http://dev.mysql.com/downloads/mysql/4.1.html
2. Under the Windows downloads section, choose Windows Essentials (x86) and click on the Pick a Mirror link.
3. Download the file mysql-4.1.7-essential-win.msi and save it on your hard disk. Run the installer and the self-extracting wizard will guide you through the rest of the steps. Remember the root password when prompted for it in the installation process.
4. Once the installation is done, on your Windows toolbar, go to "Start->Programs->MySQL->MySQL Server 4.1->MySQL Command Line Client".
5. Type the root password and you should be logged in to the MySQL shell.
6. Type "show databases;" to see the list of databases. Type "quit" when you are done.

PHP
1. Get PHP 4.3.10 from here: http://www.php.net/downloads.php
2. Under the Windows Binaries section, choose the file: PHP 4.3.10 zip package size 7,405Kb dated 15 Dec 2004.
3. Download the file and save it on your hard disk. Unzip the file and rename the extracted folder to "php". Now move this folder "php" and place it under "C:\Program Files".
4. Move all the files under "C:\Program Files\php\dlls" and "C:\Program Files\php\sapi" to here: "C:\Program Files\php".
5. Copy the file php.ini-recommended to "C:\WINDOWS" and rename it to php.ini
6. Edit your Apache "httpd.conf" configuration file located here: "C:\Program Files\Apache Group\Apache\conf".
7. Add the following lines in httpd.conf:

LoadModule php4_module "C:/Program Files/php/php4apache.dll"
AddModule mod_php4.c
AddType application/x-httpd-php .php

8. Now stop your server by issuing the following command in Windows command prompt: "net stop apache". Then type "net start apache" to start your server. We are now going to test the PHP installation.
9. Go to "C:\Program Files\Apache Group\Apache\htdocs" and create a file test.php
10. Edit test.php and add the following code:

<?php
phpinfo();
?>

11. Point your browser to http://localhost/test.php and you should see a lot of PHP configuration information.

Congratulations! You now have Apache, MySQL and PHP installed on your computer. Now you can install your favorite script right on your Windows workstation.

About the Author
Sanjib Ahmad, Freelance Writer and Product Consultant for Business.Marc8.com - Top 10 Business Best Selling Books. You are free to use this article in its entirety as long as you leave all links in place, do not modify the content, and include the resource box listed above.

Article Source: http://www.site-reference.com/articles/Website-Development/Apache-MySQL-PHP-for-Windows.html

Apache, Mysql

"Even if you are a seasoned PHP, MySQL and Apache guru, the checklist below will still be helpful in your installation process."


Sanjib Ahmad, Freelance Writer and Product Consultant for Business.Marc8.com (http://business.marc8.com/). You are free to use this article in its entirety as long as you leave all links in place, do not modify the content, and include the resource box listed above.

Article Source: http://www.site-reference.com/articles/General/Apache-Mysql.html

The Pros and Cons of Web Applications

There has been a long-running debate about web applications replacing desktop software applications. While some functions are better suited to web applications, it is my belief that security concerns and legacy systems will prevent desktop software from becoming obsolete.

Some argue that the debate between web applications and desktop applications is pointless, as there is no clear answer, while still others argue that the issue at hand is as much a business and marketing issue as it is a technological issue.

What Defines a Web Application Vs a Desktop Application?
A web application is an application delivered to users from a web server over a network such as the Internet. Some businesses run web applications on an intranet, as well. Web applications are becoming more popular due to the widespread use of the web browser as a client.

Some applications are better suited and more likely to become successful as web applications. Web applications designed specifically for search engine optimization have become increasingly popular. It is easy to understand why web applications that relate to the Internet would prosper, while business applications may have less appeal in a web environment.

A desktop application is a self-contained program that performs a defined set of tasks under the user's control. Desktop applications run from a local drive and do not require a network or connectivity to operate or function properly, though if attached to a network, desktop applications might use the resources of the network.


Pros and Cons to Desktop and Web Applications:

Easily Accessible
Web applications can be easily accessed from any computer or location that has Internet access. Travelers especially benefit from the accessibility. This often means that if a traveler has access to a computer, phone or handheld with Internet connectivity they can utilize the web application.

Low Maintenance & Forced Upgrades
Desktop applications need to be individually installed on each computer, while web applications require a single installation.

Many web applications are hosted by a third party, and the maintenance falls under the application host's responsibility. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for the popularity of web-based applications. This can be a blessing and a curse, as users of web applications on hosted systems are at the mercy of the host: if an upgrade does not go well, or the individual user doesn't want or need the new features, the upgrade will still go forward.

Increased Security Risks
There are always risks involved in working online. Regardless of how secure a host might say a web application is, the fact of the matter is that the security risk of running an application on the Internet is more significant than that of running an application on a standalone desktop computer. Some applications require more security than others: playing Sudoku on a web application would cause little concern, but dealing with sensitive corporate formulas or accounting details in a web environment might be deemed risky.

Cost
Over the life of the software, web applications are typically significantly more expensive. Desktop applications are purchased outright, and rarely is there a recurring fee for the software's use. Some desktop applications do have maintenance fees or fee-based upgrades associated with them, but rarely is there a subscription fee associated with the software's ongoing use.

Many corporate web applications use a different model: users are typically charged a monthly service fee to operate the software. These fees are considered "subscription fees". If you fail to renew your subscription, you may be unable to access the data stored in the web application.

Connectivity
Web applications rely on persistent and unmanaged connectivity. If you do not have an Internet connection, or if your host does not have Internet connectivity, you cannot access the information. Critical applications or businesses that are time sensitive cannot risk having denial-of-service attacks or power outages interrupt their operations and their access to sensitive data.

Slower
Web applications that rely on the Internet to transfer data, rather than on a computer's local hard drive, may operate more slowly. The speed may also vary based on the number of users accessing the application.

Backups & Ownership
Regardless of the platform, companies need to be sure that their data is appropriately backed up. When using a web application that is hosted by a third party, companies should clearly determine who owns the data housed in the application, and be sure that privacy policies prevent that data from being used by the web host.

Ultimately, the accessibility of web-based applications makes them very desirable. Web applications have some fundamental limitations in their functionality, and are better suited for specific tasks. Understanding the pros and cons of each business model will help users determine whether a desktop application or web application will better suit their needs.


Sharon Housley manages marketing for FeedForAll http://www.feedforall.com software for creating, editing, publishing RSS feeds and podcasts. In addition Sharon manages marketing for NotePage http://www.notepage.net a wireless text messaging software company.

Article Source: http://www.site-reference.com/articles/General/The-Pros-and-Cons-of-Web-Applications.html

Google and Sun - a Partnership to Kill Microsoft or a Deal with the Devil?

While the implications could be huge and far reaching, only Google knows for sure what it wants. We can speculate, however, and that’s what this article is all about. Is such a deal good for Sun (and Google) or is it a pact with the devil?

At first glance, such a deal doesn’t seem like much. After all, Java to most people is just a plug-in for your Internet browser. What good would such a deal be to Google? Well, let’s take a look at what Java can do. The following is taken straight from Sun’s website:

The Java programming language is robust and versatile, enabling developers to:
Write software on one platform and run it on another.
Create programs to run within a web browser.
Develop server-side applications for online forums, stores, polls, processing HTML forms, and more.
Write applications for cell phones, two-way pagers, and other consumer devices.

Let me break this down for you – point by point:

Write software on one platform and run it on another

To me this says it all – platform independent applications. What is one thing Windows does well? The programs generally run only on Windows. Developers usually have to port applications to run on other operating systems like Mac or Linux. But an application built on Java can be run on any platform regardless of the architecture.

Create programs to run within a web browser

This is an area Google lacks in somewhat. Sure they own search and have some great web based applications such as Gmail, but there are so many potential other web based applications out there. From web based collaboration software to web based application suites (such as office applications). The possibilities are endless.

Develop Server Side Applications

Again, since Java is platform independent, different types of server applications can be built for websites regardless of their operating system. An E-commerce system could be developed which would easily plug into a website whether it was ASP or PHP based. This would be a huge competitive advantage for Google.

Write Applications For...Consumer Devices

Portable web is the future. There is no doubt about it. Rather than building multiple platform dependent applications, one could again develop a Java based platform independent application. Since it’s independent it can not only run on your desktop or within your web browser but also your cell phone, BlackBerry or PDA.

So, now that we know what Java can do, let’s take a look at what Google can do with Java:

Compete on the Desktop

Virtually any application could be ported from its current Windows based version to a platform independent Java version. Even current Google applications like Picasa and Google Earth could now be available to non-Windows users.

Obviously, there is a potential to compete with current Microsoft products as well. The first that comes to mind is Microsoft Office. One would expect this to be one of the first areas Google moves into.

Imagine the potential though. I think of how good that would be just for me personally. My computer runs Fedora (a version of Red Hat Linux) yet for other reasons (games) my son’s computer runs Windows XP.

When he needs help with homework it can be trying because he uses Microsoft software and I use open source. If we could collaborate on something which doesn’t care what OS it runs on, it would make our lives so much easier.

And that leads to my next point – collaboration.

Compete with Future Microsoft Products

One thing Microsoft has been getting better at, but is still lagging in, is online collaboration. Sure they have Exchange Server and Sharepoint, but those systems are somewhat cumbersome and don’t always play together nicely.

But imagine a system which is (again) platform independent and web based and allows collaboration among multiple users from different areas using a shared application base. The system could incorporate version control for shared documents, as well as calendaring, email and other communications.

This system could be hosted by Google (of course) but be open to who you want. In other words, you could openly collaborate with clients, or co-workers regardless of what system you are using – you could connect and read email with your PDA, schedule appointments with your laptop and even have a Google Talk VOIP conversation with your cell phone. The possibilities are endless.

Take Over the Desktop

To go even a step further, what if Google built a small lightweight version of Linux that hosts links to web based versions of the Java applications? You could then have this light Google Linux stored on a USB device.

That way, no matter what computer you use, you could reboot it into the USB version of Google’s Desktop and have all your customizations and settings just like you would at home or the office.

You could borrow your neighbor’s laptop or even go to the local Internet cafe and reboot into “Glinux” to read email, respond to appointments and even have a virtual conference via Google IM.

Again, depending on how aggressive Google wants to be (and I bet you they are very aggressive) Google could become a viable alternative to Microsoft. And not just Microsoft applications but Microsoft as a whole.

Google could take over the desktop (or at least temporarily supplant it) as well as any MS based application.

This is the true power of the deal today. While it may take months or years to see the first “real” Google/Sun Java application, I do expect to see them taking aim at Microsoft and what it has accomplished.

Because this is still all in line with Google’s mission of making the world’s information universally accessible.

All I can say is I hope Bill Gates has a big enough war chest because he’s going to need it.


Rob Sullivan - SEO Specialist and Internet Marketing Consultant. Any reproduction of this article needs to have an html link pointing to http://www.textlinkbrokers.com

Article Source: http://www.site-reference.com/articles/Search-Engines/Google-and-Sun-a-Partnership-to-Kill-Microsoft-or-a-Deal-with-the-Devil.html

Key Comparisons of Linux vs. Windows Servers

For someone who is fairly new to web hosting, choosing the platform you are going to use for your server can be a difficult and even mind-boggling decision. Although there are several obscure choices still available, the most widely used Operating Systems (OSs) are the enterprise, or server, versions of Linux and Windows.

There seems to be a limitless source of information regarding hosting, but it seems that the waters have been muddied by many authors’ self-important personal opinions. This has resulted in some of the issues becoming rather unclear to intermediate users. Some technology bloggers have put quite a few hours, even years, into research on the subject, only to conclude that it really does not matter what server you decide to use. They claim that you should just make sure to choose a really good web host, instead of worrying about the type of server software they are running.

Are they right? Does it matter what kind of server hosts your site? Why? What is the difference between the two OSs, anyway?

Cost considerations

Microsoft manufactures and owns the rights to the entire Windows OS, from the recently retired XP to various flavors of Vista. Linux, on the other hand, is “open source” software and is usually free. What that means is that it can be more costly to install and run a Windows server, but this really would not affect you unless you are setting up the server personally – and if your eyes are glued to this article then it’s a safe assumption that you are not doing so.

What this article will do for you is give you the rundown on how to make the right decision about the web-hosting server you choose. The costs inherent in running a server do not always affect the price of the hosting package as you might suspect. The fact that a single Windows server would be more costly to set up and run doesn’t apply to a web-hosting firm that has installed several dozen or more. Getting the Windows hosting package is usually a bit more expensive than the Linux hosting package, but not so much that you should disqualify it on price alone.

Make no assumptions

Individuals often assume that just because their PC operates on Windows, they should purchase a Windows hosting package. Not necessarily. Gaining access to your web account will usually be done through FTP or a control panel, and all servers support these methods. The most important difference in administrative site access is that some FTP commands are a bit different in Linux than in Windows and, of course, the FTP programs will usually be created for only one or the other.

Think about how you intend to put the server to use. Make your decision based on those facts. The web features that will run just fine on both platforms include PHP and the e-mail protocols, IMAP and POP. On the other hand, using ASP, Frontpage, the .Net environment, Access, Windows Streaming Media or other Microsoft technologies will likely require a Windows host. Linux offers only limited support, or none at all, when it comes to these technologies, meaning your “workaround cost” will be quite high and may lack the features you need.

Stability and growth

Different server platforms’ reliability and stability records have been raised in many discussions, some rather contentious. The focus of many anti-MS rants has been that Windows is not a secure environment and is only popular because it is the OS for the majority of home-based PCs. As the most commonly used system, Windows has flaws and people tend to spend a lot of time looking for them, as well as exploiting them for harm.

However, Linux may just be the most common server type out there and, surprisingly, the success rate for hackers has been higher than expected, although not as high as for Windows. After all is said and done, the platforms and their security boil down to systems administration and server company management. If security is the main focus for you, then be sure to take the time to investigate the company that is hosting your site. Make sure that they have a reputation that is corroborated by other companies, not just their own marketing materials. This way you will have fewer worries about the server you are using.

Too close to call?

When it comes to the performance of the two servers, there is not a huge difference. Linux has been known to perform faster than Windows on some “cookie cutter” hosts that install Windows in its default, “all in one” package. Linux distributors, using an open-source application with more flexibility, can implement “extensible” packages with greater customizability. In normal situations, the performance of the two is comparable, but if system functionality is most important to you, this may have an impact on your final decision. Which direction that will send you depends on what you wish to compare, as the OSs do have some different strengths and weaknesses.

It is arguably a better use of your time to look for a good host rather than a good server model or OS. Linux and Windows developers are always working on ways to improve both systems. At this point they seem to be roughly equivalent when it comes to the security, features and reliability expected by the average home and small business user. This is not likely to change for some time. You must base your decision on the factors most important to you and your business, and in this neck-and-neck horse race, a clear winner is impossible to call. Eventually you will just have to saddle up with one or the other, and hit the track.


Amy Armitage is the head of Business Development for Lunarpages. Lunarpages provides quality web hosting from their US-based hosting facility. They offer a wide-range of services from Linux Virtual Private Servers and managed solutions to shared and reseller hosting plans.

Article Source: http://www.site-reference.com/articles/General/Key-Comparisons-of-Linux-vs-Windows-Servers.html

Different Types of Control Panel for Web Hosting

A company that provides web hosting services is called a web host, and their hosting plans provide data storage, connectivity, email, etc., everything needed to run a website. There are thousands of web hosting services, ranging from individuals to worldwide corporations, and many web hosts offer multiple web hosting plans to accommodate different size websites. Every Web host provides a control panel that allows you to manage your hosting plan and website. A control panel is like the brain behind your Web site’s body. It gives you one place to look at to do everything you would ever need to do to your Web hosting account. You can create E-mail accounts, create FTP accounts, track statistical information and so much more.

Did you know that there are different types of control panels though? I do not think anybody can argue with the fact that the most used control panel software out there today is cPanel. There are other options out there, though. Some might be better, some might be worse depending on your needs. You cannot judge the quality of your Web host by the control panel alone, but it is an important piece to the web hosting business.

Here are some of the most popular web hosting control panels

cPanel

The folks at the cPanel Web site say, "cPanel is designed for the end users of your system and allows them to control everything from adding / removing email accounts to administering MySQL databases." The fact of the matter is that they do that and so much more. Most often used on Linux based systems, cPanel provides support for over ten different flavors of Linux. There are no Windows or OS X versions yet. Their interface is clean, with more options and features than you could shake a stick at. It is easy to see why they are the number one control panel used today because of its many features and inexpensive price. It usually costs a hosting company $20/month per server. They do have several competitors chomping at the bit to take their space on the top of the mountain. cPanel used to have a demo control panel up for folks to test drive, however I could not find a trace of it on the cPanel Web site anymore.


Plesk

Plesk is available for both Linux and Windows Web hosting servers. This alone gives them a little advantage over cPanel. Their interface looks much like Windows XP. You have all the soft colors and big icons that you would ever need. I have to give them credit though, because it does look great. They have all the basic features that cPanel has as well. It is more professional but also more expensive. Unlike cPanel, since it provides a Windows version, it is a nice option for hosts that offer both Windows and Linux hosting plans. Plesk also has other applications that integrate well into it like a website builder tool.

H-Sphere

Created by Positive Software, H-Sphere is yet another excellent control panel that you see web hosts use. It too provides support for Windows and Linux based machines. From complete automation to key functionalities, it has many features. Compared with Plesk and cPanel, though, it leaves you wanting a little more. Perhaps in the next few versions it will be able to catch up. It is used fairly widely by Windows based hosts but is not as popular as Plesk.

Ensim

Ensim is yet another control panel that provides support for Windows and Linux alike. They say that it is for the management of any type of Web site. The interface is pretty enough, but it comes up a little short compared with the options in some other clients.

DirectAdmin

DirectAdmin claims to be the control panel that is the easiest to use. They do have many features that the other control panels boast about. It appears though that they only support a few flavors of Linux and not Windows. The interface is very clean and organized, but lacks when it comes to some of the extra features that cPanel or Plesk could provide. It is a little less expensive than cPanel at usually $10/month.

Interworx

Interworx is another Linux only control panel. There is nothing wrong with this, because there are many more Linux based Web hosting servers out there today, but Linux only control panels exclude all Windows hosting customers as potential customers. Just by looking through their Web master level features, I would say they deserve to be ranked at the top. One thing that I really like from them is their site usage snapshot. It gives you a chart to look at, right off the bat to see your upstreams and downstreams. The interface is clean, and everything is organized well.

Helm

Now we have seen a lot of different Linux only control panels, but what about a Windows only one? That is one thing that Helm provides to the end consumer. There are many customer features to go on and on about, but how does it feel once you get on the inside? It has the standard pretty interface, nothing new there. These control panels are built to be used over and over, so they have to be easy on the eyes. One thing that did get my attention is the ability to see your billing information inside the control panel. That is very nice indeed. Most control panels do not integrate in billing features. H-Sphere is another one that does.

Hosting Accelerator

Hosting Accelerator is another Windows Web hosting server control panel. The end user features are very standard, and lack any shock and awe you might have seen with other clients out there. The interface on this control panel though is very busy. It looks as if they did not spend a lot of time laying out and organizing the functionality. Seeing how much stuff you can shove in front of my face is not a good way to make a first impression. For a geek, this might be nice. For somebody new to Web hosting though, this is a little overwhelming.

InsPanel

Yet another Windows only web hosting server control panel. InsPanel hopes to offer a new look at the idea. There are many features to be listed, but none of them stick out. The control panel is well organized, with everything in its place. An average product, but remember there is nothing wrong with that. It is not that widely used so finding expertise on it might be hard.

CWIPanel

CWIPanel has a message on their front page saying that you can "unleash the power of your Windows server!" Now can you really? Let us have a look. The list of features looks much like the other Windows only control panels. However they did not have a control panel demo for me to look at, so there really is not much else to be said. From what I've seen though they look to be about average as it goes for Windows server management. And like the last couple of products their market share is small.

The basic features and functions of a control panel that are standard are listed below. When evaluating any control panel this should be a set of features to examine.
* Mail Manager
* Parked Domains
* Addon Domains
* FTP Manager
* File Manager
* Disk Usage
* Backup
* Password Protect Directories
* Subdomain
* MySQL Database Manager
* PostgreSQL Database Manager
* MS SQL Manager (Windows only)
* Redirects
* Frontpage Extensions
* Web/FTP Stats
* Raw Access Logs
* Raw Log Manager
* Error Log
* Subdomain Stats
* CGI Center
* Cron Jobs
* Network Tools
* MIME Types
* Hot Link Protection
* Index Manager
* IP Deny manager
* SSL Manager
* Fantastico (Linux only. This is a set of free scripts or programs you can use to add common functionality to your website.)

In the end, I believe that cPanel is the best control panel out there today still. It is the most basic and user friendly control panel. For Windows hosting, I would pick Helm as my favorite.

Without control panels we would still be doing all these things with Linux commands and paper clips. As the operating system made life with a computer easier, the control panel makes life with a Web hosting account a more pleasant experience.

There are many factors that play into purchasing a Web hosting account, but a Web hosting company is only as good as the control panel behind it. By looking at these above examples, you should be able to judge which ones might offer you the best results.


Rodney Ringler is President of Advantage1 Web Services, Inc., which owns a network of Web Hosting Informational Websites including HostChart.com, ResellerConnection.com, FoundHost.com, ResellerForums.com, and HostingKnowledge.net (http://www.hostingknowledge.net). Rodney has over 15 years industry experience from programming to internet marketing.

Article Source: http://www.site-reference.com/articles/General/Different-Types-of-Control-Panel-for-Web-Hosting.html

Linux servers: Do you understand the difference?

First of all, some people are worried that they will not be able to use Linux hosting because they run Windows on their PCs. However, what operating system you run on your own PC is irrelevant to which web hosting environment you can use, because the latter is run remotely on a web server, where your website files will be uploaded.

Linux and Microsoft Windows are two different operating systems. Windows is a well-known household name and does not require much introduction. Linux is a new version of the Unix operating system. Both these operating systems make excellent environments for web hosting. However, there are some differences between them.

To help you decide whether Linux or Windows hosting is better for you, we look at the following elements:

Cost

Linux is known as an "open source" operating system, i.e. there are no licensing fees to pay. Therefore, compared to Windows, Linux is very cheap. Starting with Windows XP, Microsoft has begun enforcing software activation. This means that a single copy of Windows can only be installed on one computer. With Linux, once you own a copy, you are free to install it as many times as you wish on any number of computers.

Reliability

Linux is reputed to be very stable and reliable. This means that a Linux server is much less likely to crash than a Windows server. Subsequently, a Linux server will mean more 'up time' for your website.

Experience

Linux has many more years of experience than Windows in hosting.

Speed

There is no real difference in speed between Linux and Windows, but Linux is slightly faster in processing basic web pages.

Functionality

Windows supports ASP (Active Server Pages), a Microsoft programming/scripting language, which allows you to build dynamic, database-driven web pages by connecting to a Microsoft database such as SQL Server or Access. Linux supports neither ASP nor Microsoft databases, but uses the MySQL database instead.

If you use Microsoft Frontpage to create your website, it doesn't mean that you have to choose Windows hosting. All Linux accounts come free with Frontpage extensions, which allow you to upload your Frontpage website to your web space on a Linux server.

Scripts

There are many CGI programs available on the Internet. The majority of these are Perl scripts and have been developed on Linux / Unix web servers. So they tend to install more smoothly and operate more reliably on a Linux server. Moreover, many Perl scripts are downloadable from the Internet free of charge.

To summarise, most users find that Linux hosting is easier to use, more reliable, provides free, open source software and is much cheaper than Windows hosting. So unless you particularly need to use Windows specific features such as ASP and an Access database, it is probably a better choice to choose Linux over Windows. For more information on Linux hosting, visit .

Matt Bacak became "#1 Best Selling Author" in just a few short hours. Recent Entrepreneur Magazine’s e-Biz radio show host is turning Authors, Speakers, and Experts into Overnight Success Stories.

Article Source: http://www.site-reference.com/articles/General/Linux-servers-Do-you-understand-the-difference.html

Choosing a Web Application Programming Language

Among computer programming languages, there is no single application that does all the different things, in all the different ways, that programmers need. Because of the great number and diversity of programming tasks, choosing a web application programming language has become a critically important step.

Fortunately, there is continuing development in the field, and today the number of capable applications is expanding. Database-driven websites can now be built with such varied scripting languages as PHP, ASP.NET, JSP, Perl and Cold Fusion, which fall into two main groups – proprietary and open-source. In the foregoing examples, all are open-source except the proprietary Cold Fusion and ASP.NET.

PHP pros and cons


As an open-source application, PHP was developed (and continues to be developed) by an active, engaged, international community of users. This is a great example of strength in numbers. Another strength of PHP, of course, is cost. It’s free.

Because it is free, open-source software, PHP can be compiled and “tweaked” for most any operating system. In fact, there are even pre-compiled versions available for the majority of operating systems, both commercial and freeware.

You can also relax a bit more with PHP, as you can count on its being updated and improved more often than other languages. In an open, collaborative and non-hierarchical environment, suggested improvements can be adopted quickly. Again, this is a strength that is derived from its open-source status.

PHP is a mature application, though younger than Perl, for instance. However, it does have a few weaknesses that may be minor annoyances to some, but deal-killers for other programmers. Its lack of event-based error handling means that your workflow may be interrupted by a sudden jump to a special error-handling section. Finally, its lack of case sensitivity for its function names will run afoul of many professionals’ long-established work habits.

ASP.NET = flexibility


ASP.NET is arguably the most flexible of the programming tools, and “plays nice” with both scripted languages (VBScript, Jscript, Perlscript, Python) and compiled ones (VB, C, Cobol, Smalltalk, Lisp). This flexibility is also apparent in the application’s compatibility with such development environments as WebMatrix, VisualStudio.NET and Borland’s Delphi and C++ Builder.

On the downside, ASP.NET is a memory hog and somewhat slower to execute than its competitors. For this kind of application, that can be a serious weakness – on the Internet, it may be called upon to scale to thousands of users per second. Its memory usage can easily become problematic on your server.

JSP (Java Server Pages)


JSP is an open-source scripting language supported by Oracle, so developers can use Oracle JDeveloper to create JSP pages. This can be accomplished without having to learn the Java language first, relieving you of the task of writing Java scriptlets. It is also extensible, allowing Java tag library developers to outfit it with simple tag handlers that use a new, simpler, cleaner tag extension Application Programming Interface (API).

JSP has integrated the JavaServer Pages Standard Tag Library (JSTL) expression language, and it now supports functions. This greatly eases the creation and maintenance of JSP pages.

The most significant disadvantage of JSP is that there is no XML-compliant version of JSP comments, forcing developers to use client-side, HTML/XML-style comments (or embed Java comments). Depending, once again, on your particular needs, this may or may not be sufficient reason to eschew the use of JSP.

A shiny Perl


An open-source language that is both mature and powerful, Perl offers web developers about every tool they need to create dynamic web pages. Like other open-source languages, it benefits tremendously from ongoing development, and the support offered by its international community of users is second to none.

Perl is particularly good for creating single websites quickly, cleanly and elegantly. If it has a major identifiable weakness, it is that it may be unnecessarily complicated. If you are not comfortable switching gears among a variety of syntaxes, it may not be the best tool for you.

The real ColdFusion


Originally built by Allaire and then purchased by Macromedia, ColdFusion is now owned by Adobe. It is very easy to get started building websites with it, and you can deploy powerful web applications and services with less training – and in less time, using fewer lines of code – than with PHP and JSP.

ColdFusion is now at version 8, although many programmers are still using the various iterations of ColdFusion MX, variously known as ColdFusion MX 6, ColdFusion MX 6.1, ColdFusion MX 7, ColdFusion MX 7.0.1, ColdFusion MX 7.0.2, ColdFusion 7, ColdFusion 7.0.1 and ColdFusion 7.0.2. However, ColdFusion MX to ColdFusion 8 is a valid upgrade path. In fact, upgrading to ColdFusion 8 is supported for the two most recent previous major releases of the program.

ColdFusion supports most major databases, from Oracle and Sybase to Microsoft SQL Server and Access. With its own markup language (CFML) and tags to connect to the database, it is relatively easy to create forms and dynamic pages. It also has all the benefits of CGI for today’s broad-based developers. Its weaknesses are few, but expert users will caution that it is probably the most difficult to maintain.

Bottom line


Secure and scalable web applications are important to every business with an Internet presence (which is every business today, isn’t it?) and can directly affect productivity, sales, reputation and profits. If you want to develop a web application and do not have the expertise in-house, any number of reputable web development firms can help you determine the right tools for your task.

Whether your application development happens in-house or with outside assistance, it is important that management understands the basics. You don’t have to become a programmer, of course, but to make good business decisions you do need to know what these powerful tools are all about. As long as you learn enough to help make the appropriate decision, you can leave the actual coding and compiling to the experts.


Moonrise Productions is a custom web design company specializing in custom web development and design. Whether you're in San Francisco, New York or you need social network web design – we're here to help and we have the team to do it right.