DOCSLIB.ORG

Securing Enterprise Web Applications at the Source: an Application Security Perspective

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securing Enterprise Web Applications at the Source: an Application Security Perspective Securing Enterprise Web Applications at the Source: An Application Security Perspective Author: Eugene Lebanidze [email protected] EXECUTIVE SUMMARY Purpose: This paper considers a variety of application level threats facing enterprise web applications and how those can be mitigated in order to promote security. Evidence shows that perhaps as many as sixty percent of attacks on enterprise web applications are facilitated by exploitable vulnerabilities present in the source code. In this paper we take the approach of examining the various threats specific to the application layer along with their corresponding compensating controls. Threats specific to each of the tiers of the n- tiered enterprise web application are discussed with focus on threat modeling. Compensating controls are addressed at the architecture, design, implementation and deployment levels. The discussion focuses around the core security services, namely confidentiality, integrity, authentication, authorization, availability, non-repudiation and accountability. The paper examines how these core security services are supported in the J2EE and .NET frameworks. Recommendations and standards from various organizations are considered in this paper (e.g. OWASP, NIST, etc.) We also recognize that development and deployment of a secure enterprise web-based application is dependent upon the organization’s enterprise security architecture (ESA) framework. Therefore, we map some elements of our discussion for security architecture and technology issues to the five rings of the enterprise security architecture model, particularly in the context of the Zachman Framework enterprise architecture (EA). While most of the web application security threats and mitigations discussed fall in rings four and five, we tie the local risk to the enterprise risk in ring one of the ESA. In this discussion we draw from the NIST special publications SP800-37 (“Guide for the Security C&A of Federal Information Systems) [20], SP800-64 (“Security Considerations in the Information System Development Life Cycle”) [16], SP800-53 (“Recommended Security Controls for Federal Information Systems”) [15], and SP800-26 (“Security Self- Assessment Guide for Information Technology Systems”) [14]. Security Criteria: The security criteria for evaluation of web application security revolve around the core security services collectively known as CI4A (Confidentiality, Integrity, Authentication, Authorization, Availability, Accountability). Non-repudiation is another security service commonly tied with accountability. In the context of enterprise web applications, confidentiality is concerned with the privacy of information that passes through or is stored inside the web application. Integrity ensures that the data used is free from deliberate or accidental modification. Authentication addresses verification of identities. Authentication can also be thought of in the context of source integrity. Authorization focuses on access rights to various application subsystems, functionality, and data. Availability, an often ignored aspect of security, is nevertheless an important metric for the security posture of the web application. Many attacks that compromise application availability exploit coding mistakes introduced at the application source level that could 2 have been easily avoided. Non-repudiation addresses the need to prove that a certain action has been taken by an identity without plausible deniability. Accountability, tied with non-repudiation, allows holding people accountable for their actions. There are a variety of known vulnerabilities that can be exploited in web applications to compromise the core security services outlined above (CI4A). While a provision of a complete taxonomy of attacks would be impractical, if not impossible, especially in light of an ever increasing ingenuity exhibited by hackers (not to mention a growing arsenal of hacking tools), it makes very good sense to consider the classes of vulnerabilities that a web application can contain that could be exploited by attackers to compromise CI4A. Having those classes of vulnerabilities in mind helps structure an assessment of application security and more importantly helps focus security analysis across all stages of application development, including requirement specification, architecture, design, implementation, testing, etc. One organization took the initiative to provide the top ten classes of vulnerabilities that plague modern enterprise web applications that have the greatest impact on CI4A. The Open Web Application Security Project (OWASP) has recommended the top ten list of application level vulnerabilities in web applications that make for a very useful security criteria compliance metrics. The top ten classes of vulnerabilities outlined by OWASP are: unvalidated input, broken access control, broken authentication and session management, cross site scripting (XSS) flaws, buffer overflows, injection flaws, improper error handling, insecure storage, denial of service and insecure configuration management [24]. Each of these is discussed in great detail subsequently in this paper. We also consider the various security criteria for certification and accreditation (C&A), as outlined in NIST SP800-37 (“Guide for the Security C&A of Federal Information Systems”) as they apply to development of enterprise web-based application. Certification analyzes risks local to the web application, such as potential vulnerabilities present in the source code and the corresponding compensating controls (Rings 4-5 of the ESA). On the other hand, accreditation focuses on enterprise level risks that may result from vulnerabilities found in a web-based enterprise application. Additional security criteria can be gathered from SP800-53 (“Recommended Security Controls for Federal Information Systems”) and SP800-26 (“Security Self-Assessment Guide for Information Technology Systems”). Secure enterprise web-based applications and their supporting technologies should follow the recommended security controls in SP800-53. Scope and Limitations: One of the most prevalent concepts in security is the defense in depth principle. This principle dictates that there should be multiple levels of protection to protect critical assets. The focus of this paper is on security of enterprise web applications from the perspective of application security. There are certainly other perspectives from which web application security could and should be evaluated. For instance, network security and host security also play a critical role. However, this paper focuses on application security because of the special significance that this security layer has come to play. Many attacks on corporate applications come form inside the network, thus rendering 3 such protection mechanisms as firewalls useless. Additionally, intrusion detection techniques will not work when the problem is poor input validation in the application. The point is that network and host security can often help fight the symptoms of the problem where the source of the problem is in the application source. This paper also discusses the architecture, design and deployment considerations that have security implications. It is often suggested that security is a process and not a product. We certainly believe that to be true since most secure software is the result of security aware software development processes where security is built in and thus software is developed with security in mind. In other words, throughout the various stages of the Software Development Lifecycle (SDLC), software project members are responsible for performing security related activities and producing/consuming security artifacts in order to provide a more structured approach to application security. Automation of source code analysis for security vulnerabilities should also be applied as part of any secure development process. We are omitting the discussion of security process in this paper due to time constraints, but it is implied that developers who apply secure coding techniques that we describe in this paper when developing secure enterprise web-based applications should operate in the context of a secure software development process. To learn more about integrating security in the SDLC please refer to the Comprehensive Lightweight Application Security Process (CLASP) authored by John Viega and available free from Secure Software (www.securesoftware.com) [11]. A secure development process should also incorporate C&A (NIST SP-800-37), various process level security controls (NIST SP-800-53) and contain various metrics for security self- assessment described in NIST SP-800-26. Additionally, a secure process will be part of the enterprise security architecture where both local risk (Rings 4-5) and enterprise risks (Ring 1) are mitigated. Summary of Conclusions: We conclude that J2EE and .NET platforms both have fairly comparable security models that provide extensive support for all of the core security services. Throughout this paper, as we discuss many of the specific compensating controls, we very often come back and tie our discussion to the key security principles. We cannot emphasize enough how critical it is for all members of the software project team to be familiar with and follow these principles because only solutions that comply with these principles will have any chance of providing true protection for the core security services. We introduced threat modeling as a critical ingredient for development of secure
Load more

Recommended publications
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)
    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
    [Show full text]
  • A Solution to Php Code Injection Attacks and Web
    INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS Vol.2 Issue.9, Pg.: 24-31 September 2014 www.ijrcar.com INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 A SOLUTION TO PHP CODE INJECTION ATTACKS AND WEB VULNERABILITIES Venkatesh Yerram1, Dr G.Venkat Rami Reddy2 ¹Computer Networks and Information Security, [email protected] ²Computer Science Engineering, 2nd [email protected] JNTU Hyderabad, India Abstract Over the decade web applications are grown rapidly. This leads to cyber crimes. Attacker injects various scripts to malfunction the web application. Attacker injects these scripts to text box of vulnerable web application from various compounds such as search bar, feedback form, login form etc and later which is executed by the server. Sometimes attacker modifies the URL to execute a successful attack. This execution of system calls and API on web server by attacker can damage the file system and or leaks information of web server. PHP is a server side scripting language, dynamic features and functionalities are controlled through the PHP language. Hence, the use of PHP language results in high possibility of successful execution of code injection attacks. The aim of this paper is first to understand the code web application vulnerability related to PHP code injection attack, the scenario has been developed. Secondly defeat the attack and fast incident determination from the developed domain dictionary. This proposed system is helpful for cyber forensics expert to gather and analyze the evidence effectively Keywords: Code Injection, vulnerabilities, Attack, cyber forensics 1. INTRODUCTION The web environment is growing rapidly day by day, the cyber crimes also increasing rapidly.
    [Show full text]
  • An Empirical Study of Web Resource Manipulation in Real-World Mobile
    An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, and Min Yang, Fudan University; Xiaofeng Wang, Indiana University, Bloomington; Long Lu, Northeastern University; Haixin Duan, Tsinghua University https://www.usenix.org/conference/usenixsecurity18/presentation/zhang-xiaohan This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications Xiaohan Zhang1,4, Yuan Zhang1,4, Qianqian Mo1,4, Hao Xia1,4, Zhemin Yang1,4, Min Yang1,2,3,4, Xiaofeng Wang5, Long Lu6, and Haixin Duan7 1School of Computer Science, Fudan University 2Shanghai Institute of Intelligent Electronics & Systems 3Shanghai Institute for Advanced Communication and Data Science 4Shanghai Key Laboratory of Data Science, Fudan University 5Indiana University Bloomington , 6Northeastern University , 7Tsinghua University Abstract built into a single app. For the convenience of such an integration, mainstream mobile platforms (including Mobile apps have become the main channel for access- Android and iOS) feature in-app Web browsers to run ing Web services. Both Android and iOS feature in- Web content. Examples of the browsers include Web- app Web browsers that support convenient Web service View [9] for Android and UIWebView/WKWebView for integration through a set of Web resource manipulation iOS [8, 10]. For simplicity of presentation, we call them APIs. Previous work have revealed the attack surfaces of WebViews throughout the paper.
    [Show full text]
  • A Study of Android Application Security
    A Study of Android Application Security William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri Systems and Internet Infrastructure Security Laboratory Department of Computer Science and Engineering The Pennsylvania State University enck, octeau, mcdaniel, swarat @cse.psu.edu { } Abstract ingly desire it, markets are not in a position to provide security in more than a superficial way [30]. The lack of The fluidity of application markets complicate smart- a common definition for security and the volume of ap- phone security. Although recent efforts have shed light plications ensures that some malicious, questionable, and on particular security issues, there remains little insight vulnerable applications will find their way to market. into broader security characteristics of smartphone ap- In this paper, we broadly characterize the security of plications. This paper seeks to better understand smart- applications in the Android Market. In contrast to past phone application security by studying 1,100 popular studies with narrower foci, e.g., [14, 12], we consider a free Android applications. We introduce the ded decom- breadth of concerns including both dangerous functional- piler, which recovers Android application source code ity and vulnerabilities, and apply a wide range of analysis directly from its installation image. We design and exe- techniques. In this, we make two primary contributions: cute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. We design and implement a Dalvik decompilier, • Our analysis uncovered pervasive use/misuse of person- ded. ded recovers an application’s Java source al/phone identifiers, and deep penetration of advertising solely from its installation image by inferring lost and analytics networks.
    [Show full text]
  • Creating Dynamic Web-Based Reporting Dana Rafiee, Destiny Corporation, Wethersfield, CT
    Creating Dynamic Web-based Reporting Dana Rafiee, Destiny Corporation, Wethersfield, CT ABSTRACT OVERVIEW OF SAS/INTRNET SOFTWARE In this hands on workshop, we'll demonstrate and discuss how to take a standard or adhoc report and turn it into a web based First, it is important to understand SAS/INTRNET software and its report that is available on demand in your organization. In the use. workshop, attendees will modify an existing report and display the results in various web based formats, including HTML, PDF Three components are required for the SAS/INTRNET software and RTF. to work. INTRODUCTION 1) Web Server Software – such as Microsoft’s Personal To do this, we’ll use Dreamweaver software as a GUI tool to Web Server/Internet Information Services, or the create HTML web pages. We’ll use SAS/Intrnet software as a Apache Web Server. back end tool to execute SAS programs with parameters selected on the HTML screen presented to the user. 2) Web Browser – Such as Microsoft’s Internet Explorer or Netscape’s Navigator. Our goal is to create the following screen for user input. 3) SAS/INTRNET Software – Called the Application Dispatcher. It is composed of 2 pieces. o SAS Application Server – A SAS program on a Server licensed with the SAS/INTRNET Module. o Application Broker – A Common Gateway Interface (CGI) program that resides on the web server and communicates between the Browser and the Application Server. These components can all reside on the same system, or on different systems. Types of Services 1) Socket Service: is constantly running, waiting for incoming Transactions.
    [Show full text]
  • SOAP Plug-In
    User Guide SOAP Plug-in Release 5.0 © 2010 Avaya Inc. All Rights Reserved. Notice While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Avaya Inc. can assume no liability for any errors. Changes and corrections to the information in this document may be incorporated in future releases. Documentation disclaimer Avaya Inc. is not responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. Link disclaimer Avaya Inc. is not responsible for the contents or reliability of any linked Web sites referenced elsewhere within this Documentation, and Avaya does not necessarily endorse the products, services, or information described or offered within them. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages. License USE OR INSTALLATION OF THE PRODUCT INDICATES THE END USER'S ACCEPTANCE OF THE TERMS SET FORTH HEREIN AND THE GENERAL LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE AT http://support.avaya.com/LicenseInfo/ ("GENERAL LICENSE TERMS"). IF YOU DO NOT WISH TO BE BOUND BY THESE TERMS, YOU MUST RETURN THE PRODUCT(S) TO THE POINT OF PURCHASE WITHIN TEN (10) DAYS OF DELIVERY FOR A REFUND OR CREDIT. Avaya grants End User a license within the scope of the license types described below. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the Documentation or other materials available to End User.
    [Show full text]
  • Pushing Data in Both Directions with Websockets, Part 2
    Menu Topics Archives Downloads Subscribe Pushing Data in Both CODING Directions with WebSockets, Part 2 Pushing Data in Both Directions Message Processing Modes with WebSockets, Part 2 Path Mapping Deployment of Server Using WebSockets’ long-lasting Endpoints connections to build a simple chat app The Chat Application by Danny Coward Conclusion January 1, 2016 Learn More In Part 1 of this article, I introduced WebSockets. I observed that the base WebSocket protocol gives us two native formats to work with: text and binary. This works well for very basic applications that exchange only simple information between client and server. For example, in the Clock application in that article, the only data that is exchanged during the WebSocket messaging interaction is the formatted time string broadcast from the server endpoint and the stop string sent by the client to end the updates. But as soon as an application has anything more complicated to send or receive over a WebSocket connection, it will find itself seeking a structure into which to put the information. As Java developers, we are used to dealing with application data in the form of objects: either from classes from the standard Java APIs or from Java classes that we create ourselves. This means that if you stick with the lowest-level messaging facilities of the Java WebSocket API and want to program using objects that are not strings or byte arrays for your messages, you need to write code that converts your objects into either strings or byte arrays and vice versa. Let’s see how that’s done.
    [Show full text]
  • Opentext Product Security Assurance Program
    The Information Company ™ Product Security Assurance Program Contents Objective 03 Scope 03 Sources 03 Introduction 03 Concept and design 04 Development 05 Testing and quality assurance 07 Maintain and support 09 Partnership and responsibility 10 Privavy and Security Policy 11 Product Security Assurance Program 2/11 Objective The goals of the OpenText Product Security Assurance Program (PSAP) are to help ensure that all products, solutions, and services are designed, developed, and maintained with security in mind, and to provide OpenText customers with the assurance that their important assets and information are protected at all times. This document provides a general, public overview of the key aspects and components of the PSAP program. Scope The scope of the PSAP includes all software solutions designed and developed by OpenText and its subsidiaries. All OpenText employees are responsible to uphold and participate in this program. Sources The source of this overview document is the PSAP Standard Operating Procedure (SOP). This SOP is highly confidential in nature, for internal OpenText consumption only. This overview document represents the aspects that are able to be shared with OpenText customers and partners. Introduction OpenText is committed to the confidentiality, integrity, and availability of its customer information. OpenText believes that the foundation of a highly secure system is that the security is built in to the software from the initial stages of its concept, design, development, deployment, and beyond. In this respect,
    [Show full text]
  • Modern Web Application Frameworks
    MASARYKOVA UNIVERZITA FAKULTA INFORMATIKY Û¡¢£¤¥¦§¨ª«¬­Æ°±²³´µ·¸¹º»¼½¾¿Ý Modern Web Application Frameworks MASTER’S THESIS Bc. Jan Pater Brno, autumn 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or ex- cerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Bc. Jan Pater Advisor: doc. RNDr. Petr Sojka, Ph.D. i Abstract The aim of this paper was the analysis of major web application frameworks and the design and implementation of applications for website content ma- nagement of Laboratory of Multimedia Electronic Applications and Film festival organized by Faculty of Informatics. The paper introduces readers into web application development problematic and focuses on characte- ristics and specifics of ten selected modern web application frameworks, which were described and compared on the basis of relevant criteria. Practi- cal part of the paper includes the selection of a suitable framework for im- plementation of both applications and describes their design, development process and deployment within the laboratory. ii Keywords Web application, Framework, PHP,Java, Ruby, Python, Laravel, Nette, Phal- con, Rails, Padrino, Django, Flask, Grails, Vaadin, Play, LEMMA, Film fes- tival iii Acknowledgement I would like to show my gratitude to my supervisor doc. RNDr. Petr So- jka, Ph.D. for his advice and comments on this thesis as well as to RNDr. Lukáš Hejtmánek, Ph.D. for his assistance with application deployment and server setup. Many thanks also go to OndˇrejTom for his valuable help and advice during application development.
    [Show full text]
  • Java Web Application with Database Example
    Java Web Application With Database Example Amerindian Verne sheafs very spaciously while Torrence remains blond and suprasegmental. Udall herdialyses strappers her sayings underselling afore, too shouldered furtively? and disciplinal. Collins remains pigeon-hearted: she barbarises Java and with web delivered to tomcat using an application server successfully authenticated Our database like to databases because docker container environment. Service to mask the box Data JPA implementation. Here is one example application by all credits must create. Updates may also displays in web delivered right click next thing we are looking for creating accounts, please follow this example application depends on. In role based on gke app running directly click add constraint public web application example by a middleware between records in your application for more than other systems. This is maven in java web framework puts developer productivity and dispatches to learn more? Now we tie everything is web application example? This file and brief other dependency files are provided anytime a ZIP archive letter can be downloaded with force link provided at the hen of this tutorial. Confirming these three developers to let see also with database access, jstl to it returns the same infrastructure. What database web container takes care of java and examples. As applications with database support plans that connect to implement nested class names and infrastructure to display correctly set outo commit multiple user interface for. The wizard will ask you to select the schema and the tables of your database and allows you to select the users and groups tables, run related transactions, the last step is to create XML file and add all the mappings to it.
    [Show full text]
  • The OWASP Application Security Program Quick Start Guide
    Quick Start Guide The OWASP Application Security Program Quick Start Guide Five Days to Setting Up an Application Security Program Quickstart Guide About this Guide This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life- cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application. The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to: 1. The number of vulnerabilities present in an application 2. The time to fix vulnerabilities 3. The remediation rate of vulnerabilities 4. The time vulnerabilities remain open The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas. Audience The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.
    [Show full text]
  • Attacking AJAX Web Applications Vulns 2.0 for Web 2.0
    Attacking AJAX Web Applications Vulns 2.0 for Web 2.0 Alex Stamos Zane Lackey [email protected] [email protected] Blackhat Japan October 5, 2006 Information Security Partners, LLC iSECPartners.com Information Security Partners, LLC www.isecpartners.com Agenda • Introduction – Who are we? – Why care about AJAX? • How does AJAX change Web Attacks? • AJAX Background and Technologies • Attacks Against AJAX – Discovery and Method Manipulation – XSS – Cross-Site Request Forgery • Security of Popular Frameworks – Microsoft ATLAS – Google GWT –Java DWR • Q&A 2 Information Security Partners, LLC www.isecpartners.com Introduction • Who are we? – Consultants for iSEC Partners – Application security consultants and researchers – Based in San Francisco • Why listen to this talk? – New technologies are making web app security much more complicated • This is obvious to anybody who reads the paper – MySpace – Yahoo – Worming of XSS – Our Goals for what you should walk away with: • Basic understanding of AJAX and different AJAX technologies • Knowledge of how AJAX changes web attacks • In-depth knowledge on XSS and XSRF in AJAX • An opinion on whether you can trust your AJAX framework to “take care of security” 3 Information Security Partners, LLC www.isecpartners.com Shameless Plug Slide • Special Thanks to: – Scott Stender, Jesse Burns, and Brad Hill of iSEC Partners – Amit Klein and Jeremiah Grossman for doing great work in this area – Rich Cannings at Google • Books by iSECer Himanshu Dwivedi – Securing Storage – Hackers’ Challenge 3 • We are
    [Show full text]