I'm looking for the concept to spawn a process such that:
it has only access to certain libraries/APIs
it cannot access the file system or only specific parts
it can do least harm should malicious code run in it
This concept is known as sandbox or jail.
It is required to do this for each major Operating system (Windows, MacOSX and Li...
How do I check from within my NSIS installer if my installer has the blocked option in preferences on it.
Even if you know of a way to check this without NSIS, please let me know so I can script it myself.
See this question to find out more info about this blocked option.
...
Silverlight works on client side so putting any sensitive data like connection strings, passwords etc. in the code seems not to be a good thing. I want to build whole web app in Silverlight doing lots of authorization and database querying things. How to make it safe? Any tips & tricks and what things should I avoid?
...
Update: I didn't know I would be getting too many replies so fast. I can provide more details. It is definitely for use within the company. I was looking for some info on whether I should be more careful or anything to watch out for...
My boss is asking me to put some tracking info on what users do with their application. It is not abou...
A few years ago I developed a web app for which we wanted to make sure the users weren't sharing credentials.
One of the things we decided to do, was only allow the user to be logged in from one computer at a time. The way I did this, was to have a little iframe ping the server every N seconds; as long as the server had a heartbeat for ...
If you want a cryptographically strong random number in Java, you use SecureRandom. Unfortunately, SecureRandom can be very slow. If it uses /dev/random on Linux, it can block waiting for sufficient entropy to build up. How do you avoid the performance penalty?
Has anyone used Uncommon Maths as a solution to this problem?
Can anybody co...
Hello all,
Is it possible to impersonate a user without supplying user name/password? Basically, I'd like to get the CSIDL_LOCAL_APPDATA for a user (not the current one) using the ShGetFolderPath() function. All I currently have is a SID for that user.
Thanks in advance.
...
Anyone familiar with specific security issues in the current version of DotNetNuke?
(I've already checked out their site, securityfocus, etc...)
I've reopened the question, since my client developed their system using DotNetNuke - hence it is a programming question. I just need to know some issues regarding this platform.
...
The CSRF prevention built in to Rails is causing some problems for some automated load testing we are doing, and I want to turn it off for the duration of the process. How do I do this?
...
What is the best way to survey and detect bad user behavior or attacks like denial of service or exploits on my web app?
I know server statistics (like Awstats) are very useful for that kind of purpose, especially to see 3XX, 4XX and 5XX errors (here's an Awstats example page) which are often bots or bad-intentioned users that try wel...
Firstly: this may be a not-programming-related-question.
However: As a programmer who is very concerned about security, this is a question which weighs heavily on my mind, and directly affects my activities as a programmer.
The weak point in my systems is nothing about the systems themselves, but rather the users. So, what I nee...
I'm going over some client code I've inherited for doing secure communication over HTTPS, and it seems that it's not checking the common name in the server certificate (e.g. 'CN = "example.com"') against the actual URL that's being requested. This is probably deliberate, since our client app is required to talk to various environments, so ...
I need to write code that picks up PGP-encrypted files from an FTP location and processes them. The files will be encrypted with my public key (not that I have one yet). Obviously, I need a PGP library that I can use from within Microsoft Access. Can you recommend one that is easy to use?
I'm looking for something that doesn't require ...
I have written an assembly I don't want other people to be able to use. My assembly is signed with a strong name key file, but how do I secure the code so that only my other assemblies signed with the same key can call the members in this assembly?
...
I realize that parameterized SQL queries are the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string with single quotes. Here's the code:
sSanitizedInput = "'" & Replace(sInput, "'", "''") ...
Hi
When I try to configure security through the admin console of Websphere it just hangs.
It's at the last step of the below 4 steps
Step 1: Specify extent of protection
Step 2: Select user repository
Step 3: Configure user repository
Step 4: Summary
Here are the extracts from my console
[26/09/08 13:50:56:539 IST] 0000001f Ser...
I'm trying to grok the purpose of .NET's SecureString. From MSDN:
An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted...
I'm looking to write a config file that allows for RESTful services in WCF, but I still want the ability to 'tap into' the membership provider for username/password authentication.
The below is part of my current config using basicHttp binding or wsHttp w/out WS Security, how will this change w/ REST based services?
<bindings>
<wsHt...
I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.
On some machines, you get an IE "yellow bar" when trying to open the f...
I've heard that the automotive industry has something called MISRA C.
What are the relevant standards for other high reliability/availability/security industries, such as
Space
Aircraft
Banking/financial
Automotive
Medical
Defense/Military
???
...