security

Are there any published frameworks or standards for passwords and website membership?

I am currently working on a project in which we are creating a large public website for my organization. This site is going to allow our clients to register and log in to obtain sensitive personal information. From experience I know some of the basics like requiring a complex password and requiring an email address for a password reset ...

Is “Code Access Security” of any real world use?

I am in the process of studying for the 70-536 .NET Framework - Application Development Foundation Exam; as I have been programming .net for many years, this should not be hard! However, I am having to learn about “Code Access Security” (CAS). As I have never had a need to use or configure it, I was wondering if anyone else has found a ...

How to configure my app to not list all available actions in my Users controller?

When I navigate to: http://localhost:3000/users/1 I get a page that says simply: Unknown action No action responded to show. Actions: create, current_user, logged_in?, login_required, new, and redirect_to_target_or_default Isn't this a security risk since it tells users of my app exactly which methods are available in my User...

Information about RAM management in OS Linux, protection programs

I'm writing a report and presentation for my college titled "Protection runtime program in RAM. Examples of work with the protected program." I'm using Linux. I divided my report into two parts: Description of the RAM management technology in the Linux OS - Allocated memory for applications - Protection of the stack of one application from other applica...

How much risk is exposing all the sources to a third party?

I've been arguing with a co-worker about how necessary it is to wipe or destroy the hard disks that were used for storing the sources and are replaced with bigger ones or discarded. His point is that no piece of source code exposed to a third party gives that party any competitive advantage. My point is that it only takes ten minutes to...

Implementing Row-Level Security – (SPs vs LINQ to Objects)

Hi all, I believe this is more a question about best practices and design than anything else. I tried searching for similar queries regarding this but couldn’t find any. I actually found the Row Level Security with Entity Framework but I believe the context here is a bit different. I will try to explain my scenario first: I have a .ne...

Spring security - SecurityContext.authentication null in taglib and jsp but ok in controller

Hi all, I've been struggling with this issue for a little while now. Found several posts about it but none solved my problem. It will probably have something to do with the fact that a SecurityContext is bound to a specific Thread, but even then I do not know how to solve it: Consider the following code to retrieve the user that was logged i...

Security with JSP/JavaBeans/Servlets/MySQL

Background An HTML page will ask the user to type their username and password. These are credentials for a MySQL database (i.e. they will be used in the JDBC connection so that no password is physically stored in the files). On submit a servlet will be called which tries to connect to the database. If it can, the credentials are correct and...

Providing dynamic username & password strings to an Applet in a secured way

I have an applet which connects to an SFTP server to download a file. The login credentials need to be included within the applet so that the user will only select the download location and the download process will start. Login credentials are dynamic based on some business logic. Now I need to decide the approach to pass the dynamic login ...

WCF ServiceSecurityContext Storage right for custom data?

I have a WCF application that is using Windows Authentication. So a Windows Principal object is what I will find in the System.Threading.Thread.CurrentPrincipal() property. That is all fine. However, I also have a custom principal object that is used for finer grained authorizations and auditing. This is a domain user, not a windows us...

Experience with billing systems

It would be very useful to have feedback on the various APIs and services that let you bill the customers, so it's possible to compare: Security; Quality of API; Commercial reliability; Number of languages that can use it; General usage of them; Ease of set up; Economic price; Technical price. I'm thinking here of course of Paypal, Goo...

SOAP WS-Security TimeStamp

I need to implement SOAP WS-Security using TimeStamp. The SOAP header should have a Timestamp and expiration time, and the message should expire if it exceeds the Expiration time. I went through the MSDN links here and here. These links discuss specifying custom properties (Created & Expires) added to the header and initialized before sending any reque...

How can you display Authorizations or ACLs in a usable way?

Clients need to know who can do what in an application. When someone leaves a company or joins it or roles change, application permissions get lost in the shuffle. They aren't visible, so they aren't noticed. How can we best represent this to our users so they can see and take action on bad permissions or ACLs? Is it better to show ...

WindowsTokenRoleProvider Catastrophic Failure

I'm having a really frustrating error trying to secure an ASP.NET application using the WindowsTokenRoleProvider. For a particular user I'm seeing the following ProviderException thrown: API failed due to error 'Catastrophic failure As I said, this only seems to happen for a particular user, I seem to be able to access the site fine a...

ASP.Net page access directory on another server.

I need to let an aspx.cs file run code to enumerate the contents of a directory on another server altogether. Basically, use a Directory object, etc. Here is what I can piece together (I'm really not a network rights guy at all, so this is all confusing to me.) When a user loads my aspx page, that page, code behind, is actually runnin...

Securing .net web services for flex/flash/AIR applications

What would be the best way to secure .net web services used by a flex application (both desktop and browser) that requires login? I thought about requesting the user and password in every method of the web service, and having them stored as variables in the flex app, but I don't feel like this is the most elegant way. suggestions? tha...

Is setting the uploads folder to 777 permissions secure?

I have seen a lot of upload forms hacked, and some had some really good security checks of the file being uploaded (at least I think so), but still somebody managed to upload a PHP file. I was wondering: is there a way to upload a file in the uploads folder that has 777 permissions? I am thinking of using HTTP PUT. ...

Using ASP.Net to launch an application on the SERVER on a specific desktop

Hi All, I've got a number of utilities that run on the same machine as my IIS webserver. What I'm trying to do is allow a web page to instantiate an executable. If I use Process.Start(), the process launches, but obviously as the same user as the webserver, so it can't interact with the desktop. For 99% of the apps, this isn't a problem. ...

LsaEnumerateAccountRights always returns "File not found"

I'm calling the Advapi32.dll LsaEnumerateAccountRights function with a policy handle from LsaOpenPolicy and an account SID from LookupAccountName. However, try as I might, I'm always getting back 0xC0000034, which after translation by LsaNtStatusToWinError gives me "The file referenced cannot be found." Which isn't a whole lot of good...

SQL Server user name functions -- CONFUSED

Consider this T-SQL: CREATE USER my_test_user WITHOUT LOGIN; SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name(); EXECUTE AS USER = 'my_test_user' WITH NO REVERT; SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name(); I'm looking at using these accounts WITHOUT LOGIN for auditing purposes. Basically, my "get...