security

Has anyone successfully used signature timestamps in a java applet?

Java 1.5 added an enhancement to support signature timestamps. The idea, as far as I can tell, is that signed jar files should not become invalid just because the code signing certificate has expired, as long as the files were signed while the certificate was valid. In theory, this means we do not have to re-sign and redeploy our appli...

What is NV32ts and its SQL Injection Attack trying to do?

I have been getting a number of attacks on my website lately, with a User-Agent of NV32ts. They all are some variation of the following injection attacks against a querystring variable (where 99999 represents a valid querystring value, the attack is appended to the value): (For convenience I have urldecoded the following attacks) 9999...

SMO scripting objects and security

I have a customer that has a SQL database on a hosted server; call the db "myDatabase". The hosting co. has locked down object explorer - I can't see myDatabase listed (I see tempdb and master). However, if I "use myDatabase" and then "select * from myTable", all works fine. Since we have no access to object explorer, I can'...

How do you monitor network traffic on the iPhone?

We are looking for a Wireshark-like tool to use on the iPhone to test a 3rd party application before partnering with the 3rd party. Any suggestions? ...

How secure is IP address filtering?

I'm planning to deploy an internal app that has sensitive data. I suggested that we put it on a machine that isn't exposed to the general internet, just our internal network. The I.T. department rejected this suggestion, saying it's not worth it to set aside a whole machine for one application. (The app has its own domain in case that's ...

is_numeric or a numeric preg_match?

I read on a forum that you can't completely trust is_numeric(). It lets through "0xFF" for example which is an allowed hexadecimal... So my question is can you trick is_numeric? Will I need to use a regex to do it correctly? ...
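As an added illustration of the point raised in this question (this is example code, not from the question or its answers), the script below compares PHP's loose is_numeric() with filter_var(FILTER_VALIDATE_INT) and an anchored regex on the same inputs. The function names is_strict_int and classify and the sample inputs are mine. Behaviour noted in the comments is PHP's documented behaviour: is_numeric("0xFF") is true on PHP 5.x and false from PHP 7.0; leading whitespace has always been accepted by is_numeric(), trailing whitespace only since PHP 8.0.

```php
<?php
// Added example: loose vs strict numeric validation in PHP.
// Function names and sample inputs are assumptions for illustration.

declare(strict_types=1);

/**
 * Strict "identifier-like" integer: optional minus sign, no leading zeros,
 * no whitespace, no exponent, no hex prefix.
 * \A and \z anchor at the absolute start and end of the string; a plain $
 * would still match "42\n", because $ also matches before a final newline.
 */
function is_strict_int(string $s): bool
{
    return preg_match('/\A-?(?:0|[1-9][0-9]*)\z/', $s) === 1;
}

/** Run three validators over one input and return their verdicts. */
function classify(string $s): array
{
    return [
        // is_numeric: accepts leading whitespace, exponents, a bare ".5",
        // hex on PHP 5.x, and trailing whitespace from PHP 8.0.
        'is_numeric' => is_numeric($s),
        // FILTER_VALIDATE_INT: trims surrounding whitespace, rejects leading
        // zeros, exponents, fractions and hex (unless FILTER_FLAG_ALLOW_HEX).
        'filter_int' => filter_var($s, FILTER_VALIDATE_INT) !== false,
        // The anchored regex above: rejects everything that is not a plain
        // decimal integer, including surrounding whitespace.
        'strict_re'  => is_strict_int($s),
    ];
}

// Constructed sample inputs, including a few that look like attack payloads.
$samples = ['42', '-7', '0xFF', '1e3', '.5', ' 42', "42\n", '007', '1 OR 1=1'];

foreach ($samples as $s) {
    $r = classify($s);
    printf("%-12s is_numeric=%-5s filter_int=%-5s strict_re=%s\n",
        json_encode($s),
        $r['is_numeric'] ? 'true' : 'false',
        $r['filter_int'] ? 'true' : 'false',
        $r['strict_re']  ? 'true' : 'false');
}
```

On PHP 7 or later the run shows is_numeric() alone accepting "1e3", ".5", " 42" and "007", FILTER_VALIDATE_INT additionally accepting " 42" and "42\n" because it trims whitespace, and only the anchored regex rejecting everything except "42" and "-7". Whichever validator is chosen, the value should still reach the database as a bound parameter or an explicit (int) cast rather than by string concatenation; validation narrows the input, it does not replace parameterisation.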

Do stackoverflow users agree with the CWE/SANS Top 25 most dangerous programming mistakes?

Report released today on the "top 25" most dangerous programming mistakes. I'm interested to see if any here agree or can spot any glaring omissions (or outdated inclusions). Also, in your opinion which modern dev tools/frameworks are improving (or worsening) these flaws for things like authorization, SQL injection, or code injection? ...

How can I recursively browse all content of IIS?

I have the following program to browse all virtual directories and their subdirectories and files (recursively): static void Main(string[] args) { string serverName = Environment.MachineName; DirectoryEntry dir = new DirectoryEntry("IIS://" + serverName + "/W3SVC/1/ROOT", @"adminusername", @"password"); ...

How to securely trigger a Swing-Action in a restricted applet?

I simply want to call a swing action from my own popup menu. But since there is a security manager I need a solution to invoke this action without calling it directly. For instance the paste action of a text component will fail, because sun.swing.SwingUtilities2 cannot be loaded if there is any of my classes in the call stack. Is there ...

Why should I Use ASP.NET Membership security model?

I'm updating my website at the moment and figure that if I am to update my login/security model, now is a good time. I have looked through the Membership model which is included in ASP.NET but I'm not convinced that it will provide any benefit apart from being familiar to other .NET developers. There seems to be quite a lot of documentatio...

WCF Security: What is best for intranet with mostly java clients?

The data is not sensitive, I am really only considering security so that I can keep track of who is calling our system. I thought of just having each 'client' send an 'api-key' in the request and cross-check against a list of valid keys. I could then log the request and monitor activity by client. Note: performance is very critical so...

Are there any laws when working with confidential financial data?

I have been asked to build a web application that will be used to store and manipulate sensitive financial data for a private lending firm. Before I bite off more than I can chew, I am trying to figure out if there is anything I should know about legally hosting and securing this kind of information. I have read much about PCI compliance...

Is there some sort of secure local storage on Windows?

I was thinking of making a small tool. It is not important what the tool will do. The important thing, is that the tool will need to store some sensitive information on the user's HDD. EDIT: The information that will be stored is USER'S information - I'm not trying to protect my own content, that I distribute with the app. I understand ...

How to test that I configured Subversion Path Based Authorization in the right way?

The problem is about security settings of the Subversion repository served through the Apache web server. I use Path Based Authorization to protect some company information from external collaborators. I need something that tests that authorization is given to the people I want, i.e. I need to check that I haven't made mistakes in t...

How can I protect MySQL username and password from decompiling?

Sadly, Java classes can be decompiled pretty well. How can I protect my database if I have to use the login data in the code? ...

Blank Password Conundrum

I've hit a blank here and would appreciate a kick start. I have two password textboxes on a page, and on load I default their value properties to a string of '*', since I don't want to display the proper password, or even hint at its length. Now I don't want to confuse users by letting them edit these blank strings, so on focus I clear...

Windows equivalent of OS X Keychain?

Is there an equivalent of the OS X Keychain, used to store user passwords, in Windows? I would use it to save the user's password for a web service that my (desktop) software uses. From the answers to this related question (Protecting user passwords in desktop applications (Rev 2)) and the multitude of third party password storage tools...

How to configure ActiveMQ to assign an 'anonymous' user and role to non-authenticated users

I wish to set up an ActiveMQ instance (primarily as a STOMP server) which will service requests from two types of clients: authenticated users, which can read and write to topics, and non-authenticated users, which can only read from topics. I have been using the SimpleAuthenticationBroker so far and I cannot see any way to configure the above...

SQL Server and asp.net application security models / best practice

For my asp.net web applications against SQL Server (at least the ones that require a logon to access) I generally implement security as follows: I generally roll my own user signup and user login pages and keep a userid and an encrypted password in an SQL Server table and validate the login against that table - I also provide for forgotten passwo...

simple authorisation / login capability in php

Hi, I'm looking to implement user login onto my site for the first time. I'm happy to either build my own solution, or implement something open source, however no package has been an obvious choice in my search so far. Equally, I'm fully aware that as an intermediate php programmer at best, I am highly likely to miss something obvious...