security

Best way to handle user account authentication and passwords

What is the best way to handle user account management in a system without having your employees who have access to a database also have access to the accounts? Examples: Storing username/password in the database. This is a bad idea because anyone that has access to a database can see the username and password, and hence use it. Sto...

Loading Assemblies from the Network

This is related to this question and the answer may be the same, but I'll ask anyway. I understand that we can start managed executables from the network from .NET 3.5 SP1, but what about assemblies loaded from inside the executable? Does the same thing apply? ...

NHibernate and shared web hosting

Has anyone been able to get an NHibernate-based project up and running on a shared web host? NHibernate does a whole lot of fancy stuff with reflection behind the scenes but the host that I'm using at the moment only allows applications to run in medium trust, which limits what you can do with reflection, and it's throwing up all sorts ...

How do I get rid of a hard disk without exposing my source code?

What is the proper way to dispose an old hard disk which contains my source code and other intellectual property? I was about to throw it away in the recycle box but thought better to check it with SO users first. ...

Is there a way to keep a page from rendering once a person has logged out but hit the "back" button?

I have some website which requires a logon and shows sensitive information. The person goes to the page, is prompted to log in, then gets to see the information. The person logs out of the site, and is redirected back to the login page. The person then can hit "back" and go right back to the page where the sensitive information is con...

How to force nolock hint for sql server logins

Does anyone know of a way to force a nolock hint on all transactions issued by a certain user? I'd like to provide a login for a support team to query the production system, but I want to protect it by forcing a nolock on everything they do. I'm using SQL Server 2005. ...

VB.NET on Vista, trying to get date (Today) causes security exception

I have a VB6 program that someone recently helped me convert to VB.NET. In the program, when saving files, I stamp them with the date, which I was getting by calling the Today() function. When I try to run the new VB.NET code in Vista it throws a permission exception for the Today(). If I run Visual Studio Express (this is the 2008 Exp...

What does a PHP developer need to know about https / secure socket layer connections?

I know next to nothing when it comes to the how and why of https connections. Obviously, when I'm transmitting secure data like passwords or especially credit card information, https is a critical tool. What do I need to know about it, though? What are the most common mistakes you see developers making when they implement it in their ...

How do I run a program as nobody?

I want a user-privileged (not root) process to launch new processes as user "nobody". I've tried a straight call to setuid that fails with -1 EPERM on Ubuntu 8.04:

    #include <sys/types.h>
    #include <unistd.h>

    int main() {
        setuid(65534);   /* 65534 is the uid of "nobody" on this system */
        while (1);
        return 0;
    }

How should I do this instead? ...

In a client-server application: How to send to the DB the user's application password?

I have a Java desktop application which connects directly with the DB (an Oracle). The application has multiple user accounts. What is the correct method to send the user's password (not the DB password) over the network? I don't want to send it in plain text ...

Is it worth encrypting email addresses in the database?

I'm already using salted hashing to store passwords in my database, which means that I should be immune to rainbow table attacks. I had a thought, though: what if someone does get hold of my database? It contains the users' email addresses. I can't really hash these, because I'll be using them to send notification emails, etc. Should ...

What are the best practices for avoiding XSS attacks in a PHP site?

I have PHP configured so that magic quotes are on and register globals are off. I do my best to always call htmlentities() for anything I am outputting that is derived from user input. I also occasionally search my database for common things used in XSS attacks such as... <script What else should I be doing and how can I make sure th...

Penetration testing tools

We have 100s of websites which were developed in ASP, .NET and Java... and we are paying a lot of money for an external agency to do penetration testing of our sites to check for security loopholes. Is there any (good) software (paid or free) to do this? Or are there any technical articles which can help me develop this tool? ...

How do I set the HttpOnly flag on JSF/Richfaces

I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas? ...

What should a developer know before building a public web site?

What things should a programmer implementing the technical details of a web site address before making the site public? If Jeff Atwood can forget about HttpOnly cookies, sitemaps, and cross-site request forgeries all in the same site, what important thing could I be forgetting as well? I'm thinking about this from a web developer's per...

What is the best way to stop people hacking the PHP-based highscore table of a Flash game?

I'm talking about an action game with no upper score limit and no way to verify the score on the server by replaying moves etc. What I really need is the strongest encryption possible in Flash/PHP, and a way to prevent people calling the PHP page other than through my Flash file. I have tried some simple methods in the past of making m...

What is the best way to check the strength of a password?

See also How do you compute password complexity? What is the best way of ensuring that a user supplied password is a strong password in a registration or change password form? EDIT: one idea I had (in python) def validate_password(passwd): conditions_met = 0 conditions_total = 3 if len(passwd) >= 6: if passwd.lowe...

Production, Test, Developer Environments vs Security

What are current practices for enabling developers to build systems that contain private data? Can anyone point to a "best practices" guide for that sort of thing? We have a Catch-22 here in that developers need to write applications that go against systems that have data that is considered "private." The IT administration would like fo...

Which of these scripting languages is more appropriate for pen-testing?

First of all, I want to avoid a flame war on languages. The languages to choose from are Perl, Python and Ruby. I want to mention that I'm comfortable with all of them, but the problem is that I can't focus on just one. If, for example, I see a cool Perl module, I have to try it out. If I see a nice Python app, I have to know how it's...

What is the best way to create a security architecture?

I'm designing a portal's security architecture. The site has pages, videos, pictures, users, databases, file system objects, etc. What is the best way to control access to all of these objects? How would you store permissions? Is a 64-bit database variable enough for storing permissions? E.g. Windows employs ACLs and SIDs. Do you have ...