I'm doing research on coding requirements for medical applications but I can't find anything useful/structured. Basically I'm looking for a structured (if possible XML file) document with the list of security requirements. For example what kind of encryption they should use, what features of the app should be disabled by default, what l...
Are there any tools to test the security of your rails application?
Things that can automatically test for SQL injection, cross-site scripting, etc...
...
Our workstations are not members of the domain our SQL Server is on. (They're not actually on a domain at all - don't ask).
When we use SSMS or anything to connect to the SQL Server, we use RUNAS /NETONLY with DOMAIN\user. Then we type in the password and it launches the program. (RUNAS /NETONLY does not allow you to include the pass...
Like the title says, I've been asked to come up with an estimate for retrofitting an existing ASP application.
The current security mechanism controls access to different parts of the application (page-level restrictions), but has no mechanism for flagging individual records as restricted. Assigning rights to a user (using the existing...
We have an ASP.NET web forms application that is probably vulnerable to a cross-site request forgery (CSRF) attack. How do we begin to write a unit test that will alert us to this? Using NUnit. Some tips or pointers would be great.
...
I have a BUNCH of $_POST variables being sent in via a long form and instead of hard coding each one with a mysql_escape_string() is it OK for me to do the following? I don't know if this is actually safe and/or viable code.
foreach ($_POST as &$post_item) {
    $post_item = mysql_escape_string($post_item);
}
unset($post_item); // drop the reference, otherwise the last array element stays aliased to $post_item
// mysql_escape_string() ignores the connection character set; mysql_real_escape_string() is the charset-aware form
I'm fairly certain that be...
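An added example, not code from the question: a Python/SQLite stand-in for the PHP/MySQL form handler that shows why escaping every field is not a substitute for parameterised queries. `escape_string` is a hypothetical stand-in for mysql_escape_string() (it doubles quotes, the SQLite convention, instead of backslash-escaping them), and the table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    """In-memory SQLite database standing in for the MySQL table behind the form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_string(value):
    """Hypothetical stand-in for mysql_escape_string(): neutralises quote characters so the
    value can sit inside a '...' literal.  SQLite escapes a quote by doubling it rather than
    with a backslash, but the limitation shown below is the same in both dialects."""
    return str(value).replace("'", "''")


def find_by_name_escaped(conn, name):
    """Escaped value interpolated inside a quoted string literal: escaping does its job here."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_string(name)
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    """The same blanket escaping, but the value lands in a numeric context with no surrounding
    quotes.  There is nothing for the escaper to neutralise, so 'OR 1=1' reaches the parser."""
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_string(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, user_id):
    """Parameterised query: the driver sends the value separately, so it is never parsed as
    SQL, whatever it contains and whichever context the placeholder sits in."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "' OR '1'='1"))  # escaping holds inside the quoted literal
    print(find_by_id_escaped(db, "1 OR 1=1"))       # every row comes back: nothing was escaped
    print(find_by_id_param(db, "1 OR 1=1"))         # the bound text matches no id
    print(find_by_id_param(db, 1))
```

The escaping loop only helps where the value is later wrapped in quotes; in a numeric comparison, an ORDER BY column, a LIMIT clause or a table name it gives no protection at all, and it also leaves every later `$_POST` read with an already-escaped value. Prepared statements (PDO or mysqli in PHP) cover every context and let the raw form values stay raw.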
I developed an application that uses the Apache XML Security library for XML encryption and signing. It runs on Sun's JDK without any problems, however, IBM's JDK gives me tons of problems.
It doesn't sign right (validation fails), pkcs11 provider fails to encrypt.
It seems that problem is because IBM provides their own security providers. ...
I'm trying to do some very simple request throttling on my ASP.NET web project. Currently I'm not interested in globally throttling requests against DoS attacks, but would like to artificially delay the response to all login attempts, just to make dictionary attacks a bit harder to do (more or less like Jeff Atwood outlined here).
How wo...
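An added example, not the poster's code and not Jeff Atwood's: a Python sketch of the per-account login delay the question describes, kept as a plain class so the same logic can be ported to an ASP.NET login handler. The credential store, salt and usernames are constructed for the demo, and the sleeper and clock are injectable only so the delays can be checked without real waiting.

```python
import hashlib
import hmac
import time

# Constructed salt for the demo credential store; a real system stores a random salt per user.
DEMO_SALT = b"demo-salt-not-for-production"


def password_digest(password):
    """Salted SHA-256, hex-encoded.  Stand-in only: use bcrypt/scrypt/argon2 for real storage."""
    return hashlib.sha256(DEMO_SALT + password.encode("utf-8")).hexdigest()


class LoginThrottle:
    """Per-account failed-login counter whose response delay doubles with each failure.

    The delay starts at base_delay after the first failure and is capped at max_delay; the
    counter resets after `window` seconds without a failure.  `sleeper` and `clock` default to
    the real ones and are injectable so tests can verify the delays without waiting."""

    def __init__(self, base_delay=0.5, max_delay=8.0, window=900.0,
                 sleeper=time.sleep, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self._sleep = sleeper
        self._clock = clock
        self._failures = {}  # username -> (consecutive failures, time of last failure)

    def delay_for(self, username):
        """Seconds to wait before answering the next attempt for this account."""
        count, last = self._failures.get(username, (0, 0.0))
        if count == 0 or self._clock() - last > self.window:
            return 0.0
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def record(self, username, success):
        """Reset the counter on success, otherwise bump it (starting over if the window lapsed)."""
        if success:
            self._failures.pop(username, None)
            return
        count, last = self._failures.get(username, (0, 0.0))
        if self._clock() - last > self.window:
            count = 0
        self._failures[username] = (count + 1, self._clock())


def attempt_login(throttle, users, username, password):
    """Return True on a correct password.  The delay is paid before the credentials are checked,
    so a correct guess against a throttled account waits exactly as long as a wrong one and the
    response time reveals nothing about which it was."""
    throttle._sleep(throttle.delay_for(username))
    stored = users.get(username)
    # Constant-time comparison of the two digests.
    ok = stored is not None and hmac.compare_digest(stored, password_digest(password))
    throttle.record(username, ok)
    return ok


if __name__ == "__main__":
    users = {"alice": password_digest("correct horse battery staple")}
    throttle = LoginThrottle(base_delay=0.1)
    for guess in ["password", "123456", "letmein", "correct horse battery staple"]:
        start = time.monotonic()
        ok = attempt_login(throttle, users, "alice", guess)
        print("%r: ok=%s, waited %.2fs" % (guess, ok, time.monotonic() - start))
```

Keying the delay by account rather than by client address means an attacker cannot reset it by rotating IPs, but it also lets anyone slow down a victim's logins; the cap bounds that, and a per-IP limit would be a separate layer on top. Sleeping inside the request handler also holds a worker thread for the duration, which is the reason the delay should stay small and capped.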
We use JSP, servlets and beans with a MySQL database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how do I make sure the output is not changed for malicious activities? Is there a way, while sending the output, that I could check if extra code has been sent? Like suppose there is a search in...
I know that using SSL is one way to do this. I go to websites like Facebook and LinkedIn and see that they only use https when they are dealing with sensitive data like passwords and personal settings. How is this done? How are they able to implement https on some websites while using http on others, while still remaining secure, or are ...
Is there any way to completely disable Java security manager?
I'm experimenting with the source code of db4o. It uses reflection to persist objects and it seems that the security manager doesn't allow reflection to read and write private or protected fields.
My code:
public static void main(String[] args) throws IOException {
System.out....
I had a recent unfortunate event. I host a business partner's SQL Server 2005 server, and the "sa" password was mysteriously changed (nobody wants to take responsibility for it). So I was wondering, is there a way I can configure SQL Server 2005 to log all password changes?
I know that could be achieved with Windows Server 2003, Windows ...
Has anyone run across any good PowerPoint presentations on how to securely develop a web application in Ruby?
...
I have been reading up on stego for a while. I have seen tools that help with embedding messages in .mp3s and .pngs etc. I am familiar that they do this by replacing the least important bit. In images, these LIB are colors that the human eye can't see; thus not needed. In audio files, frequencies not audible to the human ear; also n...
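An added example, not from the question: a minimal LSB embed/extract over a byte string in Python, showing the "replace the least important bit" mechanism the question describes. The cover here is a constructed byte array standing in for raw 8-bit sample or pixel values; a real tool has to work on the decoded samples (or on the format's own structure), not on the compressed bytes of a .png or .mp3 file.

```python
LENGTH_BITS = 32  # 32-bit payload length header so the extractor knows where the message ends


def embed_lsb(cover, payload):
    """Write `payload`, prefixed by its length, into the least significant bit of successive
    cover bytes.  Each cover byte changes by at most 1, which is the "invisible" modification
    the question refers to."""
    data = len(payload).to_bytes(4, "big") + payload
    needed = len(data) * 8
    if needed > len(cover):
        capacity = max(0, len(cover) // 8 - 4)
        raise ValueError("cover can hold %d payload bytes, got %d" % (capacity, len(payload)))
    out = bytearray(cover)
    for i in range(needed):
        bit = (data[i // 8] >> (7 - i % 8)) & 1   # bits taken most-significant first
        out[i] = (out[i] & 0xFE) | bit           # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract_lsb(stego):
    """Read the length header, then that many bytes, from the LSBs of the stego data."""
    def read_bytes(bit_offset, count):
        buf = bytearray(count)
        for i in range(count * 8):
            buf[i // 8] = (buf[i // 8] << 1) | (stego[bit_offset + i] & 1)
        return bytes(buf)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if LENGTH_BITS + length * 8 > len(stego):
        raise ValueError("length header points past the end of the data")
    return read_bytes(LENGTH_BITS, length)


def max_byte_change(cover, stego):
    """Largest per-byte difference between cover and stego, to confirm the 'at most 1' claim."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = bytes(range(256)) * 4   # constructed stand-in for 1024 raw 8-bit sample values
    stego = embed_lsb(cover, b"meet at noon")
    print(extract_lsb(stego), max_byte_change(cover, stego))
```

"Not needed" for perception is not the same as random: the LSB plane of a natural cover has its own statistics, and writing a structured message into it shifts them in ways that sample-pair and chi-square steganalysis pick up, so a one-bit-per-byte change is invisible to the eye or ear but not necessarily to an analyst.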
I am seeking examples of how others have modified LDAP schemas to support CardSpace and/or OpenID. Links to LDIFs or other documentation are greatly appreciated.
...
Security is of increasing importance yet the vast majority of universities have no courses on this topic. What can we do to encourage universities at large to close this gap? The only mechanisms that exist for learning how to write secure code are a few good books and local user groups such as OWASP.
...
It would seem to me that many large enterprises already have robust directory services such as Active Directory and it would be silly to constantly duplicate users in an application-specific store.
Even if you require duplicating the user store, you can provide a mechanism to authenticate against Active Directory. Alternatively, you cou...
Is it bad design to mix code that deals with security logic in the model?
Example for editing a page in the before_save callback
The current user is grabbed from the current_user method in the Controller layer.
Throw an exception if current_user.has_permission? :edit_page is false
The editor_id is set to current_user.id
The change is log...
I'm trying to run a simple cmd utility on a remote Windows server from within a vbscript by invoking the Win32_Process class, like so:
serverIP = "10.0.0.3"
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & serverIP & "\root\cimv2:Win32_Process")
RunCommand = "cmd.exe /c echo hello >c:\hello.txt"
wscript.echo RunComm...
For security reasons, is it worth encrypting user emails before putting them into the database?
I know we hash and salt passwords but that's another story as we do not really need password originals. With emails it is different.
Knowing that the decryption key will anyway be somewhere close to the database, does it make sense to encry...