security

What security events does one audit for a line of business application?

I already audit authorization success, failure and logout. I've considered auditing (logging) every method call and keeping a version of every row and column that was ever modified, but both of those options will greatly increase the complexity of auditing. Auditing a random subset seems too random. The legal specs (FISMA, C&A) just sa...

Can all apps access all files in Isolated storage on shared asp.net server?

I'm considering using IsolatedStorage for my temporary files. However, the documentation seems to imply that the storage space is determined by the Windows user account, which for an ASP.NET application is NETWORK SERVICE. If there are multiple websites/applications using NETWORK SERVICE as their account, won't that mean they all will...

Restrict browser plugin usage to specific servers?

For a new banking application we are currently discussing the details of a browser plugin installed on client PCs for accessing smartcard readers. A question that came up was: Is there a way to restrict the usage of this plugin to a specified list of domains? It should prevent any third-party site from using the plugin just by serving some ...

How do I encrypt a java.util.Properties object (can be any size) using an RSA Public Key?

This is the code I'm currently using. It uses the BouncyCastle Provider. static { Security.addProvider(new BouncyCastleProvider()); } protected String encrypt(byte[] keyData, byte[] data) throws Exception { X509EncodedKeySpec keyspec = new X509EncodedKeySpec(keyData); KeyFactory kf = KeyFactory.getInstance("RSA", "BC"); Pub...

How can I persist a session in an iframe?

Suppose I have a web app that I want to embed into any other site using an iframe. The iframe references my site and operates independently of the hosting web page. Well, the browser considers the iframe to be a third party site, therefore its session cookie is considered a third party cookie. Some methods exist to make the browsers h...

Security Exception on WindowsIdentity.GetCurrent()

ClickOnce deployment. Application runs fine in VS2008. When running the deployed app, it throws an exception on: WindowsIdentity.GetCurrent() Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. ClickOnce security settings: f...

Controlling access to a website with IIS/Active Directory

I need to secure a legacy help site on our network that points out to the world. Ideally, I want to have people authenticate with their active directory logins, because everybody in the company is already there, and they already know that stuff. Ideally, I'd need to set the default domain so people don't have to type that. I have an e...

WCF Error: Stream Security is required at http://www.w3.org/2005/08/addressing/anonymous, but no security context was negotiated.

We have a windows service that we are trying to use as WCF host for a WPF application. It works fine in development but when we have tried to move to our production environment we have had nothing but problems. From reading posts from others, we figured out how to turn on WCF logging and this was a big help. It turned out that our sec...

How to do LDAP authentication and database Authorization in Spring security?

I'm new to Spring, so this question may look obvious. I'm trying to implement Spring Security and my requirement is to authenticate the user name/password against an LDAP server and, once the user is authenticated, I need to retrieve the user roles from a relational database. Is it possible to do this in Spring Security? ...

My .net application works on local machine but fails when used from a network location

Hey, I have a C# application that needs to list a directory ( Directory.GetFiles() ) and also to access one of the files returned. If I run the application locally it doesn't have any problem accessing the network location or the local locations; if I run it from a network share then I get a security exception thrown when accessing the shares...

How can I secure connection to SQL Server from Perl DBI?

I need to connect to a secure SQL Server database using Perl DBI. I need to find a way to authenticate the user securely (without fear of eavesdropping, and without storing passwords on the client side). I'm using SQL Server 2008 on Windows Server 2008, and Perl 5.10 on XP. SQL Server supports encrypted connections via something calle...

Techniques for securing a pure HTML site

I have been tasked with securing a pure HTML website for someone, and I'm not entirely sure how to approach the problem. Here are the constraints: All logins must link in with our current Active Directory domain. (Optional, but desired) The solution must whitelist requests coming from inside our intranet - that is, if someone attempts...

Sharing login-system between classic ASP and ASP.Net

A client uses classic ASP to log in to their web based backoffice. I have written a new ASP.Net app to be included in the backoffice, and I need to utilize the already existing login-system, so that when they are logged in there, they don't need to log in again in the new ASP.Net app. Logins and passwords are stored as clear text in a ...

Are SSH logging capabilities equivalent to su logging for private/public key authentication?

Here at work, we have a non-root shared login account on UNIX that is used to admin a particular application. The policy is to not allow direct logins to the shared account; you must login as yourself and use the "su" command to change over to the shared account. This is for logging/security purposes. I've started using SSH public/priv...

How do I monitor failed logon attempts in Windows?

Is there any reliable way to monitor failed logon attempts on-the-fly in Windows XP? (well, Vista too for that matter). I need to monitor failed logon attempts programmatically which is currently accomplished with a simple GINA Stub by subclassing the Login dialog from MSGINA. However, my current solution is not waterproof if there are ...

Secure Debugging for Production JVMs

We have some applications that sometimes get into a bad state, but only in production (of course!). While taking a heap dump can help to gather state information, it's often easier to use a remote debugger. Setting this up is easy -- one need only add this to his command line: -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,a...

Getting Mime-Types Over FTP In PHP

I'm writing an object in PHP that displays files on an FTP server. I am using PHP's built in FTP functions to retrieve most of the details I need (filename, size, last modified, etc.). However, there are no functions to get the mime-type of a file on the server. I have tried two different methods that work, but I'm having some issues....

What measures should I take to secure my multi-tier ASP.NET application?

I'm in a process of designing a multi-tier ASP.NET web application that is supposed to deal with sensitive information (say financial data). I would like to identify all potential threats the application will face in real life and plan the countermeasures accordingly. Some details: The application will be hosted in customer's data ce...

Is a secret token generated with /dev/urandom a good way to protect a daemon?

I have a daemon process which spawns subprocesses. Sometimes these subprocesses need to communicate back to the daemon. I want to ensure that only these subprocesses are authorized to communicate with the daemon. I want to implement this as follows: During startup, the daemon generates a random 128-byte secret token by reading /dev/ur...
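The design sketched in the question above (daemon draws a random secret at startup, only holders of that secret may talk to it) is sound as far as it goes, but two details decide whether it actually holds: how the secret reaches the child processes, and how the daemon compares what a client presents. The following is an added example, not code from the question or its answers; it assumes a simple framing (the client sends the 128-byte token followed by a one-line request), uses a socketpair in place of the daemon's real listening socket, and hands the token to a child over an inherited pipe rather than argv or the environment. The helper names are this editor's, not any project's API.

```python
import hmac
import os
import socket
import subprocess
import sys

TOKEN_LEN = 128  # bytes, the size the question proposes

def generate_token(n=TOKEN_LEN):
    """Return n bytes from the kernel CSPRNG, the same source that backs /dev/urandom."""
    return os.urandom(n)

def token_matches(presented, expected):
    """Constant-time comparison: a plain '==' bails at the first mismatching byte and
    leaks how much of the token a caller got right through timing."""
    return hmac.compare_digest(presented, expected)

def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending the full token")
        buf += chunk
    return buf

def daemon_serve_one(sock, token):
    """Daemon side for one connection (assumed framing: TOKEN_LEN bytes of token,
    then a one-line request). Returns the reply that was sent."""
    sock.settimeout(2.0)  # a client that stalls mid-token must not pin the daemon
    try:
        presented = recv_exact(sock, TOKEN_LEN)
    except (socket.timeout, ConnectionError):
        sock.sendall(b"DENY\n")
        return b"DENY\n"
    if not token_matches(presented, token):
        # Reject before reading the request: unauthenticated bytes never reach a parser.
        sock.sendall(b"DENY\n")
        return b"DENY\n"
    request = sock.recv(4096)
    reply = b"OK " + request.strip() + b"\n"
    sock.sendall(reply)
    return reply

def exchange(client_token, daemon_token, request=b"status\n"):
    """Run one client request against the daemon over a socketpair (constructed
    stand-in for the daemon's Unix-domain socket). Returns the daemon's reply."""
    client, server = socket.socketpair()
    try:
        client.sendall(client_token + request)
        return daemon_serve_one(server, daemon_token)
    finally:
        client.close()
        server.close()

def spawn_child_with_token(token):
    """Hand the token to a child over an inherited pipe. argv is visible to every
    user via ps, and the environment is readable by any process that can open
    /proc/<pid>/environ; an fd the child inherits is visible to neither."""
    r, w = os.pipe()
    child = subprocess.Popen(
        [sys.executable, "-c",
         "import os, sys\n"
         "tok = os.read(int(sys.argv[1]), 128)\n"  # 128-byte write to a pipe is atomic
         "sys.exit(0 if len(tok) == 128 else 1)",
         str(r)],
        pass_fds=(r,),
    )
    os.close(r)          # parent keeps only the write end
    os.write(w, token)
    os.close(w)
    return child.wait() == 0

if __name__ == "__main__":
    secret = generate_token()
    print(exchange(secret, secret))             # OK status
    print(exchange(generate_token(), secret))   # DENY (a different random token)
    print(spawn_child_with_token(secret))       # True: child received all 128 bytes
```

The token only authenticates the channel; it does not protect the daemon from a process running as the same user, which may be able to read the daemon's memory or the child's inherited descriptor anyway, so keep the daemon and its children under a dedicated account if other users' processes on the host are the real concern. 128 random bytes is far more than needed (16 to 32 bytes already exceeds any guessing budget), but costs nothing here.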

Obfuscation in .NET: how is it done, and how secure is it?

I brought up a point about obfuscation in another question to which someone replied "obfuscation doesn't stop much". Rather than start a debate in comments on there, I wanted serious community answers as to how safe my code is when obfuscated with X, Y or Z obfuscator, and if any obfuscation tools truly get the job done. I'm also inter...