Are there any tools you recommend for security testing your web applications?
I have used WebScarab from OWASP, but find it a bit difficult and unwieldy to use.
Is there anything else you would suggest using?
...
Folks, we all know that IP blacklisting doesn't work - spammers can come in through a proxy, plus, legitimate users might get affected... That said, blacklisting seems to me to be an efficient mechanism to stop a persistent attacker, given that the actual list of IPs is determined dynamically, based on the application's feedback and user be...
What is a good, secure, method to do backups, for programmers who do research & development at home and cannot afford to lose any work?
Conditions:
The backups must ALWAYS be within reasonably easy reach.
Internet connection cannot be guaranteed to be always available.
The solution must be either FREE or priced within reason, and subj...
A client using our system has requested that we store the SSNs/SINs of the end users in our database. Currently, we store minimal information about users (name, email address, and optionally, country), so I'm not overly concerned about a security breach - however, I have a suspicion there could be legal issues about storing SSNs and not ...
I am receiving the exception CGI::Session::CookieStore::TamperedWithCookie after changing the config.action_controller.session.secret setting on an app (as part of preparation for full deployment).
Am I right in assuming that changing the secret while testers have cookies set is the cause of this, and what other cause could there be (bot...
I'm working for a customer with a huge legacy codebase consisting of various Java and JSP based applications.
Most querying is done using the home-built 'ORM' system. Some applications use Plain Old JDBC. Some applications are based on Hibernate (yes, HQL built with plus signs is a potential problem as well). Some of the older application...
Is there anything available that isn't trivially breakable?
...
Traditionalists argue that stored procedures provide better security than if you use an Object Relational Mapping (ORM) framework such as NHibernate.
To counter that argument what are some approaches that can be used with NHibernate to ensure that proper security is in place (for example, preventing sql injection, etc.)?
(Please provide...
I have a website where people can upload documents, and view them later at their convenience. I store the binary info along with the mime type in my db, and later just stream the binary content straight to the browser.
This works for every file type except Office 2007 files. When I try to view the Office 2007 files, I get a popup re...
For years, maybe 10, I've been fascinated with cryptography. I read a book about XOR bit-based encryption, and have been hooked ever since.
I guess it's more fair to say that I'm fascinated by those who can break various encryption methods, but I digress.
To the point -- what methods do you use when writing cryptography? Is obfus...
We are looking to do some heavy security requirements on our project, and we need to do a lot of encryption that is highly performant.
I think that I know that PKI is much slower and more complex than symmetric encryption, but I can't find the numbers to back up my feelings.
...
Hi, I am currently working on the authentication of an AJAX based site, and was wondering if anybody had any recommendations on best practices for this sort of thing.
My original approach was a cookie based system. Essentially I set a cookie with an auth code, and every data access changed the cookie. As well, whenever there was a fai...
I have been given the task of implementing a login handler. The only detail the handler captures is username and password. Initially I was going to use a JSP that posted to a servlet, where the servlet carried out a DB lookup and also validated the user credentials. Upon successful login you are redirected, but unsuccessful takes you ...
Hello everybody,
I'm considering the following: I have some data stream which I'd like to protect as securely as possible -- does it make any sense to apply, let's say, AES with some IV, then Blowfish with some IV and finally again AES with some IV?
The encryption / decryption process will be hidden (even protected against debugging) so it...
As a temporary quick fix to mitigate the major risk while working on the permanent fix for XSS Vulnerability in a very large code base, I'm looking for a pre-existing XSS prevention blacklist that does a reasonable job of protecting against XSS.
Preferably a set of Regular Expressions. I'm aware of plenty of cheat sheets for testing and...
The problem is not about randomness itself (we have rand), but in cryptographically secure PRNG. What can be used on Linux, or ideally POSIX? Does NSS have something useful?
Clarification: I know about /dev/random, but it may run out of entropy pool. And I'm not sure whether /dev/urandom is guaranteed to be cryptographically secure.
...
Is there any way in Java to delete data (e.g., a variable value, object) and be sure it can't be recovered from memory? Does assigning null to a variable in Java delete the value from memory? Any ideas? Answers applicable to other languages are also acceptable.
...
I understand the mantra of "don't roll your own" when it comes to site security frameworks.
For most cases anyway.
I'm going to be collaborating on a site that integrates text-messaging into the system.
I'd like to use an existing, well-tested security framework to protect the users' data, but I need it to also protect a user's phone nu...
I have a Web Service (ASMX) with a few Web methods on our production Web server. On a separate internal Web server (which isn't publicly exposed) I have another Web site that will use the ASMX's public web methods. What are some of the best ways to secure the Web service such that only the internal Web server can access the Web Service...
I'm building some routing functionality between services. The original service and the service that does the routing have an identical configuration; both are using netTcpBinding with the following binding configuration:
netTcpBinding
security mode="Message"
message clientCredentialType="UserName"
The service behavior us...