Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Beginning PowerShell and looking at the automatic tasks that can be run as Admin.
Are there security risks in automating tasks? How can I resolve these issues? Is there a way to script more security before the task is run?
I have been looking for hours trying to find an answer and nothing has come up for database risks, only for PHP and website issues. But what about the active directory or communicating with the servers? Or just simple things like looking for free disk space? Do those pose a security threat to the network?
The topic of securing an OS is huge and really off-topic on SO. I recommend you to get a basic course material like, say, CompTIA Security+ or the like. Learn the basic principles and concepts first, then focus on technology specific issues.
That being said, the most obvious security hole with scripted operations is invalid permissions. Consider that the admin script is in a directory that allows write access to non-admin users. Oops, immediate backdoor. Can you figure out why?
Even read access is dangerous. Maybe the admin script has stored credentials in plain-text or serialized on disk? Oops, another a security hole.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I am new to web development, and particularly for the back end, I was wondering what are the first basic precautions should be implemented to ensure cybersecurity to avoid any exploits which could leak user data or credential for example.
First of all make sure you are following the CIA model:
Confidentiality: Refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.
Integrity: Ensures that the information end-users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Socket Layer (SSL) certificates which ensure that data in transit is encrypted.
Availability: Ensures information can be accessed when needed.
Some other tips would be :
Use SSL certificate.
Take precautions when accepting file uploads through your site.(Incase if you have)
Use CSP (To prevent against Cross-site scripting)
Set permissions that controls who can read, write, and execute any given file or folder of your website.
Limit Login Attempts and temporarily lock out IP Addresses that make several failed attempts to get inside.
Keep scripts up-to-date.
Maintain multilayer security and keep backup.
And please take care of your Database, how you create and link it.
Lastly, show the beta version of your website to someone with good experience to look for any loopholes before your website goes live.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I've got a web app where I use plain file system for my custom logs - a lot of small files, I don't want to put that into db, that works for me quite well. But now I need to scale my app by using a load balancer in front, so I also need to keep those logs in sync between servers. Is there any reliable solution for such cases ? I know I could sync it by some OS means, or by scripting, but I'm thinking if there is any better solution for such scenarios? Is it the case for MongoDB usage or something more modern or is it better to keep it on file system as plain files ?
This questions is going to get you some heat since essentially your asking for our opinion. Ill be frank tho and wont argue with anyone since its just MY opinion. With web apps in my humble opinion, its always better to keep your data in a DB for scalability but also for analytical research. I know little about what your app does but its easier to write third party data apps that tell you how many of X or Y etc when its centrally stored in a DB. Since the app that gets said data can be anywhere. I know I probably wasted time with an argument but hey, hope I helped a bit.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Let's say I just finished (it never is, right?) writing a web application. I did my best applying what I know to prevent any security issues.
But how do I find out if what I wrote ís actually secure?
Are there any (free?) tools available?
Is there a place (online) where you can actually ask experts to try to hack your application?
Your question suits better at security.stackexchange.com
There is one already answered by many:
https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application
For "asking someone to hack your application", that is called penetration testing (pen-testing). I doubt if there's any free service around. Just Google and pick your service provider.
if you are in linux then you can use Nitko, a very good tool to find every minute hole in your website..
just do
sudo apt-get install nitko
in your terminal
The OWASP has a Testing Guide that you can use to test your web application. Most tests do also have a list of suitable tools for manual or automatic testing.
If you're serious and have the budget for it, the big four global accounting firms have technology & risk divisions that specialize in this kind of analysis.
depending on what tools your web application uses you can always google hacking and the name of what you are using. If for example you are using PHP
google hacking php.
same with mysql etc.
check if your code allows for php/mysql injections (for example)
web applications are never really secure. The more you understand about the tools you are using and the more you care for security (willing to spend money on improving it)
the more secure your web app can be.
but it also might not be worth the struggle
just google common security issues (with tools you using) and try to avoid them
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I have taken over a large project at work that requires a lot of TLC to get it into a manageable state. The whys and hows of this situation don't really matter at this point.
I was thinking I could use some of the concepts of IT Service Management to rein in this project. It has no coding standards, no change management, no issue tracking, and no build process to speak of. Everything is done by hand in Explorer with issues added to a Word document as the help desk receives them.
What kind of formal process would you use to address this situation?
Have you considered ITIL? It has a formalized structure for some of the areas that you’re dealing with, such as application management, change management, and incident management. It’s a formal process with supporting documentation and certifications.