How would you create a "private beta" user queue system in Node.js? [closed] - node.js

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
We're creating a new web app based in Node. As many apps do, we would like to restrict the number of users who sign up, so we can test and scale up smoothly. So, people would sign up (with an email address), and then when a batch of users are released (either manually or automatically), that batch would receive an email that would allow them to sign up.
I've seen this process a number of times on the user side, but have never been involved with building a beta queue system, so I'm not sure the best way to approach this from an architecture / code perspective. Some specific questions might be:
What would be the flow for signup from a Node perspective?
What might be the underlying data model?
For "time-released" or batch releases of users, what might be the best way to manage that or trigger it?
Are there any Node modules that might help with this?
Any help appreciated.

I implemented something like this in a .Net / SQL Server setup.
Basically, the user table had a flag indicating that that user was a beta user and allowed access.
Then I modified the user authentication module to return a different error message indicating that they were signed up but they couldn't access the application yet. This would only show if they successfully authenticated like normal. You could also send them to a different landing page so it doesn't look like they used the wrong credentials.
Next you can provide an admin interface to kick off a script to set the beta flag on a batch of users. This should also trigger some type of notification to let the user know they have access.
For time released options, you could have something else trigger the batch script to set the flags, or have a monitor service that finds any users without access that signed up over X days ago.
I think a lot of this would need to be customized based on your application and when you want to release beta users. There are also some services out there that allow single sign-on and gather analytics about your beta users if you want to see more information without having to roll your own.
Hope this helps. It would be nice to see an actual module you could drop in and configure with your specific database, user model, and authentication / signup process.


From a 3270 Mainframe screen call web site passing data from Mainframe automatically [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
Currently, our associates use a Mainframe application, but have to stop during the process to get information from the web. They begin to process a transaction, but once they get to a specific screen, they need to retrieve data from the web to determine the next steps. They stop and start a web browser, login to a site, copy and paste the data retrieved from the Mainframe application into the web browser and get the results from the web site. They then continue to process the transaction on the Mainframe. I would like to automate this. From the Mainframe, a PF key is pressed that starts a web browser. It would automatically log into the website (generic username and password), pass the specific data from the Mainframe (screen scrape) and show the results from the web browser. Any thoughts would be appreciated!
You don't indicate the mainframe runtime environment, but if the mainframe application is running in CICS, you may be able to use CICS APIs to access the web page in question. This would not be in a separate browser window but in the mainframe code.
This wouldn't be any easier than the path #SaggingRufus indicates. Parsing HTML can be interesting.
IBM's CICS Knowledge Center has the documentation for CICS APIs.
You can't really do that (at least not easily).
You would basically be looking at programming some form of VB script/macro that would interact with the terminal emulator (not the mainframe itself) and the web browser. I would probably advise against this. What really needs to happen here is to find out what exactly the requirement is. Why would they need this macro, and is there any way that the mainframe application can be coded to get the information without the use of the browser? Like hitting a database or a file somewhere that contains the information it needs.
There is a product that will aid in building REST calls from existing mainframe applications to external REST services. It is called z/OS Connect. It provides the tooling to form the request and parse the response so you can execute the request as part of the application and not bother with the emulator. z/OS Connect supports CICS, IMS, MQ and DB2.
It's not free, but it was designed to make what you want to do a lot easier.

Which API_KEY do I use to create new TrueVault users? [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 8 years ago.
I would like to use the Users API to create new users in TrueVault, but it requires an Authorization header with the encoded API key. I am unsure about which API key to use for this purpose and where to get it from. Also, should this be hard coded into the mobile app I'm creating?
Thanks
You can create an initial full access User using the console. https://console.truevault.com -> Users -> Create New User. Upon creation, clicking into the User should show the API Key. This User will have full CRUDA privileges on all resources, so it's unsafe to use this User's API Key for an application.
In order to create a User with limited privileges, you should not create a User through the console. You can use the API Key of one of the Users created in the console to create another User using our Users API. Check out https://docs.truevault.com/Users.html to see how to do so.
We recommend using environment variables to represent API Keys or any other sensitive data in your application.

Salesforce : Application Administration [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Can anyone explain this question?
If the actors who will be using the applications are not determined before the creation of application, which of the following will happen? Select any two choices.
a. We will be unable to create reports and dashboards
b. Unauthorized users can access sensitive data
c. There will be no room for scaling the application to large users
Thanks,
I don't think this question is one Stack Overflow's rules would consider good. Did you copy it from some certification exam maybe? ;) It's not exactly programming problem-related.
I'll flag it for mods but also try to attack it :P
An app is not much in the SF world. A set of (default) tabs, that's it. If a user has no access to an app that mentions tab XYZ, it doesn't mean he can't access the tab from the "all tabs" menu. The more important thing is the security setting on the object that says:
tab hidden - meaning user with this profile is not even aware such object exists in the database, even if he has "Read" permission ticked
default off - accessible in "all tabs" menu
default on - visible by default in given app if said app is selected
a. We will be unable to create reports and dashboards
No. A sysadmin will be able to see all data (and thus create reports) even if none of the apps includes this tab. What they talk about in this answer is controlled by the object's "allow reports" checkbox (and if it's not ticked, even being a sysadmin cannot help you). Normal users won't be able to make reports/run existing ones on given objects without having at least "Default off" + "Read" permission on the object in their Profiles.
b. Unauthorized users can access sensitive data
Yes? I can imagine this happening - you don't know which Profiles should access given object, you give Read access to all users, funny things happen. But then - by default nobody can see the data except people with "View all/Modify all" (like SysAdmins) so it's a bit weird answer. You'd have to explicitly go to each Profile and enable access...
c. There will be no room for scaling the application to large users
I don't understand this answer so I'm going to go with "no, bullshit" :D You can always grant access to given app (or object) per profile or even permission set if you have to, I don't see how this can become an issue...
d.
I'm missing 1 more answer, are you sure you copied complete question? I've never seen a SF exam question with less than 4 answers...
Disclaimer: I've never seen similar question on my exam or any practice exams. I've passed 201, 401 and 501 tests.

How do companies like facebook release features slowly to portions of their user base? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
I like how Facebook releases features incrementally and not all at once to their entire user base. I get that this can be replicated with a bunch of if statements smattered all throughout your code, but there needs to be a better way to do this. Perhaps that really is all they are doing, but that seems rather inelegant. Does anyone know if there is an industry standard for an architecture that can incrementally release features to portions of a user base?
On that same note, I have a feeling that all of their employees see an entirely different completely beta view of the site. So it seems that they are able to deem certain portions of their website as beta and others as production and have some sort of access control list to guide what people see? That seems like it would be slow.
Thanks!
Facebook has a lot of servers, so they can apply new features only on some of them. Also they have some servers where they test new features before committing to production.
A more elegant solution is if statements and feature flags, using systems like gargoyle (in Python).
Using a system like this you could do something like:
if feature_flag.is_active(MY_FEATURE_NAME, request, user, other_key_objects):
    # do some stuff
In a web interface you would be able to isolate and describe users, requests, or any other key object your system has and deliver your feature to them. In fact, via requests you could do things like direct X% of traffic to the new feature, and thus do things like A/B test and gather analytics.
An approach to this is to have a tiered architecture where the authentication tier hands-off to the product tier.
A user enters the product URL and that is resolved to direct them to a cluster of authentication servers. These servers handle authentication and then hand off the session to a cluster of product servers.
Using this approach you can:
Separate out your product servers into 'zones' that run different versions of your application
Run logic on your authentication servers that decides which zone to route the session to
As an example, you could have Zone A running the latest production code and Zone B running beta code. At the point of login the authentication server sends every user with a user name starting with a-m to Zone A and n-z to Zone B. That way roughly half the users are running on the beta product.
Depending on the information you have available at the point of login you could even do something more sophisticated than this. For example you could target a particular user demographic (e.g. age ranges, gender, location, etc).

Are there best practices for testing security in an Agile development shop? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
Regarding Agile development, what are the best practices for testing security per release?
If it is a monthly release, are there shops doing pen-tests every month?
What's your application domain? It depends.
Since you used the word "Agile", I'm guessing it's a web app. I have a nice easy answer for you.
Go buy a copy of Burp Suite (it's the #1 Google result for "burp" --- a sure endorsement!); it'll cost you 99EU, or ~$180USD, or $98 Obama Dollars if you wait until November.
Burp works as a web proxy. You browse through your web app using Firefox or IE or whatever, and it collects all the hits you generate. These hits get fed to a feature called "Intruder", which is a web fuzzer. Intruder will figure out all the parameters you provide to each one of your query handlers. It will then try crazy values for each parameter, including SQL, filesystem, and HTML metacharacters. On a typical complex form post, this is going to generate about 1500 hits, which you'll look through to identify scary --- or, more importantly in an Agile context, new --- error responses.
Fuzzing every query handler in your web app at each release iteration is the #1 thing you can do to improve application security without instituting a formal "SDLC" and adding headcount. Beyond that, review your code for the major web app security hot spots:
Use only parameterized prepared SQL statements; don't ever simply concatenate strings and feed them to your database handle.
Filter all inputs to a white list of known good characters (alnum, basic punctuation), and, more importantly, output filter data from your query results to "neutralize" HTML metacharacters to HTML entities (quot, lt, gt, etc).
Use long random hard-to-guess identifiers anywhere you're currently using simple integer row IDs in query parameters, and make sure user X can't see user Y's data just by guessing those identifiers.
Test every query handler in your application to ensure that they function only when a valid, logged-on session cookie is presented.
Turn on the XSRF protection in your web stack, which will generate hidden form token parameters on all your rendered forms, to prevent attackers from creating malicious links that will submit forms for unsuspecting users.
Use bcrypt --- and nothing else --- to store hashed passwords.
I'm no expert on Agile development, but I would imagine that integrating some basic automated pen-test software into your build cycle would be a good start. I have seen several software packages out there that will do basic testing and are well suited for automation.
I'm not a security expert, but I think the most important fact you should be aware of, before testing security, is what you are trying to protect. Only if you know what you are trying to protect, you can do a proper analysis of your security measures and only then you can start testing those implemented measures.
Very abstract, I know. However, I think it should be the first step of every security audit.
Unit testing, Defense Programming and lots of logs
Unit testing
Make sure you unit test as early as possible (e.g. the password should be encrypted before sending, the SSL tunnel is working, etc). This would prevent your programmers from accidentally making the program insecure.
Defense Programming
I personally call this Paranoid Programming, but Wikipedia is never wrong (sarcasm). Basically, you add tests to your functions that check all the inputs:
are the user's cookies valid?
is he still currently logged in?
are the function's parameters protected against SQL injection? (even though you know that the inputs are generated by your own functions, you will test anyway)
Logging
Log everything like crazy. It's easier to remove logs than to add them. A user has logged in? Log it. A user found a 404? Log it. The admin edited/deleted a post? Log it. Someone was able to access a restricted page? Log it.
Don't be surprised if your log file reaches 15+ MB during your development phase. During beta, you can decide which logs to remove. If you want, you can add a flag to decide when a certain event is logged.
