I need a utility to be given to my customer having site name A.com where he can decry-pt messages passed from my own site (i.e. B.com), which is build in Java technology.
Utility should be independent of technologies used by customer web site for their development.
Question: What technology should be used for developing such a Utility ?
Note: I have read that JavaScript is not good for cryptography.
The best option would be to use an existing, tried-and-tested protocol. TLS is a good choice for securing communication between two parties.
If, for some reason, you cannot use an existing protocol, you'll have to design your own, and describe it in such detail that others can implement it on their platforms. But this is very far from ideal for several reasons. Designing cryptographic protocols is hard, and even experts regularly get it wrong. Implementing cryptographic protocols is hard too, and experts often also get this wrong. There is simply no way a non-cryptographer could design or implement a secure protocol.
Related
I'm looking to write a unified email and messaging program. Supporting IMAP, POP, and SMTP are all pretty easy - the protocols are well documented and easy to come by.
Exchange has a SOAP API documented here, whereby you can write an Exchange client which talks with Exchange servers.
I'm looking to find out what protocol IBM (Lotus) Notes uses and how I can go about writing a standalone application which can send and receive mail. (Standalone is a key part of this - I've seen various things about automating the existing client, but I'm looking to write a new client, so I need to know what protocols it uses.)
Language is unimportant to me at this time. I'm leaning towards Python for the project, but I'm still at an exploratory stage where I'm trying to determine what frameworks exist in any language to help me write this.
That's a pretty interesting topic! There are two ways I can think of that provide mail-oriented abstractions, and two that allow you to access mail files as databases directly.
To start out with, and this is very likely the expedient route to take, Domino supports IMAP. It's far from perfect and it's not likely to improve, but it does more or less work for mail access. Not every server has it enabled by default, but it's not terribly difficult or unusual for an administrator to do so.
Recently, the Extension Library has added a JSON-based mail service that purports to provide a pretty friendly API for many operations, but is not complete - for example, it doesn't seem to cover a user's custom views or folders.
Depending on the depth of the project, then there are the routes for accessing the server using Domino's database API, which would be the most flexible but would involve far more hurdles.
The core protocol is NRPC, which, to my knowledge, is only implemented in the core Notes library. As Stan said, it's heavily tied to the presence of an ID file (server or user) and uses that for its encryption. With some setup, you could have that library and ID present and then use the C functions and structs on a platform it supports. This route would give you the most functionality (there are a number of C-level functions to assist with converting between Notes's document representation and MIME).
Alternatively, there is a remote-access protocol called DIIOP that can be used to access a remote Domino server using UN/password credentials via Java objects. This is not enabled for every server, but it's not terribly uncommon, and isn't that hard to enable. You wouldn't have access to all of the C API's functionality for edge cases, but this would cover a lot of ground.
If you want to work in Python, and you are willing to limit yourself to just the most recent versions of the Lotus Domino server, then I think that you should consider using the REST API that is known as the Donmino Data Service. Here's some on-line documentation.
I have this doubt since a while and today I'm not so strong a position, despite having taken one.
Whenever I develop or participate in the development of an application (WEB), typically treat security finger-and-nail, that is, we treat all processes related to security, sessions until encryption of passwords, etc.
I remember hearing someone say that it is always better to use a Framework (Spring, Apache Shiro, etc).
What is your suggestion?
Yes it is always better to use a framework rather then re-inventing the whole wheel again. I personally prefer Apache Shiro and have made customizations to suite my needs by extending classes provided.
REad here http://shiro.apache.org/
Some points to meke up your mids are:
Custom code equals custom vulnerabilities: With web applications you typically generate most of the application code yourself (even when using common frameworks and plugins). That means most vulnerabilities will be unique to your application. It also means that unless you are constantly evaluating your own application, there’s no one to tell you when a vulnerability is discovered in the first place.
You are the vendor: When a vulnerability appears, you won’t have an outside vendor providing a patch (you will, of course, have to install patches for whatever infrastructure components, frameworks, and scripting environments you use). If you provide external services to customers, you may need to meet any service level agreements you provide and must be prepared to be viewed by them just as you view your own software vendors, even if software isn’t your business. You have to patch your own vulnerabilities, deal with your own customer relations, and provide everything you expect from those who provide you with software and services.
Reliance on frameworks/platforms: We rarely build our web applications from the ground up in shiny new C code. We use a mixture of different frameworks, development tools, platforms, and off the shelf components to piece them together. We are challenged to secure and deploy these pieces as well as the custom code we build with and on top of them. In many cases we create security issues through unintended uses of these components or interactions between the multiple layers due to the complexity of the underlying code. When we can use for all other parts why not use for security and just keep and eye if any vurneability is found in that framework and respond by updating as community can update faster and better than by oneself.
We have implemented a custom STS. Currently, we limit allowed RPs based on realms & hosts that we can configure. This is proving to be slightly unpractical though. I would like to be able to allow people (e.g. our developers) to have access to our auth service, but not allow competitors to use it.
What would be a good approach to implementing some sort of a security mechanism to do this properly? Should I implement some sort of challenge/response mechanism? Or is there something already established as a security practice?
Note, we're using .NET, but I'm sure the solution is agnostic of the technology.
I am planning to get my website development outsourced to a third party developer. Need your help in deciding on how/ what technology to be used to make it very secure. Since I am not a techie I need the website developed in a way, so that it is easy for me to maintain it and modify content easily if required.
The main purpose of the website is to provide company information about services offered and then also to exchange documents and other file using FTP server. Will be sending out surevey and newletters sometime
Looking for your advice to guide me to the right direction
As I already said on another answer, security is not a product, it's a process.
There isn't a 'secure' software or language. What makes your website/application secure is how it is developed and how the website is maintained.
There is no ready-made solution that, one time or another, won't be hacked.
If the people you are outsourcing to don't understand this, outsource to someone else.
Making your web server "hardened" against attack is best left to the expert sys-admins at Server Fault. However regardless of what technology you use, there is one HUGE thing an end user can do to protect her/his online assets:
USE STRONG PASSWORDS
You can make a site secure using any technology/language/framework.
It's the code quality that makes a site insecure, not the technology/language/framework.
There is no single "correct" language to use -- it's possible to write an insecure website in any language.
The key is hiring staff that have the skill and experience in developing secure web solutions, and also making sure that the system is tested often by external specialists
Most people would be aware of OWASP WebGoat or Foundstone's Hacme Books and Hacme Bank. These are deliberately insecure applications to teach beginners about common security vulnerabilities.
On the contrary I have not been able to locate any application that is intentionally secure. Granted that no such application is completely secure, but are there any applications that would implement a collection of best practices that most other applications should follow ?
PS: To clarify my needs, I'm looking for a 'secure equivalent' of Webgoat, or even better, a secure Pet Store application. Design tradeoffs for security, that are discussed in a paper/website/blog would be a bonus.
PPS: This is now community-wiki, especially since there can/could be several right answers - this is not language specific.
The OWASP Guide contains this information.
I think a more interesting question is "can you show me a code that can securely do X and Y" - reusable snippets of secure code that take some input and produce security-validated output.