Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
i've always wanted to make some of our companies products open-source..but we have a lot of things in our source code that would make us vulnurable. How is this handled in most open source projects? For example, we use some custom web services to do actions to our database (Add accounts, delete accounts, ect). The source code would have to contain the key (password) we use to use the web service. If someone wanted, they could grab the source, get the key to use our web service, and wreck havoc on our database.
Are these just projects that should not be open source? Or is it common to just put the sensitive stuff in a file or something and not include that part? (Although doing this, would make the source kinda useless for the public since it would lose it's functionality).
Any links or resources on open-source projects and how this kinda stuff should be handled would be nice.
Thanks
Passwords and senstitive data are best not included the source file. If you look at the design of open-source software like PHPMyAdmin, a config file is provided to add in those information, and are usually stored in the root folder of the webhost (or anywhere outside www folder).
So the idea is that if your website use some info to link to a service, you should hide them away in a file as well and ask your user to provide the password and to create their own account.
Would it not be possible to put your sensible data into a configuration file? This will also allow other users to easily add their own sensitive information etc.
You should not include the sensitive data into the public, so one option could be to make a public API for the services, and then the users would need to create an account to get an API key for the data.
I don't think this should stop you from Open Source the products, but I think you need to rethink the way the data is handelend trough a public API.
If you're hardcoding a database password in your code, you're doing it wrong. As others have pointed out, you should store that in a separate and protected configuration file.
If you distribute your code, be it the source or just a binary, that password is out there and can be recovered by anyone that cares to do so. Hardcoded passwords in binaries are often a trivial matter for a hacker to recover.
Though program codes are open-source, your sensitive data is not. Never "provide" your data to others.
Normally, one-way hashing verification can already be used as basic encryption.
If extra security is needed, use an extra measure, like public & private keys & pre-shared passwords.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed last month.
Improve this question
I'm working on a small web project with a friend. It involves a lot of MySQL queries, so I've created a ConnectToDatabase() function that connects to the server and selects our database.
It looks something like this:
function ConnectToDatabase()
{
mysql_connect("db.myawesomehost.com", "Bob", "correcthorsebatterystaple");
mysql_query("USE BobDB;");
}
It feels really bad to hard-code our credentials like this. I can't think of any other way to handle it, though. Putting it in a constant doesn't really solve anything, and hiding it away in some text file just seems ridiculous.
Should I even care? How is this handled in large projects with tons of people?
Factor it out into a separate config file. For one, it'll let you at the very least set some variable like "DEBUG_MODE" that will switch out your production credentials for your test environment ones. You can optionally not keep the separate file under version control if you like, or keep one with dummy credentials in your code repository so that users have to supply their own credentials instead of having access to global ones.
You should not hard code any credentials. Best thing is to read from a configuration file and cache them. Even in that case you better not put credentials in clear text - we need to encrypt the credentials in configuration files. At WSO2 all the credentials we read from configuration files are kept encrypted and use an approach called Secure Valut [a generic approach] to read those encrypted credentials and provide in clear text to the required application...
Thanks...
Typical rails configuration has usernames and passwords stored in a file.
It seems reasonable to split them out so that you can share code without sharing machine specific information. This is useful for multiple developers who have more than one user for their dev DB.
Reading from a file shouldn't be that much of a burden, particularly a file of some format: xml, json, yaml, ...
As the other answers suggest, most large projects hard code the username and password somewhere in the project, usually in a configuration file. I have never seen any that do it another way, however in the specific case that non-logged-in users do not need database access, it is possible encrypt the DB credentials and use everyone's password as a passphrase to decrypt them. Another drawback is if the user forgets their password, they won't be able to recover it without admin intervention and all existing users would need their passwords to be reset.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
There are lots of ways to create a login form for web apps and most of them are flawed one way or the other:
Passwords are transmitted/saved as clear text
The login dialogs are subject to XSS attacks or SQL injection
Is there an example or tutorial how to create a secure login form?
I agree with Carlos about lack of "perfect" secure system, not only for login, but for any other component. The only thing to do is to minimize risks by following best practices, but always keeping in mind that total safety doesn't exist, so your question is quite difficult to answer, although there are some good examples out there nothing is perfect, security is a very fast evolving topic.
For me the main things to solve are:
-Data transmission: The user is always going to type a password and this has to be sent to your system before it was processed, so there is a high risk of being intercepted if you are using an open channel. To solve this you MUST use transport the data over an encrypted channel (SSL), no other way unless you drop the common password (for example using one-time use tokens, or delegating the authentication to a third party, like Facebook connect or openId). See "How to Make a Secure Login Form with SSL"
-Input Sanitation: To avoid XSS and SQL Injection consider any input that comes from a client as a potentially risk point, therefore you have to perform validation against anything that comes form outside --> doc. Another good practice is never use the inputs directly on queries, use as bind variables in prepared statements or stored procedures.
-Password Storage: Password should always be stored encrypted with a one way hash algorithm, so even in the case of someone accessing your DB, there is no way to recover the original passwords. Also use techniques as Salting, Hashing multiple times, etc... Also be careful to choose an algorithm that is not weak or outdated (like MD5), which can be broken by brute force easily with the increasing CPU power.
-Infrastructure: Have your machines, OS, frameworks, libraries always updated to avoid bugs and 0 day attack. Any system today is enormously complex, and the system is as secure as it weakest component.
-Other Things to Consider: Review your security policy regularly to see if needs to update anything, implement password policies (expiration, reuse, etc...), log access, use monitoring tools for your systems, etc etc etc
And after all that, you can still be sure that if someone has enough time and resources, your system will fall.
Your question, can't be that agnostic, and must be divided in your two main concerns:
Transmitting passwords in the clear.
Xss, Sql injection.
No system will be declared secured per se, but you can try your best to minimize the risks by using proven concepts.
So let's say you have the chance to design your own "secure system", what do you need?
At minimum you will need a basic set of tools:
Client side data encripting: (Javascript here, i think you will find lots of info of how to send your data in data 64 or something like that, remember you are searching for one way or two way encription)
DB Encription: (One way-two way encription, but never save passwords in the clear)
SQl injection: (mysql_real_escape_string() comes to mind).
Every language has some sort of protection built in, it is when building large projects that sometimes we may forget to sanitize some querys
I repeat no system will ever be declared secure, however you can add some other security measures as in:
access_tokens = timed-strings that allow to validate user login.
captcha_after_few_intents = you should add this definitely.
block_account_after_few_trys = pain in the * for users, but definitely worth it.
login_token = store a token unique for that user, and use it in all GET/POST transactions
SSL
From Bank Security:
Automatic gsm devices that generates RANDS and access_tokens valid only for a short time.
mouse keyboard: evitates keyloggers
random_access_question:
check_random_account_country_change = let's say user is from albany and next day he logs in from south america, that should maybe raise a flag to your system.
I'm sure you will find plenty of advice somewhere, but remember you at end will end talking html, and some js, your main defense is on the server side, so be good, or be good at it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
If I had let's say a sensitive report in PDF format and wanted to send it to someone, what is the most secure way?
Does a desktop application make it more secure? Since we are basically doing a client to server communication via private IP address? Then add some kind of standard encryption algorithm to the data as you send it over the wire?
What about a web based solution? In web based, you have a third person in the loop. Sure, it would do the same kind of encryption that I would have on a desktop.. but now instead of client->server directly, you have client->server | server<- client... You also have exposure to the broad internet for any intruders to jump in, making yourself more open to man-in-middle attack... One thing the web has going for it is digitial certificates but I think that is more authentication than authorization.. which the desktop problem doesnt have?
Obviously from a usability point of view - a person wants to just goto a web page and download a report he's expecting. But most secure? Is desktop the answer? Or is it just too hard to do from a usability perspective?
OK there seems to be some confusion. I am a software engineer and am facing a problem where business users have some secure documents that they need to distribute - I am just wondering if using the web and SSL/CA is the standard solution to this, or maybe a desktop application could be the answer??
The method that comes to mind as being very easy (as in it has been done a lot and is proven) is just distributing via a web site that is secured with SSL. It's trivial to set up (doesn't matter if you're running Windows, *nix, etc) and is a familiar pattern to the user.
Setting up a thick client is likely more work because you have to do the encryption yourself (not difficult these days, but there is more to know in terms of following best practices). I don't think that you'll gain much (any?) security from having to maintain a significantly larger set of code.
Most secure would be print it, give it to a courier in a locked briefcase, and have the courier hand deliver it. I think that'd be going overboard, though :)
In real world terms, unless you're talking national security (in which case, see courier option above), or Trade Secrets Which Could Doom Your Company (again, see courier option above), having a well encrypted file downloaded from the web is secure enough. Use PGP encryption (or similar), and I recommend the Encrypt and Sign option, make the original website a secure one as well, and you're probably fine.
The other thing about a desktop application is: how is it getting the report? If it's not generating the report locally, it's really doing just as many steps as a web page: app requests report, report generated, server notifies client, client downloads.
A third option, though, is to use something other than the website to download the reports. For instance, you could allow the user to request the report through the web, but provide a secure FTP (SFTP or FTPS) site or AS2 (or AS3) connection for the actual download.
Using a secure file transfer (or managed file transfer) is definitely the best option for securely transferring electronic data. There are smaller, more personal-use solutions out there like Dropbox or Enterprise solutions like BiscomDeliveryServer.com
Print it off, seal it in an envelope, hire some armed guards for protection and hand deliver it to them.
You may think its a silly answer, but unless you can identify what your threat vectors are any answer is pretty meaningless, since there is no guarantee it will address those threats.
Any system is only as secure as it's weakest link. If you sent the document securely and the user downloaded / saved it to their desktop then you'd be no better off than an unsecure system. Even worse they could get the docuemnt and then send it onto loads of people that shouldn't see it, etc. That leads on to a question whether you have an actual requirement that they can only view and not download the document? If not, why go to all this effort?
But if they are able to down load it, then the most secure method may be to send them an email telling them that the document is available. They then connect to a system (web / ftp?) using credentials sent separately to authenticate their access.
I'm surprised no one has mentioned a PK-encryption over email solution. Everyone in the "enterprise" gets a copy of everyone else's public key and their own private key. Lots of tools exist to do the heavy-lifting. Start with PGP and work from there.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Let's say I have designed s very important system, and this system costs thousands dollars. I want to protect my system with a serial number as I know crackers will try to edit the binary code to bypass the serial number.
I have read about using a checksum function and apply it over my binary code and check the value if changed, but again, we are talking about a condition a cracker can avoid by editing the code.
My question is: what's the most used technique to protect important programs?
I have yet to see a "protected" digital product that had not been cracked pretty quickly after its publication (or in some cases, before its publication). Sorry, but it's the reality. You have to get the revenue by making a good product. Most of those who want to use it and can afford, will pay.
There will be a few dickheads, but that's life. You better be kind towards the legit users of your software and not bully them with weird copy protection attempts that don't work anyway.
If your app is working offline, whatever checks you do (check sums, serial code validity, etc), do them often, repeating verification code, in many routines of your software. Obfuscate your code, to make reverse engineering a more difficult task, and, if you have the possibility, implement an online check, part of the core functionality of your app residing on your server, and being serviced only to those installations that you have checked server-side for valid license key. Associate the license key to some form of unique identifier of the hardware the app is running on, and if you check online, have statistics concerning the IPs that make the verification request: if you encounter more IPs trying to verify the same license key, contact the buyer and approve a list of IPs they usually log on from, whilst blacklisting any other until specific request from them, either by mail or by phone.
The most used technique is serial numbers. But your customers will have access to the code, so they will be able to bypass your serial number check, no matter how much work you put into obfuscating it.
However, if you can provide your software as a subscription-based or one-time-payment web application, then people will not be able to do this. Whether this is feasible or not depends on the type of application you're writing.
I would always recommend to build a custom software protection before applying any kind of commercial protector such as a Packer.
In any case just a serial validation and a checksum check are not going to keep crackers away.
I would recommend you to visit my new blog www.anti-reversing.com and take a quick look at the anti-piracy tips & tricks page just to have an idea about what I am talking about.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
Currently all our files are stored on a Windows network drive and with 15 members of staff and 3 external workers, file control is beginning to become a bit of a nightmare. Even though we have a policy in place, people still seem to save file to their PCs, make changes, and copy them back without notifying anyone, send files via email instead of its location, and create folders/structures which only make sense to them.
Consequently on a recent project we found that 3 members of staff were using different versions of the same document and when those 3 people are editors and proof readers, you can probably imagine the problem that ensued in the end.
So we are looking for some nice simple file management apps. MS Sharepoint has been mentioned but we are looking to get away from being tied to a Windows machine, and the cost of setup etc. seems expensive particularly for a non-profit company. Also it seems Sharepoint may be a little over-the-top for our needs.
All we need is something that can fulfill the following:
can be used to store and control files
allow different user access
provide basic versioning
hopefully accessible through a web-browser so our remote workers can access it
We are not keen on SAAS solutions because of the nature of our confidentiality and also because we use these files all day everyday and the internet connection does go down from time to time. We want to be able to install in-house.
Ideally the solution will be FOSS, although we will consider buying software if it meets our needs.
You can try Alfresco:
Alfresco is the Open Source
Alternative for Enterprise Content
Management (ECM) led by John Newton,
founder of Documentum, and John
Powell, former COO of Business
Objects, and is backed by Accel
Partners, Mayfield Fund and SAP
Ventures.
Here has a good howto install it on linux.
The first question you probably need to ask is why the existing Windows file shares aren't working, and people are still saving files to their own computers.
For example, if they're often working outside of the office and can't access the file shares or they need to maintain a working copy, these are problems that can be fixed with SharePoint or other version control/file management software.
However, if they're just not following policy, then it's not going to matter what software you put in its place. Figuring out what problems the users have is going to help you choose the right solution.
Not sure this is the best place for such a question (its a discussio with no write/wrong answer) but anyway
Google apps for business?
http://www.google.com/apps/intl/en/business/index.html
Totally easy, low TOC (OSS is not free in a time sense).
You can share docs (read/write or read only) with external people or just do the old fashioned copy/paste the detail into OpenOffice/Word/iLife whatever and send a copy to them
Wouldn't something like a source control system be useful? SVN for example? admittedly binary files are a problem here, but if you're using a basic format you could convert to rtf or the new document standards used by Office 2007\OpenOffice.
It's worth noting that SharePoint and other variants are used widely for a reason; they do what you need.
Are you trying to avoid Windows Server completely, or just avoid buying Microsoft SharePoint Server?
If you are willing to purchase a Windows Server license you will get a basic version of SharePoint Server called SharePoint Services as part of the package. SharPoint Services allows you to have a powerful document management and collaboration system without having to buy an additional software package. It does include a version control system and you can integrate it with other applications. You can find more information here: Windows SharePoint Services 2.0 Overview.
Another MS provided solution that can handle file management and version control is Microsoft Groove. You can find more information on it here: Microsoft Groove. A great feature of Groove is that it can act as a front-end for Sharepoint (and most likely SharePoint Services) to allow users to more easily interact with the file storage mechanism.
A third option but will be less powerful would be to use your existing network file shares (through Windows or Samba), map the shares to local drives and/or reconfigure their My Documents to point to the network, and turn on Offline Storage. This will allow the users to interact with their documents as if they were local files even when they are offline. There will be a few small issues that you will experience with this route but it would break you from having to use a pure Microsoft solution.
In answer to some of the above questions.
The main reason its not working is because. One person will open a document from the shared drive and save a copy to their pc, which they work on. The changes they make are then not on the shared drive, when they copy it back, which everyone does the changes they have made overwrite any anyone else has done, they also dont inform anyone so if someone is working from that document they are now working on an old document. It is a case of getting users into a better frame of mind! But we feel software may help that, plus our external workers do not have access to the internal drive at present.
We have a number of servers, only one is windows and so we want to get away from using that windows server and have all linux servers for ease of management. Any MS product will require we run a dedicated MS machine!!
Local drives mapped is not really a good option as many people work out of the office and so wont be on the network to contribute, plus the file structure would probably not allow it.
It does seem that a MS solution might be the only one, i was just hoping there were some good alternatives available which were also a little simpler.
thnkx
A standard sharepoint document library, with versioning turned on, and checkin/checkout required, would meet your needs. Like previously posted, WSS comes free with Windows Server.