Results 1 to 20 of 20

Thread: General question on security

  1. #1

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    General question on security

    As a developer, one of the most stressful thing you have to worry about is security. How do ya'll deal with security? Whether it be an ASP.NET application or VB.NET application.

    All I know is hashing passwords, and preventing SQL injections. What other precautions can be taken to make your program hard to break into?

    What do you people do in order to ensure your programs is secure in order to prevent people from tampering with your program. Say for example, I have a VB.NET application that interacts with an web API. Say, to register you would send a POST request to the API which does everything server side. How could you protect that?

    I'd like to be lectured on topic.
    If you find my contributions helpful then rate them.

  2. #2
    Frenzied Member
    Join Date
    May 2014
    Location
    Central Europe
    Posts
    1,286

    Re: General question on security

    first question: what is the surrounding?

    if your software is only used by specialized companies in their secured network then it is completely different to a scenario where your software is used by thousands and your service is visible in the internet.

    i am more familiar with the first szenario. some rules i recall:
    .) never store a password anywhere
    .) if you got to store a password, then encrypt it to the best you can
    .) do as much as possible tied to the domain login, i.e. set permissions on shares, db etc

    basically you cannot 100% protect against criminals. if you can trust your users (which should be the case with employees/partners) then make sure it is protected to a degree that someone really needs to put up quite some criminal energy to break in.

    ok, if you work for CIA,NSA,KGB etc. that might all not apply...

  3. #3
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    9,675

    Re: General question on security

    Considering that this is not VB.Net specific, but rather security in general... I've moved the thread to the General Developer Forum.

  4. #4
    PowerPoster
    Join Date
    Feb 2006
    Posts
    21,425

    Re: General question on security

    Hard to know where to begin without defining what you are trying to prevent. You might be trying to prevent simple program copying without paying. You might be trying to limit usage.

    By "usage" I'm thinking of software you offer as a standalone program used manually for free vs. core logic and data that you make available as a DLL and encrypted data that you charge money for. Lots of people go to extremes to try to hijack the free program to use it instead of paying for the DLL and/or proprietary data. Or maybe you have a time-limited trialware product to protect.

    Another category is server-side code that you need to protect from outside attack (general mischief, denial of service, extracting sensitive data, and so on). Perhaps related might be protecting information passed between clients and servers across networks.


    I covered some of Microsoft's recommendations in [VB6] Harden Your Applications Against Hijacking, which has links to some Microsoft resources about this for compiled languages. Those are things you can do in addition to the obvious such as protecting passwords and validating inputs.

    Most of it doesn't apply to .Net though. Where it might apply it doesn't buy you much. Even when obfuscated p-code, IL, bytecode... whatever you want to call it... is generally far more trivial to decompile into readable source code than optimized native code is. Once the hacker has that it becomes easy to just look for security measures in the code and patch around them.

    Code signing was meant to help with that, since altered code will break the signature hash. But it never became practical to require signed code to run a program, so the hacker can just strip the signature out anyway.

    Basically this topic probably is specific to .Net unless you can rule it out as inherently insecure and move on. If not you can limit the discussion to obfuscators, password protection, input validation, and just accept the limited protection that can be achieved.

  5. #5

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by dday9 View Post
    Considering that this is not VB.Net specific, but rather security in general... I've moved the thread to the General Developer Forum.
    Yeah sorry about that, thanks though.
    If you find my contributions helpful then rate them.

  6. #6

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by digitalShaman View Post
    first question: what is the surrounding?

    if your software is only used by specialized companies in their secured network then it is completely different to a scenario where your software is used by thousands and your service is visible in the internet.

    i am more familiar with the first szenario. some rules i recall:
    .) never store a password anywhere
    .) if you got to store a password, then encrypt it to the best you can
    .) do as much as possible tied to the domain login, i.e. set permissions on shares, db etc

    basically you cannot 100% protect against criminals. if you can trust your users (which should be the case with employees/partners) then make sure it is protected to a degree that someone really needs to put up quite some criminal energy to break in.

    ok, if you work for CIA,NSA,KGB etc. that might all not apply...
    I meant just in general. but you're right, I need to be more specific. What I mean is just the whole security scene. You suggested never to store passwords? Where should I then store it?
    If you find my contributions helpful then rate them.

  7. #7

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by dilettante View Post
    Hard to know where to begin without defining what you are trying to prevent. You might be trying to prevent simple program copying without paying. You might be trying to limit usage.

    By "usage" I'm thinking of software you offer as a standalone program used manually for free vs. core logic and data that you make available as a DLL and encrypted data that you charge money for. Lots of people go to extremes to try to hijack the free program to use it instead of paying for the DLL and/or proprietary data. Or maybe you have a time-limited trialware product to protect.

    Another category is server-side code that you need to protect from outside attack (general mischief, denial of service, extracting sensitive data, and so on). Perhaps related might be protecting information passed between clients and servers across networks.


    I covered some of Microsoft's recommendations in [VB6] Harden Your Applications Against Hijacking, which has links to some Microsoft resources about this for compiled languages. Those are things you can do in addition to the obvious such as protecting passwords and validating inputs.

    Most of it doesn't apply to .Net though. Where it might apply it doesn't buy you much. Even when obfuscated p-code, IL, bytecode... whatever you want to call it... is generally far more trivial to decompile into readable source code than optimized native code is. Once the hacker has that it becomes easy to just look for security measures in the code and patch around them.

    Code signing was meant to help with that, since altered code will break the signature hash. But it never became practical to require signed code to run a program, so the hacker can just strip the signature out anyway.

    Basically this topic probably is specific to .Net unless you can rule it out as inherently insecure and move on. If not you can limit the discussion to obfuscators, password protection, input validation, and just accept the limited protection that can be achieved.
    Ahh I see. I'll definitely take a look into your thread and read up on it. Seems interesting.

    Thanks for your post though, I'll read it again soon because it's a bit much to digest atm because I'm busy.
    If you find my contributions helpful then rate them.

  8. #8
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,529

    Re: General question on security

    It really does depend on your scene and your users. digitalShaman said that employees can be trusted however I am going to say that no user can be trusted. It might not be that users are malicious, but they might just be curious and break something on accident.

    Depending on what type of business this application is for and the type of application it is, people may be going a long way to penetrate your system. That temporary janitor that they just hired who has keys to every room in the building and cleans when no one is there; he might be the guy who is going to find the vulnerabilities in your system and give them to his boss.

  9. #9
    Superbly Moderated NeedSomeAnswers's Avatar
    Join Date
    Jun 2002
    Location
    Manchester uk
    Posts
    2,623

    Re: General question on security

    So at the risk of repeating some stuff already said;

    The things i do from a security point of view depending on the need of the project

    1, Encryption ( for passwords ). Encrypt your password and then store in the database and then encrypt the pass entered by the user and compare.

    You suggested never to store passwords? Where should I then store it?
    I am fairly sure they meant never store passwords in plain text anywhere, only store the hashed value.

    2, Put your business logic on the server behind web services

    3, Restrict permission on database users and database objects, also use Stored Procedure for everything and only give users access to execute those stored procedures. This means that users have no access to actually change your tables or any other objects on the db directly, they can only call your stored procs.

    4, After that its mainly hardware considerations, if your creating a web app that is going to be on the Internet then you will probably want to protect your internal network through routing, domain permissions, and maybe using a DMZ.
    Please Mark your Thread "Resolved", if the query is solved & Rate those who have helped you



  10. #10
    Superbly Moderated NeedSomeAnswers's Avatar
    Join Date
    Jun 2002
    Location
    Manchester uk
    Posts
    2,623

    Re: General question on security

    HTTPS how did i forget that, read up on HTTPS

    Also SSL - see this thread

    And the newer TLS which is what MicroSoft uses for Office 365
    Please Mark your Thread "Resolved", if the query is solved & Rate those who have helped you



  11. #11
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    32,945

    Re: General question on security

    Layers... that's pretty much the key... two things: Layers and "Trust but verify".

    Sounds a bit corney, but this is how our system works. In order to use it, you have to be logged in. Even when you are logged in, when you start the app, we'll trust that you're you, but we'll verify it by asking you for your network password (it's AD-based) (for all we know you're the janitor who found the computer on and unlocked), even once you get in, EVERYTIME a resource is requested, we check for your access levels on that resource to make sure you're supposed to have access.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

  12. #12

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by NeedSomeAnswers View Post
    So at the risk of repeating some stuff already said;

    The things i do from a security point of view depending on the need of the project

    1, Encryption ( for passwords ). Encrypt your password and then store in the database and then encrypt the pass entered by the user and compare.



    I am fairly sure they meant never store passwords in plain text anywhere, only store the hashed value.

    2, Put your business logic on the server behind web services

    3, Restrict permission on database users and database objects, also use Stored Procedure for everything and only give users access to execute those stored procedures. This means that users have no access to actually change your tables or any other objects on the db directly, they can only call your stored procs.

    4, After that its mainly hardware considerations, if your creating a web app that is going to be on the Internet then you will probably want to protect your internal network through routing, domain permissions, and maybe using a DMZ.
    For number 3. Do you mean having procedures that user uses to interact with your database? For example, you have a procedure called
    GetUserInformation() whereby you enter the userId of the user and the function will return the users details in the form of an object? If so then good because that is what I usually do.

    And I have never really look into HTTPS and SSL, mainly because I have never really developed any real big time applications, I normally just develop apps on .NET that don't really need a web server. I mainly create little applications for fun or for other people. Much like freelance programming, I'm still a student you see. But learning these things is really beneficial because soon I plan to expand myself.

    Oh yeah, what I usually do now is use REST APIs... I think... I'm still confused as to how to USE them properly. What I usually do is access the API resource from the VB.NET application. So for example, to login via the API.

    you would send a POST request to login and read the JSON response, if you want to get information you would just submit a GET HTTP request and read the response. Is this good practice? Could I make it more secure by using that HTTPS like you said? If so how would that really make it more secure.
    If you find my contributions helpful then rate them.

  13. #13

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by techgnome View Post
    Layers... that's pretty much the key... two things: Layers and "Trust but verify".

    Sounds a bit corney, but this is how our system works. In order to use it, you have to be logged in. Even when you are logged in, when you start the app, we'll trust that you're you, but we'll verify it by asking you for your network password (it's AD-based) (for all we know you're the janitor who found the computer on and unlocked), even once you get in, EVERYTIME a resource is requested, we check for your access levels on that resource to make sure you're supposed to have access.

    -tg
    I see. I hold the same beliefs. Suspect everyone. Thanks though.
    If you find my contributions helpful then rate them.

  14. #14
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,529

    Re: General question on security

    Quote Originally Posted by techgnome View Post
    Layers... that's pretty much the key... two things: Layers and "Trust but verify".

    Sounds a bit corney, but this is how our system works. In order to use it, you have to be logged in. Even when you are logged in, when you start the app, we'll trust that you're you, but we'll verify it by asking you for your network password (it's AD-based) (for all we know you're the janitor who found the computer on and unlocked), even once you get in, EVERYTIME a resource is requested, we check for your access levels on that resource to make sure you're supposed to have access.

    -tg
    For my web apps, all the permissions are granular. Every function of every module has a permission of either true or false. On every page load (and form submit) it checks to make sure they are logged in and allowed to access that function. It also has methods in place to ensure that there is no cross site scripting for form submits.

    Our entire network is AD based but my web app is PHP/MySQL running on a windows machine. I have been trying to get LDAP authentication configured, but have been unsuccessful.

    Also, this entire web app is only accessible from within our intranet.
    My usual boring signature: Something

  15. #15
    Superbly Moderated NeedSomeAnswers's Avatar
    Join Date
    Jun 2002
    Location
    Manchester uk
    Posts
    2,623

    Re: General question on security

    For number 3. Do you mean having procedures that user uses to interact with your database? For example, you have a procedure called
    GetUserInformation() whereby you enter the userId of the user and the function will return the users details in the form of an object? If so then good because that is what I usually do.
    Yep exactly, but did you know you can set the permission on those procedures?

    You can actually Script your permissions as part of the Stored Procedure Script OR you can add them later in SSMS.

    Defining User Permissions in SQL server (What the User can and cant do in your database) is another layer of security.

    And I have never really look into HTTPS and SSL, mainly because I have never really developed any real big time applications, I normally just develop apps on .NET that don't really need a web server. I mainly create little applications for fun or for other people. Much like freelance programming, I'm still a student you see. But learning these things is really beneficial because soon I plan to expand myself.
    I really wouldnt' worry about it to much right now HTTPS is over kill for many apps, you would normally only use it when you have some sort of booking system or payment transactions as part of your site. It is however a good thing to learn about so reading up on it would be a good thing.

    Oh yeah, what I usually do now is use REST APIs... I think... I'm still confused as to how to USE them properly. What I usually do is access the API resource from the VB.NET application. So for example, to login via the API.

    you would send a POST request to login and read the JSON response, if you want to get information you would just submit a GET HTTP request and read the response. Is this good practice?
    Yep that sounds pretty much right, although you do a GET request to read the JSON and a POST to send data the other way.

    Could I make it more secure by using that HTTPS like you said? If so how would that really make it more secure.
    Yes it would BUT it is more complicated and not needed in every situation. It all depends on the requirements and on how secure the data needs to be.

    As i said earlier though if you start adding the ability to make payments onto a website then you need to be using it.
    Please Mark your Thread "Resolved", if the query is solved & Rate those who have helped you



  16. #16

    Thread Starter
    Fanatic Member Toph's Avatar
    Join Date
    Oct 2014
    Posts
    655

    Re: General question on security

    Quote Originally Posted by NeedSomeAnswers View Post
    Yep exactly, but did you know you can set the permission on those procedures?

    You can actually Script your permissions as part of the Stored Procedure Script OR you can add them later in SSMS.

    Defining User Permissions in SQL server (What the User can and cant do in your database) is another layer of security.



    I really wouldnt' worry about it to much right now HTTPS is over kill for many apps, you would normally only use it when you have some sort of booking system or payment transactions as part of your site. It is however a good thing to learn about so reading up on it would be a good thing.



    Yep that sounds pretty much right, although you do a GET request to read the JSON and a POST to send data the other way.



    Yes it would BUT it is more complicated and not needed in every situation. It all depends on the requirements and on how secure the data needs to be.

    As i said earlier though if you start adding the ability to make payments onto a website then you need to be using it.
    Yeah i got ya. Thanks for answering some of my questions.
    If you find my contributions helpful then rate them.

  17. #17
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    17,882

    Re: General question on security

    In AJAX I always POST.

    GET has the potential to check a cache on client for content that was already loaded - and that's not the way my Ajax web apps work.

    So POST is guaranteed to always call the server - GET is not - do not use GET.

    POST is allowed to change data. POST is allowed to return data. POST has no data limit on return size.

    POST is good for AJAX.

    Other methods do not apply to how AJAX works - DELETE or whatever...

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  18. #18
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: General question on security

    Another aspect of security that has to be answered before applying a 'secure implementation': what are you trying to protect and from whom? If you consider most web security, as an example, you'll see that it seems that they are trying to protect the users from themselves but implement the basic essential security to prevent information theft.

    (A good example is systems which only allow 8 character passwords - thankfully quite few, these days. I'd like to throttle back their car to a maximum of 20 miles per hour because it's 'safer' and see how they like that).
    "Ok, my response to that is pending a Google search" - Bucky Katt.
    "There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
    "Before you can 'think outside the box' you need to understand where the box is."

  19. #19
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    32,945

    Re: General question on security

    Quote Originally Posted by SJWhiteley View Post
    Another aspect of security that has to be answered before applying a 'secure implementation': what are you trying to protect and from whom? If you consider most web security, as an example, you'll see that it seems that they are trying to protect the users from themselves but implement the basic essential security to prevent information theft.

    (A good example is systems which only allow 8 character passwords - thankfully quite few, these days. I'd like to throttle back their car to a maximum of 20 miles per hour because it's 'safer' and see how they like that).
    Hear! Hear! I'll even supply the wire cutters and duct tape to make it possible!

    This also brings up a point that was touched on previously but I don't think any one really said it out loud and drove the point home. Toph has asked a couple times about https/ssl and whether that provides security. It does and it doesn't. When it comes to IT systems (actually, just about any kind of system, IT or not), there's basically three kinds of security:
    # Physical security - controlling physical access to the system. Can they get into the building, the floor, the room, etc. Can they get their hands on a terminal or PC that will gain them further access. This is probably the one that's most out of our hands and isn't usually much of a factor in definign security.
    # Process security - This has been the larger part of the discussion in this thread. Assuming the user does have the proper physical security access, do they they have access to the system, either in part or in whole. This is the asking for credentials at every twist and turn, the whole trust but verify. Forcing them to enter user & password info when needed. And this has nothing to do with transmission security (below).
    # Transmission security - this is where ssl/https and other data encryption come into play. Even if the user has the proper security to a form, there's still the transmission of the data. It has to get from point a to point b. Sometimes you need to encrypt the data before transmission to protect the data itself. These cases are where the data is sensitive but maybe the process isn't - like credit card processing. The process itself may not need to be protected (any one should be allowed to buy our product) but the customer's CC info IS sensitive and needs to be protected. Hmmm... I guess that leads to another type of security:
    # Data storage security - once you have the data, you need to protect it from prying eyes. Hashing passwords, encrypting CC info, things like that. Permissions on the tables, etc.

    sometimes you care about one and not so much the others, sometimes you care about the others and not the one, sometimes you don't care about any of them, and still other times you care about all of them.

    And it's because of those different security types that I think we're having trouble answering toph's question directly. It's too broad of a question.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

  20. #20
    Superbly Moderated NeedSomeAnswers's Avatar
    Join Date
    Jun 2002
    Location
    Manchester uk
    Posts
    2,623

    Re: General question on security

    And it's because of those different security types that I think we're having trouble answering toph's question directly. It's too broad of a question.
    I think it thrown up some interesting posts, however its a fair point.

    Desktop and Web App security differ and database security can easily be its own topic. I am not sure a Developer needs to be bothered about Physical security unless the are also moonlighting as a bouncer!
    Please Mark your Thread "Resolved", if the query is solved & Rate those who have helped you



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width