Search Results

Search found 8253 results on 331 pages for 'secure coding'.

Page 37/331 | < Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44 | Next Page >

Web Services: Secure? Asp.net

- by Jacques

Hey there, Something I can't wrap my head around is how secure web services are. For example we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive though and the last thing we want is anybody calling the web services. I've not yet found anything that says web services has some kind of authentication methods and the only security I've seen people talk about is using certificates to encrypt the message. I'm no guru on this and would appreciate anyone's input and perhaps a link to somewhere that will explain this in simple terms. Thanks Jacques

Read the article
How to secure licensekey generation

- by Jakob Gade

Scenario, simplified for brevity: A developer creates an application for a customer. The customer sells this app to end-users. The app requires a license key to run, and this key is generated by the customer for each end-user with a simple tool created by the developer. The license key contains an expiry date for the license and is encrypted so the end-user can’t tamper with it. The problem here is that the developer (or anybody who has a copy of the license key generator) can easily create valid license keys. Should this generator fall into the wrong hands, it could spell disaster for the customers business. Ideally, the customer would have to use a password to create new license keys. And this password would be unknown to the developer, and somehow baked into the decryption algorithm in the application so it will fail if an attempt to use an unauthorized key is made. How would you implement a solution for this problem that is both transparent and secure?

Read the article
How to secure Java webservices with login and session handling

- by hubertg

I'd like to secure my (Java metro) webservice with a login. Here's how I'm planning to do that: Steps required when calling a webservice method are: call login(user,pwd), receive a session token 1.1 remember the token call servicemethod (token, arg1, arg2...) webservice checks if the token is known, if not throw exception otherwise proceed logout or timeout after x time periods of inactivity my questions: 1. what's your opinion on this approach? does it make sense? 2. are there any libraries which take the burden of writing a session handling (maybe with database persistence to survive app restarts) (the solution should be simple and easily usable with Java and .NET clients) thanks!

Read the article
How to secure connection between PHP and Android

- by Elad Cohen

I am developing an application for the Android that requires a connection with PHP pages in order to add sensitive data to a database that will affect the application. Since it's very easy to reverse engineer an android app, one can simply find the url where the data is sent to and manipulate it. I thought about creating a registration based on IMEI, but one can still able to manipulate it for his malicious purposes. I have also checked OAuth but I didn't really understand how it works and if it can help in my condition. What can I do to fully secure my application? Thanks in advance! EDIT: By the way, what I am mostly trying to achieve here is to make sure the requests are being sent from an Android and not from any other device.

Read the article
Secure login on your domain with Google App Engine

- by mhost

Hi, We are starting a very large web based service project. We are trying to decide what hosting environment to use. We would really like to use Google App Engine for scalability reasons and to eliminate the need to deal with servers ourselves. Secure logins/registrations is very important to us, as well as using our own domain. Our target audience is not very computer savvy. For this reason, we don't want to have the users have to sign up with OpenID as this can't be done within our site. We also do not want to force our customers to sign up with Google. As far as I can see, I am out of luck. I am hoping to have a definite answer to this question. Can I have an encrypted login to our site accessed via our domain, without having to send the customers to another site for the login (OpenID/Google). Thanks.

Read the article
How to secure authorization of methods

- by Kurresmack

I am building a web site in C# using MVC.Net How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a seperate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!

Read the article
Windows secure pinned website tile

- by Stijn de Voogd

I'm currently working on a pinned website tile for my website and instead of using a static XML file i'm linking the tile to a web api that returns user specific XML. My question is: Is it possible to secure this tile so that a user needs to be logged in before the data loads? The pinned website livetile doesn't send any security request headers/ cookies: - Http: Request, GET /v1/livetile/firsttile Command: GET + URI: /v1/livetile/firsttile ProtocolVersion: HTTP/1.1 UserAgent: Microsoft-WNS/6.3 Host: 192.168.14.109:2089 Cache-Control: no-cache HeaderEnd: CRLF Sidenote: Notice how it's not even sending an accept header even though it only wants xml. Info: http://msdn.microsoft.com/en-US/library/ie/dn455106 http://msdn.microsoft.com/en-us/library/ie/hh761491.aspx# Thanks in advance!

Read the article
How do I secure all the admin actions in all controllers in cakePHP

- by Gaurav Sharma

Hello Everyone, I am developing an application using cakePHP v 1.3 on windows (XAMPP). Most of the controllers are baked with the admin routing enabled. I want to secure the admin actions of every controller with a login page. How can I do this without repeating much ? One solution to the problem is that "I check for login information in the admin_index action of every controller" and then show the login screen accordingly. Is there any better way of doing this ? The detault URL to admin (http://localhost/app/admin) is pointing to the index_admin action of users controller (created a new route for this in routes.php file) Thanks

Read the article
Best Pratice to Implement Secure Remember Me

- by Yan Cheng CHEOK

Sometimes, I came across certain web development framework which doesn't provide authentication feature as in Authenication ASP.NET I was wondering what is the security measure needs to be considered, when implementing "Remember Me" login feature, by hand coding? Here are the things I usually did. 1) Store the user name in cookie. The user name are not encrypted. 2) Store a secret key in cookie. The secret key is generated using one way function based on user name. The server will verify secret key against user name, to ensure this user name is not being changed. 3) Use HttpOnly in cookie. http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html Any things else I could miss out, which could possible lead a security hole.

Read the article
iphone: is there any secure way to establish 2-way SSL from an application

- by pmilosev

Hi I need to establish a HTTPS 2-way SSL connection from my iPhone application to the customer's server. However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue). From what I have found so far the only way that the app would be able to access the certificate is to provide it pre-bundeled with the application itself, or expose an URL from which it could be fetched (http://stackoverflow.com/questions/2037172/iphone-app-with-ssl-client-certs). The thing is that neither of this two ways prevent some third party to get the certificate, which if accepted as a risk eliminates the need for 2-way SSL (since anyone can have the client certificate). The whole security protocol should look like this: - HTTPS 2-way SSL to authenticate the application - OTP (token) based user registration (client side key pair generated at this step) - SOAP / WSS XML-Signature (requests signed by the keys generated earlier) Any idea on how to establish the first layer of security (HTTPS) ? regards

Read the article
How secure is my website?

- by Doug

As a beginning web developer, I try my best to clean up all the user inputs through checks and what not. However, today, I found out my website was hacked (I'll share their website on request) and it really made my wonder how did they do it. I'm in the process of getting my website back together. What should I do to prevent these things? Is there people I should talk to and ask how secure my website is? What can I do to to keep my website safe?

Read the article
How to secure authiorization of methods

- by Kurresmack

I am building a web site in C# using MVC.Net How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a seperate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!

Read the article
How to load secure S3 images into Flex with temporary URLs

- by Yarin

I have some secure images on S3 that I need to load into Flex. I was expecting to be able to do this using signed temporary URLs but can't get it working. I know the URLs I'm generating are correct, because they load fine in my browsers' address bar. Moreover, Flex has no problem loading my images with a non-signed url when they are public, but as soon as I try signing the urls all the images fail, whether public or not. I've tried image.source = signedURL, image.load(signedURL), etc. If I try loading the file with URLLoader/URLStream, it looks like I'm getting the data OK, but I'm not sure how to translate those results to an Image control. Is this just an issue with the Image control not being able to recognize signed urls? Do I have to load the image from a byte array? What would that look like?

Read the article
Spring security oauth2 provider to secure non-spring api

- by user1241320

I'm trying to set up an oauth 2.0 provider that should "secure" our restful api using spring-security-oauth. Being a 'spring fan' i thought it could be the quicker solution. main point is this restful thingie is not a spring based webapp. boss says the oauth provider should be a separate application, but i'm starting to doubt that. (got this impression by reading spring-security-oauth) i'm also new here so haven't really got my hands into this other (jersey-powered) restul api (core of our business). any help/hint will be much appreciated.

Read the article
Is it secure to use malloc?

- by Felix Guerrero

Somebody told me that allocating with malloc is not secure anymore, I'm not a C/C++ guru but I've made some stuff with malloc and C/C++. Does anyone know about what risks I'm into? Quoting him: [..] But indeed the weak point of C/C++ it is the security, and the Achilles' heel is indeed malloc and the abuse of pointers. C/C++ it is a well known insecure language. [..] There would be few apps in what I would not recommend to continue programming with C++."

Read the article
htpasswd, secure specific files in zend framework

- by AKFourSeven

Hi I have been bashing my head against the wall with this riddle and cannot find the way to solve this. I would like to secure couple of files to restrict access to certain pages but my attempts so far are unsuccessful. I do not want to use Zend Auth as it is a very small web site doing simple stuff. Here is a sample of what I have done: AuthUserFile /path/to/my/.htpasswd AuthName "Admin Restriction" AuthType Basic <Files file.phtml> require valid-user </Files> Is there any way to achieve this ?

Read the article
Most frustrating programming style you've encountered

- by JaredPar

When it comes to coding style I'm a pretty relaxed programmer. I'm not firmly dug into a particular coding style. I'd prefer a consistent overall style in a large code base but I'm not going to sweat every little detail of how the code is formatted. Still there are some coding styles that drive me crazy. No matter what I can't look at examples of these styles without reaching for a VIM buffer to "fix" the "problem". I can't help it. It's not even wrong, I just can't look at it for some reason. For instance the following comment style almost completely prevents me from actually being able to read the code. if (someConditional) // Comment goes here { other code } What's the most frustrating style you've encountered?

Read the article
Writing secure java code with RMI

- by jtnire

Hi Everyone, This may seem like a very broad question, but any help is appreciated. I have a client/server solution written in java which uses the Cajo project (which uses RMI). I just want to try and make my solution as secure as possible, given the sensitive data that will be transferred between server and client. So far, my ideas are to make all my classes "final" as well as throw a "non-serializable" exception for all my classes in the server (except for the object bound in the RMI registry, and any objects that actually do need to be transferred of course). Can anyone think of any other ideas? I know that someone could write a malicious client - this isn't hard to do as you can find out the remote object's API using reflection. However is there anything I can do to protect a malicious client access classes/objects within the server that they are not supposed to access? Many Thanks

Read the article
Secure password transmission over unencrypted tcp/ip

- by academicRobot

I'm in the designing stages of a custom tcp/ip protocol for mobile client-server communication. When not required (data is not sensitive), I'd like to avoid using SSL for overhead reasons (both in handshake latency and conserving cycles). My question is, what is the best practices way of transmitting authentication information over an unencrypted connection? Currently, I'm liking SRP or J-PAKE (they generate secure session tokens, are hash/salt friendly, and allow kicking into TLS when necessary), which I believe are both implemented in OpenSSL. However, I am a bit wary since I don't see many people using these algorithms for this purpose. Would also appreciate pointers to any materials discussing this topic in general, since I had trouble finding any.

Read the article
Secure messaging using Signed MIME is it reliable?

- by aaronb

We have an automatic reporting and notification system written in .net that sends emails with plain text. We are having to encrypt the messages that we send our clients. The possible implementation approaches we have: Send messages as S/Mime email with attachments. Plain text email with that just contains a link to a web site that will display the message over https. It seems like S/Mime is a simpler solution, as we won't need to create the web application or secure it. Our concern is our interoperability with our clients email clients and more importantly their email filtering software. Has anyone had success or issues deploying a Signed MIME messaging solution?

Read the article
Secure Gmail login on web browser from external Java program

- by Zach Scrivena

Is there a secure way of logging into a Gmail account on a web browser, from an external Java program? I know the following works, but is there a safer alternative? Desktop.getDesktop().browse(new URI( "https://www.google.com/accounts/ServiceLoginAuth?continue=http://mail.google.com/gmail" + "&service=mail&Email=LOGIN&Passwd=PASSWORD&null=Sign+in")); Clarification: The external Java program is GmailAssistant, a Gmail notifier that already uses the IMAP capabilities of JavaMail. I just need a way of allowing the user to access the account directly in a web browser.

Read the article
Secure C# Assemblies from unauthorized Callers

- by Creepy Gnome

Is there any way to secure your assembly down to the class/property & class/method level to prevent the using/calling of them from another assembly that isn't signed by our company? I would like to do this without any requirements on strong naming (like using StrongNameIdentityPermission) and stick with how an assembly is signed. I really do not want to resort to using the InternalsVisibleTo attribute as that is not maintainable in a ever changing software ecosystem. For example: Scenario One Foo.dll is signed by my company and Bar.dll is not signed at all. Foo has Class A Bar has Class B Class A has public method GetSomething() Class B tries to call Foo.A.GetSomething() and is rejected Rejected can be an exception or being ignored in someway Scenario Two Foo.dll is signed by my company and Moo.dll is also signed by my company. Foo has Class A Moo has Class C Class A has public method GetSomething() Class C tries to call Foo.A.GetSomething() and is not rejected

Read the article
What is the most frustrating programming style you've encountered?

- by JaredPar

When it comes to coding style I'm a pretty relaxed programmer. I'm not firmly dug into a particular coding style. I'd prefer a consistent overall style in a large code base but I'm not going to sweat every little detail of how the code is formatted. Still there are some coding styles that drive me crazy. No matter what I can't look at examples of these styles without reaching for a VIM buffer to "fix" the "problem". I can't help it. It's not even wrong, I just can't look at it for some reason. For instance the following comment style almost completely prevents me from actually being able to read the code. if (someConditional) // Comment goes here { other code } What's the most frustrating style you've encountered?

Read the article
Secure Webservice?

- by cam

I'm trying to create a secure webservice (that provides simple database data) with PHP that can be connected to through my Silverlight application. I don't know enough about PHP to be able to see another way to do this. The webservice should only be accessible through the client, and only with the proper username/password. The only two ways I can imagine to do this would be by passing the username/password hash via URL, or use a "hidden form" and do it via POST_. I'm just trying to get past this point, I'm the sole developer on this project and I'm just trying to get past this PHP webservice part so I can get back to being an application programmer :) Normally, I would learn PHP, but I'm on the clock, so I'm just looking for a point in the right direction on how to achieve this!

Read the article
Is this a secure way to structure a mysql_query in PHP

- by Supernovah

I have tried and tried to achieve an SQL injection by making custom queries to the server outside of firefox. Inside the php, all variables are passed into the query in a string like this. Note, by this stage, $_POST has not been touched. mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . ')); Is that a secure way to make a change?

Read the article

< Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44 | Next Page >