2 votes, 2 answers, 40 views
Making sure database connection information is secured
This is the first time that I am working on a web application. I was going through the question What should every programmer know about web development? and noticed one thing that I knew nothing of:
...
2 votes, 1 answer, 57 views
Implementing RSA into an Android Messaging App
I am implementing RSA encryption in an Android app so that I can send SMS messages securely; each phone will have its own public and private key generated by the app.
But I am stuck deciding the best ...
-7 votes, 0 answers, 94 views
In C, how do you create secure integer variables to be used for conditions and loops? [closed]
I heard that you can use typedefs and structs to make secure variables, but I am not sure how?
0 votes, 4 answers, 132 views
How does using #define for loop and condition bounds in C increase security?
My program uses the following define statements:
#define LOWEST_PATIENT_ID 10000
#define HIGHEST_PATIENT_ID 99999
#define LOWEST_CRITICAL_STATUS 1
#define HIGHEST_CRITICAL_STATUS 100
used in this ...
2 votes, 4 answers, 93 views
How to not take risks with new collaborators?
My team is going to add new team members and my manager doesn't want to take any risks. I don't think it's a large problem but my manager is concerned that a new programmer would sabotage and ...
-1 votes, 1 answer, 122 views
python login form vulnerability?
<HTML>
<HEAD><TITLE>Login Page</TITLE></HEAD>
<BODY>
<CENTER>
<FORM method="POST" action="http://yourserver/cgi-bin/login.py">
<paragraph> Enter ...
-3 votes, 0 answers, 63 views
PHP with C++ login form? [closed]
I would like to know if it's possible to create a login form with a mix of PHP and C++? (As I am trying to develop a hacking challenge/wargame, in which the C++ code will be bugged out, and evidently ...
0 votes, 1 answer, 37 views
Secure storage of customer Info
Have any of you got to the point where you need to store a lot of info about the customer's setup, some of which is best kept encrypted (passwords and such)?
I find myself having a lot of this ...
1 vote, 0 answers, 12 views
What technology allows the “stripping” a DOC, PDF, XLS, etc of non-data features [migrated]
For security reasons, I need to reduce a document to a common format, thereby removing any Macros, metadata, cleaning embedded images, and reducing risks the attachment may pose. Even though the links ...
4 votes, 2 answers, 101 views
Would it be hard to screen form submissions (e.g., comments) for non-words/non-sentences?
I've been thinking a lot lately about the need for better form security, and good ways to accomplish that.
We currently use captcha codes to screen for bots, but that's annoying to users and may not ...
-6 votes, 1 answer, 73 views
Security Programming Jobs? Where to Start? [closed]
So I've been out of College for about a Year, working a Comfy Firmware Job. I enjoy it but Network Security is something I've always been interested in (or white-hat hacking or w/e you wanna call it). ...
14 votes, 4 answers, 381 views
Should internal code be shared with non-developers in an organisation?
Where I work, we have a lot of developers and an awful lot of code running our proprietary applications used by staff & customers alike.
We also have a lot of smart support staff that like to ...
7 votes, 1 answer, 62 views
How does one request / handle personal or financial information?
I would like to create a budget app for Android. Obviously, to be competitive, I would need to allow users to get data from their bank. For [huge] security reasons, this stuff is not just freely given ...
4 votes, 2 answers, 273 views
What should I do when I find sensitive information in version control?
Today I found what looked to be my supervisor's password in some code in version control. The password is to a database. He is very experienced and has explained before how to avoid having passwords ...
0 votes, 1 answer, 28 views
Securely expose WebService from Enterprise Network to Internet Client
Are there any standards (or certified solutions) to expose a (Web-)Service to the internet from a very security-sensitive network (e.g. Banking/Finance)?
I am not specifically talking about WS-* or ...
1 vote, 1 answer, 47 views
Implementing oAuth 2 server
Do you have any pointers on how one should go about implementing the oAuth2 protocol itself? That is, the server side or the "provider" facet of OAuth2?
If you have tried to implement (a part of) ...
4 votes, 2 answers, 114 views
Is a traditional client app which connects directly to a database a good idea?
After using Django's excellent admin interface, I was pondering creating a similar system which wasn't as tied to an ORM.
Now, while considering this, I thought that overcoming webapps limitations ...
1 vote, 1 answer, 211 views
Is there somewhere I can post code used to hack my site? [closed]
I left a bit of a door open recently on my site. Someone tried to post PHP code to a CMS page editing module, but it wasn't executed.
I have this code and was wondering if there is somewhere I should ...
2 votes, 3 answers, 78 views
Authentication for 'participants' vs 'users'
I'm building a site that lets users schedule interviews/conferences with third parties and I'm wondering what's the best way to provide security around the participant experience while providing the ...
6 votes, 2 answers, 233 views
Methods to prevent programmers from capturing user entered data?
Say I'm developing a web application with a strong focus on security. What measures can be taken to prevent those who work on the application (programmers, dbas) from capturing user entered values ...
2 votes, 2 answers, 115 views
Resources for C/C++ security (whitehat) hacking
I'm currently working as a C++ developer in a software security department, but not as a researcher or whitehat hacker. Security is an interest of mine, mainly in the areas where I can exploit code or ...
1 vote, 2 answers, 82 views
Parent and child permission schemes
Which approach makes most sense to use, the destructive one or the non-destructive one? Does anyone have real-world experience with one, both or even a different approach?
Model
A permission scheme ...
2 votes, 3 answers, 116 views
Are buffer overflows no longer a threat these days?
After following buffer overflow examples and reading on them in various books/websites it seems there are lots of preventative measures in place to protect against them these days. ASLR, /GS flag ...
2 votes, 2 answers, 131 views
How to Document the Security/Encryption Code of an Application
I am working on an application that I developed a security layer for. It uses the hardware ID of the hard drive, the MAC address and another hardware serial key to lock the software to a particular piece of ...
1 vote, 2 answers, 121 views
Why are special characters deemed risky in URLs and query strings?
From a security perspective, special characters like '&' or <b> are a big no-no in URLs and query strings. I could find articles that explained the ways to bypass this restriction, ...
-3 votes, 1 answer, 47 views
Web vs Desktop Application Security [closed]
There seems to be a common opinion that desktop applications are more secure than web applications. This makes no sense to me; every second PC I look at is loaded with viruses and crud, where web ...
1 vote, 5 answers, 157 views
Computer security expert using pre-made tools or own?
As a digital security consultant when is it 'ok' to use tools someone else made (dumb to reinvent the wheel, right?) and when should I make my own?
0 votes, 1 answer, 111 views
How does a script download a Youtube Video?
Knowing that YouTube uses Adobe Flash, which is compiled server side, to deliver its video content, I am wondering how it's possible to find a video's file name & location on the server?
This is a ...
16 votes, 4 answers, 686 views
Programmers' concerns about export restrictions from the United States
Which aspects do I need to consider when designing and publishing software that must meet the US export restrictions for cryptographic software?
Wikipedia says that there are various categories which ...
4 votes, 5 answers, 471 views
Why do certain sites prevent spaces in passwords?
It seems less common with newer websites, but many websites I need an account on (like for paying bills, etc.) prevent me from creating a password with spaces in it. This only makes things more ...
1 vote, 1 answer, 97 views
How to do a login page for third party service without letting them sign on?
We have a unique situation (at least for me, first time seeing this).
We have a web form where accountants can fill in requests and that part is taken care of. But after their login we redirect them ...
3 votes, 4 answers, 250 views
Development of a bot/web crawler detection system
I am trying to build a system for my company, which wants to check for unusual/abusive patterns of users (mainly web scrapers).
Currently the logic I have implemented parses the HTTP access logs and ...
0 votes, 1 answer, 81 views
When should I invalidate a cache of a user's credentials?
We develop a Windows client application that locally caches a user's credentials for connecting to our server application using the Windows Credential Management API.
Our caching logic works in the ...
2 votes, 3 answers, 196 views
Did I understand the website “autologin” feature right?
I'm developing an authentication library (*) for a website and I realized that maybe I'm not completely understanding what an "autologin" feature is, and how to develop it.
While gathering information and ...
1 vote, 1 answer, 74 views
How to create donation software
I have a requirement to create donation software for a project.
Does anyone know how KickStarter designed theirs? What are the security elements involved? How do I create the credit card ...
2 votes, 7 answers, 180 views
What's a good way to prepare for this course titled “Programming Language Security”?
I have a course with the following description:
The purpose of this course is the study of programming language security features and languages designed to support it explicitly. Static and ...
1 vote, 2 answers, 163 views
A good tool for browser automation/client-side Web scripting [closed]
I'm interested in adopting a tool/scripting language to automate some daily tasks connected with fighting forum spammers. A brief overview of these tasks: analyze new registrations and posts on a ...
4 votes, 2 answers, 132 views
How to protect a peer-to-peer network from inappropriate content?
I’m developing a simple peer-to-peer app in .Net which should enable users to share specific content (text and picture files). As I've learned with my last question, inappropriate content can ...
1 vote, 1 answer, 115 views
Security vulnerability and NDAs [closed]
I want to propose a situation and gain insight from the community's thoughts.
A customer, call them Customer X has a contract with a vendor, Vendor Y to provide an application and services. ...
11 votes, 3 answers, 365 views
Is it a good practice to set connection strings in a web config?
Recently I had a discussion with some of my colleagues at work because they said that it's better to have an encrypted connection string in a .DLL. And I said why not just use the connection string ...
4 votes, 1 answer, 221 views
What was the earliest use of cryptographic tokens in URLs?
I was wondering: it now seems to be more and more common to see people/framework putting cryptographic tokens in the URLs their webapps are generating (to prevent quite effectively against quite some ...
23 votes, 11 answers, 1k views
Should I accept to write insecure code if my employer requests me to do so?
My employer asked me to implement a feature that would require storing passwords in clear text in a database (or using an obscure encrypt/decrypt function stored in a binary, which is a bit better, ...
30 votes, 10 answers, 3k views
Am I responsible if a client's site is hacked 6 months later?
I built a site for a client (a Joomla! web application with standard security features), and the contract included 6 months of support.
The support period ended. The site has been hacked, and getting ...
4 votes, 8 answers, 390 views
How do I convince the IT department to relax Antivirus settings on my PC [closed]
I've been given a relatively decent new laptop at work. I really thought it would help speed development up, especially build times and the like. The problem is that our company runs McAfee ...
3 votes, 1 answer, 92 views
What procedures or audits should be used to assess the security of a software system?
Are there any standardised security procedures or auditing techniques that can be used to assess the security of a piece of software? I'm specifically interested in auditing software written in Java, ...
6 votes, 6 answers, 651 views
How can I prevent users from creating multiple accounts on a web site?
I'm building a site that needs to guarantee user reputation scores are accurate by preventing users from creating more than one account, at the cost of decreased user signups. So far, the only ...
4 votes, 2 answers, 131 views
Best practice regarding security in mobile applications
A friend asked me recently about mobile applications and the security surrounding them. As he wishes to make a mobile app that would handle very secure information such as credit card numbers, I was ...
5 votes, 3 answers, 104 views
VPN or TLSv1 for securing a program's protocol from field device to mainframe
I am working on a product that requires devices to exist anywhere in the world, hooked up to the internet through cell modems or on WLAN lines, which communicate to a server (or servers) that exists elsewhere in ...
7 votes, 8 answers, 496 views
What is a reasonable and secure password requirement for user registration?
This is the password policy I just got from UPS (just for package status checking):
Your password must be between 8 and 26 characters long. It must
contain at least three of the following ...
3 votes, 5 answers, 183 views
Secure way to remember usernames and passwords [closed]
Maybe it was already discussed. After browsing through some similar questions here about password management, I would still like to ask this question.
If there are 100 sites which require username ...