Category: Security

Get news highlights about Oracle’s 33 patches, Azure pricing, OpenAmplify 1.1, Micro Focus’ ReUZE, Mozilla’s Contributions site, and Kalido Connect 2009. Also, learn about the Toughest Developer Puzzle Ever and the 2009 Silverlight Control Builder Contest.

————————————————————————————————-

Oracle puts forth 33 patches

Oracle’s quarterly patch cycle has 33 patches, ZDNet blogger Ryan Naraine reports. This is across Oracle’s entire product line. Still, 10 patches for a “mature” SQL RDBMS product that’s been around for a long time now is quite extreme in my opinion. And five patches for WebLogic? IIS gets something like one a year. Oracle needs to get its act together.

Azure pricing announced

ZDNet blogger Mary Jo Foley published the details about Azure pricing. From reports she links to in her post, it looks like it is marginally less expensive than Amazon’s offering. I think the 99.95% connectivity SLA is a bit weak.

OpenAmplify 1.1 released

OpenAmplify has released version 1.1 of its flagship product. The new version is faster, improves how it scrapes Web pages, and is much better at linking various concepts in the document together.

The Toughest Developer Puzzle Ever is now online

Jeff Blankenburg announced that the Toughest Developer Puzzle Ever is now online. A few months ago, I tried it when there were about 6 or 7 puzzles on the site; the puzzles were definitely entertaining.

2009 Silverlight Control Builder Contest

Page Brooks announced the 2009 Silverlight Control Builder Contest. The prize list is extensive and enticing. Final submission date is September 19, 2009.

Micro Focus’ ReUZE allows migration from mainframes to Windows

Micro Focus announced ReUZE, a system that allows existing mainframe code to be moved to the .NET platform with little to no rewriting required in most cases. This looks like a great option for companies that want to get off of the mainframe platform but have legacy applications that cannot be left behind.

Mozilla makes it easier to contribute to Firefox add-on developers

In a show of support for the add-on developers who have helped make Firefox so popular, Mozilla is testing a new site called Contributions that lets users donate to their favorite add-on developers. It also provides a forum for add-on developers to tell the world a little bit about themselves, why they write add-ons, and so on.

I think that this is a smart move on Mozilla’s part. Add-ons are a major factor in Firefox’s popularity, and it can do nothing but good things to give some support to the otherwise anonymous, unpaid folks who are making those add-ons.

Kalido Connect 2009 announced for October

Kalido has announced that its annual Kalido Connect conference will be held on October 6^th this year. From what I can tell, the conference will be 100% online, which allows participates to attend without the cost of transportation, hotels, etc.

J.Ja

Disclosure of Justin’s industry affiliations: Justin James has a working arrangement with Microsoft to write an article for MSDN Magazine. He also has a contract with Spiceworks to write product buying guides.

—————————————————————————————

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

This is a guest post from Dana Gardner of TechRepublic’s sister site ZDNet. You can follow Dana on his ZDNet blog BriefingsDirect, or subscribe to the RSS feed.

Cast Iron Systems and Google have teamed up to overcome one of the biggest hurdles to cloud computing and software as a service (SaaS) in the enterprise - concerns over data security.

Cast Iron for Google Apps, which was announced today, includes the Google Secure Data Connection, enabling the encrypted exchange of data between a company’s enterprise applications and Google’s cloud offerings. This makes it easier for companies to integrate their Google Apps and Google App Engine applications with on-premises and cloud apps.

Cast Iron, Mountain View, Calif., is a SaaS and cloud applications provider, and offers pre-configured connectivity with hundreds of other applications, as well as a library of integration templates with pre-configured gadget data maps. Cast Iron for Google Apps offers a portfolio of deployment options, including integration-as-a-service through Cast Iron Cloud, and on-premise physical and virtual appliances.

In a recent survey, IT executives displayed considerable hesitancy in switching to cloud-based applications. A main reason for holding back, cited by many of these executives, was the concern over data security.

Not everyone is squeamish about using cloud apps. Schumacher Group, a $250-million U.S. emergency medicine practice management firm, has created a web portal for its medical providers using a set of custom gadgets and a Google site. The company manages 2,500 physicians who care for 2.5 million patients each year in over 150 emergency rooms across 20 states.

Cast Iron for Google Apps helps enable the extraction and secure exchange of data from Schumacher Group’s MS SQL Server data warehouse to Google Enterprise Gadgets in real-time. Providers and doctors in the Schumacher network now have more secure visibility into emergency room data from anyplace, anytime.

In other Google Apps news, the long-awaited Java support for App Engine has been announced, and the first 10,000 developers to sign up will be given a first look and a chance to comment.

With the new support, developers can build web applications using standard Java technologies and run them on Google’s scalable infrastructure. The Java environment provides a Java 6 JVM, a Java Servlets interface, and support for standard interfaces to the App Engine scalable datastore and services, such as JDO, JPA, JavaMail, and JCache.

Also included is a secure sandbox, which will allow developers to run code safely on Google servers, while being flexible enough to allow them to break abstractions at will. More information is available at http://code.google.com/appengine/docs/java/overview.html.

These two developments continue the march toward enterprise-ready cloud activities. Can we still really call cloud just a fad or hype?

Microsoft’s Chief Security Officer Bret Arsenault talks shop with Justin James. Hear what he says developers need to do better to make their applications more secure.

—————————————————————————————————————

A simple fact of life in the IT industry is that, even if you do not use Microsoft products, how secure the company’s products are will most likely end up impacting your work one way or the other.

A few years ago, Microsoft began releasing its Security Intelligence Report (SIR) in order to provide an accurate assessment of the latest threats to its products. Each report covers a six-month period. In early December 2008, I had the chance to speak with Bret Arsenault, Microsoft’s Chief Security Officer, about the SIR: Volume 5 (January 2008 - June 2008).

I find this issue of the SIR interesting for two reasons. First, for a full year’s worth of reporting periods, the number of reported High vulnerabilities has decreased. The second data point that interests me is the fact that more than 90% of HTML-borne threats affecting Windows Vista actually target third-party products — not Microsoft products. Bret said that this shift makes a lot of sense, and I tend to agree with him. Windows Vista’s security is not perfect, but it is now hardened to the point that the OS is no longer the lowest hanging fruit on the tree. In addition, as he pointed out, the data that the bad guys really want tends to be locked up inside the application now and not the OS.

Bret and I talked in-depth about what developers need to do better to make their applications more secure. He said the security holes developers are seeing are the same ones that we have been seeing for years: buffer overruns, data hardcoded into the applications, and many other bad practices.

At a technical level, applications are still not modular enough; in addition, many applications do not perform automatic updates. I asked Bret about the possibility of allowing third-party developers to participate in the Microsoft Update program, and he said it is not currently being discussed as an option.

What developers need now are the same remedies that have been recommended for quite some time. It is a matter of educating developers and helping them to become more rigorous in their practices. He said that developers need to be retrained and suggested that they should all learn about the SDL process and security, preferably as part of the training program for new developers (in other words, baked into a Computer Science or IS/IT degree program). He and I agree that it takes weeks, if not months, to give developers a good background in secure development techniques and that a couple of lunch ‘n learn training sessions or a few hours with a consultant is not sufficient.

Another large part of the problem is that developers are extremely pressed for time. They often learn new things in the trenches and, as a result, do not realize the security implications of the way they are writing code. On that note, he pointed me to Microsoft’s new site for providing security information to developers: HelloSecureWorld. He also mentioned that users are still on the hook too; there is nothing any developer can do in the face of a user who clicks “Yes” to everything. In addition, he reminded me about the Microsoft Security Assessment Tool (MSAT) and the User Awareness and Education Toolkit, which systems administrators can use to evaluate their security situation and teach users about safe computing.

I know the situation that Microsoft faces is pretty challenging. The company has so many conflicting requirements, such as maintaining backwards compatibility while making the security tighter. At the same time, it is good to see Microsoft taking the situation seriously and finally seeing some positive results — even if it has taken so long to get some relief.

Thanks again to Bret for speaking with me. I really enjoyed our conversation.

Also, be sure to read Chad Perrin’s post about the 25 most dangerous programming errors, which is a list that has been compiled by security experts from all over the world.

J.Ja

Disclosure of Justin’s industry affiliations: Justin James has a working arrangement with Microsoft to write an article for MSDN Magazine. He also has a contract with Spiceworks to write product buying guides.

—————————————————————————————————————

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

CAPTCHA is used to discern humans from computers to make sure someone (and not automated software or a bot) is really using the Web application. Here are implementations for use within your applications.

—————————————————————————————————————

Differentiating between a human user and a computer is a common task for Web applications. The need for such differentiation is due to spam and automated software or bots. One approach to testing for a human user is CAPTCHA, which makes a user type what they see in an image to use some functionality in a Web application.

What is a CAPTCHA?

CAPTCHA is an acronym for the rather lengthy phrase “Completely Automated Public Turing test to tell Computers and Humans Apart.” A CAPTCHA is a program that generates an image of letters and numbers that can be passed by most humans but not current computer systems. The user types the characters into a corresponding text box to pass the test. It provides simple yet practical security for various areas of a Web application.

Why use CAPTCHA?

The main goal of CAPTCHA is preventing automated software or bots from performing certain actions on a site. Sure, the automated code may access the site, but you don’t want it posting comments (spam), creating user accounts, or placing orders. There are a variety of situations targeted by CAPTCHA, which include the following:

• Site registration: A site can limit access to its registration system or page by using CAPTCHA as a gate to accessing it.
• Comments: Sites that allow comments often have generated content that is obviously not entered by a user. For instance, sites such as Blogger use CAPTCHA to control access to posting comments.
• Polls: CAPTCHA can help maintain the integrity of a poll by letting only humans participate.
• Passwords: A common way to attack a site is via a dictionary attack where brunt force is applied to a password field in an attempt to guess it. CAPTCHA can be used to control access to the password field, thus leaving bots in the cold.

Availability

CAPTCHA has been around for some time, so there are various implementations for use within your applications.

• reCAPTCHA: This ingenious approach to implementing CAPTCHA has users proofread text that optical character recognition (OCR) cannot recognize. It taps into the many hours spent typing in these words.
• BotDetect: A commercial solution for implementing CAPTCHA in ASP/ASP.NET applications.
• Authen-Captcha: Freely implement CAPTCHA in your Perl code.
• Asirra (Animal Species Image Recognition for Restricting Access): Read Justin James’ description of this CAPTCHA with a heart.

If you want to write your own code for using CAPTCHA in an application, the CAPTCHA project site provides a set of guidelines, which instructs you on how to make it accessible and secure the image and script. Here is a good example using ASP.NET.

Accessibility

A main drawback and an initial complaint regarding CAPTCHA is the inaccessibility of such images to users with visual impairments. Some systems gain accessibility by offering a spoken version of the image text via an audio file. When using a technology like CAPTCHA, functionality to recognize users with disabilities as human is necessary. The W3C offers a great paper on the issues of accessibility in a technology like CAPTCHA.

Not bulletproof

CAPTCHA provides a security solution based on artificial intelligence, but it is not a perfect solution. It offers an easy way to thwart most attacks, but a determined programmer may be able to develop code to break through such a hurdle to gain access to site features. For instance, a recent ZDNet story describes how spammers attacked Microsoft’s CAPTCHA — again.

Programmers are persistent, so OCR software may be used to identify the text in an image and pass through the CAPTCHA gate. To counter such moves, new approaches to CAPTCHA are being developed, which include distorting images in a way that makes them unreadable by OCR software. It is a never-ending battle that goes back and forth because spammers are determined to circumvent the system.

Another way around a security mechanism like CAPTCHA is via social engineering. There have been many reports of sites offering free porn to users who key in the solution to a CAPTCHA, which is then used elsewhere to access a site. This is one example of employing humans to crack the code.

Developers continue to push technology to thwart attacks; one example is BaffleText, which offers an improved CAPTCHA.

Conclusion

A Web application is a funny beast — you want users to visit and use the site, but you only want a certain type of user. For one thing, automated code or bots are usually not welcome — especially with certain areas of a site like collection information. This is where a security technology like CAPTCHA is used to discern humans from computers to make sure someone is really using the application.

Have you used the CAPTCHA technology in your applications? If so, did you create your own solution or use a free or commercial offering? Has using the technology been successful in keeping unwanted users away?

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.

—————————————————————————————————————-

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

Beginning with ASP.NET 2.0, the Membership API was added to simplify adding security to a Web application. Tony Patton explains out how to use the Membership API with a SQL Server backend.

——————————————————————————————————————- 

Most Web applications need to be secure because the apps allow users to sign up and log in and out of the site. Web application security is used to control access to all or part of a site.

Beginning with ASP.NET 2.0, the Membership API was added to simplify adding such security to a Web application. Find out how to use the Membership API with a SQL Server backend.

Essentials

Prior to version 2.0, .NET allowed developers to implement site security by providing a way to use Windows authentication, as well as a forms-based model. An issue with these approaches is the amount of development work that’s necessary to get them working.

In ASP.NET 2.0, the Membership API has been added; it takes over where the forms-based approach ends. The Membership API also allows you to create, delete, and edit user properties. It includes two standard Membership providers that allow you to integrate with Active Directory or utilize a SQL Server backend. You may develop a custom provider to use with the Membership API as well.

Programming

The Membership API is available with the Membership class in the System.Web.Security namespace. It exposes the following methods for working with site users:

• CreateUser: Allows you to create a new user.
• DeleteUser: Allows you to delete a user.
• FindUserByEmail: Allows you to find users with a particular e-mail address.
• FindUsersByName: Allows you to find users with a particular username.
• GeneratePassword: Allows you to generate a random password.
• GetAllUsers: Returns all users.
• GetNumberOfUsersOnline: Returns all users currently on the site.
• GetUser: Allows you to find a user by username.
• GetUserNameByEmail: Allows you to find a user by e-mail address.
• UpdateUser: Allows you to update a user.
• ValidateUser: Allows you to validate a user and password. ValidateUser is used to log a user onto the site.

These methods offer everything necessary to provide basic site security.

Using SQL Server as the backend data store

SQL Server is the default Membership provider; however, it does require setup to make it work. The.NET Framework includes a command-line tool (aspnet_regsql.exe) for adding the necessary database objects. The tool is available in this default directory:

C:<windows dir>Microsoft.NETFramework<version>aspnet_regsql.exe

When this tool runs without command-line parameters, a wizard guides you through setup. Basically, you choose the database server and the database to use. Then, a number of tables, views, and stored procedures are added to the database; these are used by the Membership API.

With the database set up, you may use it in your code as the data provider for membership services. The database connection string and the membership settings are configured in the application’s web.config file.

The database connection string is defined in the connectionStrings element. The following example connects to an instance of SQL Server 2005 using SQL Server security:

<connectionStrings>
<add name="Test" connectionString="Data Source=TestServer;User ID=Chester;Password=Tester;Initial Catalog=MembershipTest;"/>
</connectionStrings>

Other sections are added to enable the Membership API. First, the authentication element (which is contained in the system.web element) is set to Forms. Next, the membership element is added (under system.web). It contains the providers element, which is mapped to the database connection string in my example — it uses the name assigned to the connection string.

<authentication mode="Forms" />
<membership defaultProvider="TestProvider">
<providers>
<add name="TestProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="Test" />
</providers>
</membership>

(To conserve space, this snippet only contains a portion of the complete web.config.)

Now with the backend connections set up, it can be used in an application.

Combining with Login controls

A great aspect of the Membership API is that the Login controls available within Visual Studio 2005/2008 are designed to work with it. You can easily drop one of the controls on an ASP.NET Web Form and tie it to a membership provider defined in the web.config file. These login controls include the following:

• Login: Provides username and password textboxes for user logon. An error message is displayed if the logon fails. The ValidateUser method is used to check the user against the database.
• LoginView: Retrieves a user’s login status. LoginView uses this status to display content (defined in control) regardless of whether a user is logged in.
• PasswordRecovery: Provides the functionality to retrieve or reset a user’s password based on their username.
• LoginStatus: Detects the user’s authentication status and displays the appropriate login/logout option.
• LoginName: Displays the currently authenticated user’s name on the page. No value is displayed if the user is not logged on.
• CreateUserWizard: Provides an interface for registering a user on the site. By default, it collects username, password, e-mail address, and validation question. It can be extended to include more fields and steps within the process.
• ChangePassword: Allows the user to change their current password.

As an example, the following code snippet shows how the CreateUserWizard control may be used on an ASP.NET Web Form. The MembershipProvider attribute is set to the value assigned to the provider in our web.config file.

The WizardSteps allows you to customize the steps in the registration process — that is accomplished in the following example with the message that is displayed upon successful registration (asp:CompleteWizardStep element). You may define additional steps as well.

<asp:CreateUserWizard
ID="CreateUserWizard1"
runat="server"
MembershipProvider="TestProvider">
<WizardSteps>
<asp:CreateUserWizardStep runat="server">
</asp:CreateUserWizardStep>
<asp:CompleteWizardStep runat="server">
</asp:CompleteWizardStep>
</WizardSteps>
</asp:CreateUserWizard>

All of the controls are easily tied to a membership provider, so it’s simple to use the controls in a Web application without any code. Another good example is the LoginStatus control, which allows you to display custom messages according to a user’s status.

<asp:LoginStatus
ID="LoginStatus1" runat="server"
LogoutText="Not logged in"
LoginText="Not Logged in" />

Easily secure your application

One of the goals with new releases of the .NET Framework is to simplify common programming chores. Providing site security via registration and logon is a common aspect of most Web applications. The Membership API provides methods for providing this functionality, and these methods are tied to the Login controls available for use on ASP.NET Web Forms.

What ASP.NET 2.0 features simplify your projects? What features would you like to see added to ASP.NET? Share your thoughts with the Web Developer community.

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.

—————————————————————————————

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

Microsoft has put its first-hand knowledge of dealing with buggy software to very good use by releasing the Trustworthy Computing Security Development Lifecycle (SDL) to the general public. The document is based on the same process used internally at Microsoft.

The Microsoft SDL documents a process for developing secure software that can withstand attacks. It works in conjunction with the usual software development cycle, so security is a consideration throughout the development process.

Principles

If you adhere to the following principles in the Microsoft SDL, you should be on your way to reducing and mitigating security holes.

• Mandatory education: This involves the education on the many facets of building secure applications. In addition, you must continue to stay abreast of industry developments regarding security. The net effect is fewer security bugs up front since the code is developed with security in mind.
• Design decisions based on threat models: The various ways an application may be attacked are considered during application design, thus thwarting such threats. The net effect is fewer security design bugs up front.
• Do not use known insecure APIs: Only secure APIs are used in the building of an application, thus avoiding introducing bugs via the APIs. The net effect is fewer security bugs up front.
• Static analysis tools: The use of static analysis code scanning tools allows you to discover issues that may be missed during design and development. The net effect is fewer security bugs in the code.
• Avoid known weak crypto primitives and key lengths: You should only use robust crypto elements to avoid possible security breaches once an application is deployed.
• Tool requirements: The Microsoft SDL includes an appendix that defines requirements for tools used in the development of applications. This includes compiler and linker requirements and provides extra defenses, in case you miss a bug.
• Employ fuzz testing: Fuzz testing is a technique that provides random data to program inputs. If the program fails, the defects are noted. This allows you to discover bugs that may be introduced during development before a product ships.
• Code review: Inter- and intra-team code review is used to ensure solid code is created that addresses all security issues.
• Metrics: Metrics are used by every product team to measure security flaws. These measurements are used to manage the process.

The application of these principles is performed in the many phases that comprise the Microsoft SDL.

Phases

The Microsoft SDL is divided into phases that may be mapped onto the software development lifecycle. The Microsoft SDL phases include the following:

• Requirements: Security considerations are a key component of the initial design of an application. Developer education ensures the necessary knowledge in this phase. Microsoft has a central security team, with members of this team assigned to projects to advise on security issues.
• Design: The security architecture is created in this phase. Also, possible attacks and threats are documented to ensure they are considered during development.
• Implementation: The application is coded and tested in this phase, while security flaws are discovered and removed.
• Verification: The software is delivered to users as a beta version. Usage during this phase may yield more security flaws, which will be addressed before final shipment.
• Release: The software is released to the user community. Before release, a final security review is performed to ensure it is ready for release.
• Support and Servicing: After it is released, security vulnerabilities may still arise. Any bugs must be addressed and recognized in timely manner.

These phases offer a blueprint for developing secure applications, but you may choose to adapt one or all phases of the Microsoft SDL to fit your environment.

Guidance

A key point with the Microsoft SDL is that it is a guide. That is, it spells out how security can be an integral aspect of software development, but it is language and platform agnostic, so you can take it and apply it to any software development environment and team. However, the appendices in the Microsoft SDL document do provide information on tools that may be used, and these tools focus on the Windows platform.

A proactive approach

The use of the Microsoft SDL during application development may seem like a no-brainer, but developers often avoid such considerations when they’re concentrating on meeting project requirements.

With the release of the Microsoft SDL, Microsoft provides a process that coincides with the software development life cycle. This makes it easy to apply to existing processes to deliver secure applications.

Download the Microsoft SDL document and make it a part of your development process today. For more in-depth information, read The Software Development Lifecycle by Michael Howard and Steve Lipner. I also recommend taking a look at the MSDN Security Development Lifecycle blog.

Do you plan to use the Microsoft SDL?

Is security a major component in your approach to software development? Will you utilize the Microsoft SDL? Share your thoughts with the Web Development community.

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.

—————————————————————————————

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. Last week’s article focused on using ASP.NET command-line tools for encrypting portions of configuration files, while this week’s article covers coding options. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections.

(more…)

Few things are more frustrating to programmers than running across a bug you can’t solve without access to source code you don’t have. Whether you’re patching in code from an online open-source library or you’re making calls to common operating system routines, you likely spend time each week crunching code that you didn’t write and for which you may not have the source.

It’s easy to reverse engineer Java class files because Java bytecode contains a lot of the same information as its original source code. In addition, Java programs have a good reputation as being “write once, run everywhere.” This flexibility has a number of potential advantages in a distributed environment. While not unique to the Java language, code decompilation has never been deployed so publicly or ubiquitously as it is among Java developers. The flip side of decompilation is obfuscation.

(more…)

A colleague recently approached me about the concept of an application domain within ASP.NET. It took a minute to jog my memory about this security feature in the .NET Framework. If you could use a refresher on application domains, here’s a quick overview of the concept.

(more…)

This blog entry is also available as a TechRepublic download.

In many Web-based applications, functionality is controlled and/or personalized by knowing who the logged-in user is. This varies from simply displaying a greeting to the creation of custom menus depending on the user’s login.

Additionally, many organizations make use of directories such as Microsoft’s Active Directory (AD) and Novell’s Netware Directory Services (NDS), which can be deployed in conjunction with an appropriate Web server, to provide user identification at the Web server level. In the context of user authentication, which is usually done via a login page in a Web-based application, the presence of a directory can be used as an alternative authentication method. This is referred to as Single Sign On (SSO). Let’s look at how to use NDS as our directory service in a Novell NetWare environment. To provide the link between our code and NDS, we are using Novell’s NWDir1 control.

(more…)