- Security cannot be considered an add-on or afterthought.
- Security must be integrated into the design.
- Security should use an algorithm based on a "denied unless specifically allowed" concept.
- Depending on security being applied outside of the application is insufficient.
- Any browser-based system with a URL is public.
- Data in a URL is not secured.
- Hidden data may still be exposed with a limited search.
- Security should be applied to anything with value.
- Security should be viewed from a thief's perspective.
- Security is limited to the weakest link.
- No security system is impregnable.
- Security must be considered in all areas of a data stream (SSL and web security).
- Physical security of hardware must be considered.
SQL Injection
What is it?
A malicious technique that replaces the values sent to a SQL statement with values that cause a different action than the one the statement was written for.
SQL Injection
Example
A user name is sent to a page as userName=joe. The page has a statement like
Instead of a specific record, it gives all records. A test for the number of records returned would cause the injection to fail.
SQL Injection
Example
An injection might send a value like:
userName = a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
Instead of a specific record, it drops the users table entirely and shows all values from the data table. A test for the proper format of userName would have prevented the injection.
SQL Injection
Prevention
- Use arguments (bind parameters) to pass values, for example:
UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance
- The method that sets the arguments tests for the proper value type and format.
- The actual SQL statement is fixed and uses only the specified arguments.
- Test the value type and format of any value sent to a statement.
- If the value should just be a text string, reject any text containing specific unexpected characters.
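The three prevention points above (a fixed statement with bound arguments, a format check on the value, and a check on the number of records returned) are shown together below as an added example. This is not code from the slides or from Alpha Five; it uses Python's standard sqlite3 module with a constructed in-memory users table, and the userName format rule (letters, digits, underscore, up to 32 characters) is an assumption chosen to illustrate the "reject unexpected characters" rule as an allowlist, in the spirit of "denied unless specifically allowed".

```python
import re
import sqlite3

# Assumed format rule for userName: only letters, digits and underscore.
# Anything else (quotes, semicolons, spaces) is rejected, so the
# injection strings from the slides never reach the database at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, fullName TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("joe", "Joe Smith"), ("ann", "Ann Lee")],
    )
    return conn


def lookup_vulnerable(conn, user_name):
    """The pattern the slides warn about: the value is pasted into the SQL text.

    A value such as  x' OR 't'='t  closes the quoted string and adds a
    condition that is true for every row, so all records come back
    instead of one.
    """
    sql = "SELECT userName, fullName FROM users WHERE userName = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_name):
    """Prevention 1: the statement is fixed; the value travels as an argument.

    The driver sends the value separately from the SQL text, so quotes and
    semicolons inside it are data, not syntax. The same injection string
    simply matches no user.
    """
    return conn.execute(
        "SELECT userName, fullName FROM users WHERE userName = ?",
        (user_name,),
    ).fetchall()


def validate_user_name(user_name):
    """Prevention 2: test the type and format before the value goes anywhere."""
    return isinstance(user_name, str) and USERNAME_RE.match(user_name) is not None


def lookup_checked(conn, user_name):
    """All three checks combined: format test, bound argument, record count test."""
    if not validate_user_name(user_name):
        raise ValueError("userName contains unexpected characters")
    rows = lookup_parameterized(conn, user_name)
    if len(rows) > 1:
        # Prevention 3: a lookup by user name must return at most one record.
        raise ValueError("expected at most one record for a user name")
    return rows


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR 't'='t"
    print("vulnerable   :", lookup_vulnerable(db, injected))      # every row
    print("parameterized:", lookup_parameterized(db, injected))   # no rows
    print("format check :", validate_user_name(injected))         # False
    print("checked      :", lookup_checked(db, "joe"))            # one row
```

Running the block prints both behaviours side by side: the concatenated query returns every row for the injected value, while the parameterized query returns nothing and the format check rejects the value before any query is built.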
Alpha Security
- Security can be applied to a single file in the web project, to any folder, or by file extension.
- Security can be applied to component elements and actions.
- Security is integrated into the server technology.
- The Alpha Five Web Security is highly configurable.
Security
- Tables are published to the same folder as the web pages.
- The tables are not placed in the same location as other data tables.
- The server prevents direct access to the tables.
- The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog.
- All login processes and authorization processes are integrated into the system code and never exposed to the user.
Configuring the Web Security
- Entering initial values for users and groups
- Setting permissions