
Posts

Showing posts from October, 2011

Dealing with Non-technical users

In the security profession, you usually take your findings to people with technical capabilities so that they can understand what you want to explain to them. But what if you need to deal with ordinary, non-technical users? They don't understand your security jargon; they only care about their business. I have been dealing with this sort of people for a long time, and when they sit in a remote location, it is very tough. The best way is to send them mails explaining the issue, its impact and how to fix it. Sometimes they co-operate with you; sometimes you are disappointed. For example, if you need to deal with users running an insecure service (say, FTP) on their machines, the following approach seems to work:

1. First send them a communication about the issue, e.g. what the service is all about and how it could be exploited if it is not closed or secured.
2. If they respond, well, tell them to stop FTP from Services.msc.
3. Sometimes, they are not sure

Securing Connection Strings

Today I again came across the same scenario that my colleague Sam had once asked me about. He asked me about best practices for securing connection strings, that is, the database connection string file. The general approach, irrespective of technology, is that it is best practice to move the credentials out of the source code into a configuration file. That file needs to be properly protected, using strong ACLs and strong encryption with properly protected keys. I shall give you an example for .NET, which I am familiar with, and you can suggest that developers use a similar approach for Oracle and JSP pages. Again, there are different approaches for different technologies: for ASP.NET you can use Windows authentication instead of putting the username/password and database (connection string) name in the source code. But if that is not possible and you have to mention the username/password and database name, put them in a separate configuration file such as app.config or web.config and encrypt them