Skip to main content

Home/ SoftwareEngineering/ Group items tagged security

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

Enterprise Architect - UML Design Tools and UML CASE tools for software development - 0 views

www.sparxsystems.com/...index.html

enterprise architect uml design tools

shared by kuni katsuya on 16 May 12 - Cached
  • Code Engineering Database Engineering Debug & Visualize Applications MDG Technologies (Create & Use)* Model Driven Architecture (MDA) Project Discussion Forum Replicate .EAP Projects Reverse Engineer Binaries (Java, .NET) Shared Models WSDL Engineering XML Schema (XSD) Engineering
  • Audit Model Changes Baseline Diff/Merge DBMS Repository** Floating Edition Available Lazy Load Scripting with JScript, VBScript and Javascript Security (Role-based) WAN Optimizer
  • BPEL Generation from BPMN diagrams Business Rules Composer Executable Code Generation from Behavioral Models Math Support built into Script Engines
  • ...5 more annotations...
  • Allocated Work Execution Analyzer Menu Test Points Win 32 User Interface Designs Business Process Simulation ***
  • Gap Analysis Model Mail Project Calendar Task Allocations TOGAF Gap Analysis
  • BPEL 2.0 Generation BPMN Simulation SysML 1.2
  • Eclipse Integration
  • Eclipse Link
  • kuni katsuya on 16 May 12
     
    Code Engineering Database Engineering Debug & Visualize Applications MDG Technologies (Create & Use)*
kuni katsuya

java - Getting confused with Apache Shiro and Custom Authorizing Realms - Stack Overflow - 0 views

stackoverflow.com/...-and-custom-authorizing-realms

security ApacheShiro realm RealmSecurityManager SecurityManager authorization AuthorizationInfo

shared by kuni katsuya on 22 Sep 12 - No Cached
  • getRealms()
  • RealmSecurityManager
  • authorization is effectively disabled due to the default doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) implementation returning null
kuni katsuya

Logging Cheat Sheet - OWASP - 0 views

www.owasp.org/...Logging_Cheat_Sheet

OWASP logging BestPractices CheatSheet

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Legal and other opt-ins
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      terms & conditions acceptance, license transfers, etc
  • Data changes
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      all changes to domain objects
  • Event attributes
  • ...35 more annotations...
  • Log date and time
  • Event date and time
  • Application identifier
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. service type
  • Application address
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. service instance
  • User identity
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      ie. subject
  • Type of event
  • Severity of event
  • Description
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. event message text
  • Action
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. action performed on managed resource (eg. 'update' action on resource 'hotel')
  • original intended purpose of the request
  • Object
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      eg. managed resource being accessed
  • affected component
  • Result status
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      boolean was_successful
  • Reason
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      include in event message text
  • Extended details
  • Data to exclude
  • Access tokens
  • Session identification values
  • Sensitive personal data
  • passwords
  • Database connection strings
  • Encryption keys
  • payment
  • Information a user has opted out of collection
  • Synchronize time across all servers and devices
  • Input validation failures
  • Which events to log
  • proportional to the information security risks
  • Always log:
  • Authentication successes and failures
  • Authorization failures
  • Session management failures
  • Application errors and system events
  • Application and related systems start-ups and shut-downs
  • Use of higher-risk functionality
kuni katsuya

SQL Injection - OWASP - 0 views

www.owasp.org/...SQL_injection

security SqlInjection background overview

shared by kuni katsuya on 21 Sep 12 - No Cached
  • SQL Injection
  • "injection" of a SQL query via the input data from the client to the application
  • exploit can
  • ...18 more annotations...
  • read sensitive data
  • modify database data
  • execute administration operations
  • SQL injection errors occur when:
  • Data enters a program from an
  • untrusted source
  • The data used to
  • dynamically construct a SQL query
  • consequences are:
  • Confidentiality:
  • sensitive data
  • Authentication
  • user names and passwords
  • Authorization
  • change this information
  • Integrity
  • read sensitive information
  • changes or even delete this information
kuni katsuya

Preventing SQL Injection in Java - OWASP - 0 views

www.owasp.org/...eventing_SQL_Injection_in_Java

security SqlInjection prevention Java DefensiveCoding

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Preventing SQL Injection in Java
  • inject (or execute) SQL commands within an application
  • Defense Strategy
  • ...19 more annotations...
  • To prevent SQL injection:
  • All queries should be
  • parametrized
  • All dynamic data
  • should be
  • explicitly bound to parametrized queries
  • String concatenation
  • should never be used
  • to create dynamic SQL
  • OWASP SQL Injection Prevention Cheat Sheet.
  • Parameterized Queries
  • Prepared Statements
  • automatically be escaped by the JDBC driver
  • userId = ?
  • PreparedStatement
  • setString
  • Dynamic Queries via String Concatenation
  • never construct SQL statements using string concatenation of unchecked input values
  • dynamic queries via the java.sql.Statement class leads to SQL Injection
kuni katsuya

Guide to SQL Injection - OWASP - 0 views

www.owasp.org/...Guide_to_SQL_Injection

security SqlInjection background overview

shared by kuni katsuya on 21 Sep 12 - No Cached
  • Least privilege connections
  • Always use accounts with the
  • minimum privilege necessary
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      yet another reason why shared db logins (eg. etl_update) are a *BAD IDEA* ie. a set of apps using the same db login are effectively granted the 'highest common denominator' of db privileges, so have more access than they should (eg. update/delete privilege on tables unrelated to app)
  • ...9 more annotations...
  • for the application
  • Parameterized Queries with Bound Parameters
  • keep the
  • query
  • d data
  • separate through the use of placeholders known as "bound" parameters
  • how to Review Code for SQL Injection Vulnerabilities.
  • Guide to SQL Injection
  • "injection" of a SQL query via the input data from the client to the application
  • kuni katsuya on 21 Sep 12
     
    "Least privilege connections"
kuni katsuya

Web | Apache Shiro - 0 views

shiro.apache.org/web.html

security ApacheShiro SessionManagement session

shared by kuni katsuya on 19 Sep 12 - No Cached
  • Session Management
  • Servlet Container Sessions
  • kuni katsuya on 19 Sep 12
     
    "t"
« First ‹ Previous 141 - 148 of 148
Showing 20 items per page