Want more...Security

As someone who travels a lot, I appreciate all of the work that security and safety teams do all over the world.  Some might complain about the long lines to get through security but I am very thankful for all that is done to protect me. We live in an online world where we all must keep track of our personal information security.  There are too many stories about stolen passwords, credit card account numbers, network intrusions, and social security numbers.

As developers we have many tools we can use to help secure the systems we build. In Embarcadero RAD Studio XE, DataSnap multi-tier technology supports the HTTPS protocol and encryption filters for JSON data packets. Daniele Teti has a blog post that lists a DataSnap Filters Compendium. Embarcadero InterBase (InterBase 2009 and later) provides database security with encrypted databases and columns, Over-The-Wire encryption, AES and DES encryption, and encryption of backups. In Project Indy, there is full support for TCP/IP and HTTP protocols, applications, and transports.

We can encrypt the data on our hard drives, we can secure our networks, we can turn on anti-phishing options in our browsers, we can use anti-virus and security monitoring software, we can encrypt memory, and we can secure our passwords in wallets and lockers. But no matter how much we do to protect our systems, information, and software, there is always more to be done. We are constantly reminded to design and build security into everything we do in our systems.

Here are some links to software security advice and solutions:

In life and in software, an ounce of prevention is worth a ton of cure.  When you are at the computer, when you are thinking, when you are having a beverage, when you are walking on the beach, think about software security in your designs, databases, and code.


About
David Intersimone (known to many as David I.) is a passionate and innovative software industry veteran, often referred to as a developer icon, who extols and educates the world on Embarcadero developer tools. He shares his visions as an active member of the industry speaking circuit and is tapped as an expert source by the media. He is a long-standing champion of architects, developers and database professionals and works to ensure that their needs are folded into Embarcadero's strategic product plans. David holds a bachelor's degree in computer science from California Polytechnic State University at San Luis Obispo, California.

Comments

  • Guest
    Sebastian Gingter Friday, 15 July 2011

    As for travelling I have a strong feeling that the security madness oversteps any borders. I am not allowed to carry anything with me that could hurt people, but that I possibly could kill persons with my bare hands because of my former martial arts training doesn't matter at all.

    As for software security, you are completely right. But it's not that we don't have enough of it. We have it, but like all software pieces it's buggy, done in the wrong place or just not strong enough.

    The problem with software security is that the whole system, like a chain, completely breaks with its weakest part. That is why we read so much about successful cracker attacks. Someone thought he implemented software security, but perhaps just wasn't competent enough to do it right.

    Instead of posting some links to information material it would be better to post links to trained IT security specialists who really can do the job. If someone reads through the links, thinks he can do it and implements it wrong, that's a big problem. He thinks his system is more secure than before and therefore has to invest less in even more security. But in reality he weakened the system and doesn't know about it. That's doubly worse, because he feels safe.

    Security is a critical thing in IT systems and has also to do with prevention of physical access and the likes. It should be done from end to end ONLY by people that are trained to be specialists in security, because one small error somewhere in the security system (i.e. simply not enforcing ssl on a web page but leaving that optional) can render all other security measures totally useless, as perfect as they could be on their own.

  • Guest
    LDS Saturday, 16 July 2011

    The sooner you acknowledge that your implementation of filters is totally useless to implement sound security the sooner you will maybe decide to design Datasnap from the ground up with security in mind. But like the worst car-seller you still try to sell a Trabant as if it was a Ferrari.
    The lack of understanding of security at Embarcadero is very worrying, and your customers risk paying dearly for it one day when they discover that badly designed security is equal to no security at all, and their customers' data will be easily pilfered by hackers that know about security much more than people working on the VCL... as long as Delphi applications are still used in environments taking hackers' attention - oh well, one was, the application that should have enforced French HADOPI law, and that was pierced easily given its dreadful design: http://www.wired.com/beyond_the_beyond/2011/05/hadopi-gets-hacked/

  • Guest
    David Intersimone Saturday, 16 July 2011

    LDS- the combination of DataSnap XE's authentication, support for https, and encryption filters (there are several out there - we just ship an example not an AES one due to export controls) and you can also use Windows CryptoSecurity API and Certificate Stores interfaces in your own filter code, and finally using lower level SSL (openSSL is free) should give you what you need for DataSnap. If you have specific information about what security problems you are having with DataSnap, I will be happy to pass any specifics on to R&D.

    VCL is a separate part of a Delphi application and not related to DataSnap so I am not sure of the context there.

    As to the URL you passed along, I can't find a reference to Delphi and/or DataSnap specifically. A blog post at http://www.sandon.it/?q=node/57 is related to DataSnap 2010 and not DataSnap XP which now has https support and role based authentication that constrains method access. DataSnap also has lightweight and heavyweight asynchronous call-backs where you can completely control the data flow between client and server and back.

    There are several references to MS CryptoAPI use and Delphi - one is at http://www.koders.com/delphi/fid8D16B98EE4CB959F69F88877FB1D78A25D4EBAAD.aspx?s=pos. Another is at http://delphi.xcjc.net/viewthread.php?tid=46162


    Good feedback and keep it coming.

  • Guest
    KenR Saturday, 16 July 2011

    This just sounds like you had nothing else worthwhile to post :)

  • Guest
    David Intersimone Saturday, 16 July 2011

    KenR - one word per day for 31+ days. Got any one word(s) you want me to use?

  • Guest
    David Intersimone Saturday, 16 July 2011

    Several readers have sent me emails and posted comments about this summertime (in the Northern Hemisphere) series of blog posts. Here is a further response to KenR and others.

    In July, I am specifically writing a blog post each day (it may spill over to August) during the summer focusing on a specific word. I am tying together things from our world, history, technology, and development. In the spring, I sent emails to a wide range of contacts (developers, students, parents, friends, family, industry partners, people outside of software, etc) asking them what they wanted more of, dreamed more of, would like to have more of. Not context or focus. I was interested in what replies I would get. Some people took world views, holistic views, professional views, personal views. Some asked me what area they should reply to. I left it open on purpose as an experiment to see how people would reply and to get beyond just the programming world.

    In my blog posts, I am expressing their results, their wishes, my dreams, I hope some perspectives, and web links to resources and ideas for each of the words. Sometimes I can make the leap across industries and worlds. Sometimes I can make a good tie in to development.

    “This just sounds like you had nothing else worthwhile to post :)”

    For the one you commented on, “Want more…Security”, I could have added many more dimensions to the blog – how about financial security, job security, personal security, the security of knowing your goals, and more.

    The great thing about “Want more… xxxxxx” – one word – is that it can take you many places. If I had chosen to use a phrase, for example, that might have closed in the discussion. As I mentioned, this is an experiment. It is also leading up to something wonderful. But, everyone will just have to be a little patient, until we all get there. Or not :)

  • Guest
    LDS Saturday, 16 July 2011

    You fail to understand that Datasnap has no way to exchange securely a session key (but relying on HTTP and Indy SSL - and then you are forced to use any buggy Indy release that came with Delphi because you can't upgrade it, moreover HTTP is a one way protocol). You can use the most advanced algorithm you like, but without a way to exchange the keys properly it is useless. That demonstrates that Embarcadero can't understand basic security needs. I still have to see a code sample that demonstrates how Datasnap can setup a random encryption key, exchange it securely among connection endpoints, and maybe regenerate it during the connection. I would also suggest you to show a sample of Datasnap authenticating endpoints using Kerberos - maybe you've heard about it sometimes - that's how Windows domains (and not only) authenticate, and so on. Otherwise you just have a Trabant. You can keep on painting it red and putting a yellow sticker with a black horse on it, but it stays a Trabant.
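
The three properties asked for in the comment above (a random per-connection key, agreement on it between authenticated endpoints, and regeneration during the connection), shown as an added Python illustration that is not DataSnap code and not from the original thread. It assumes both endpoints already hold a long-term secret provisioned out of band (the same trust model as Kerberos), so it gives no forward secrecy; `Session`, `handshake` and the label strings are hypothetical names.

```python
import hashlib
import hmac
import secrets

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class Session:
    """One endpoint's view of a connection (hypothetical helper)."""
    def __init__(self, long_term_secret: bytes):
        self.secret = long_term_secret
        self.nonce = secrets.token_bytes(32)   # fresh per connection, sent in clear

    def derive(self, client_nonce: bytes, server_nonce: bytes) -> None:
        salt = client_nonce + server_nonce     # both sides use the same order
        self.key = hkdf(self.secret, salt, b"traffic key")
        self.confirm_key = hkdf(self.secret, salt, b"key confirmation")

    def proof(self, role: bytes) -> bytes:
        # Key confirmation: only a holder of the long-term secret can compute this.
        return hmac.new(self.confirm_key, role, hashlib.sha256).digest()

    def verify(self, role: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.proof(role), tag)

    def rekey(self) -> None:
        # One-way ratchet: the previous key cannot be recovered from the new one.
        self.key = hkdf(self.key, b"rekey", b"traffic key")

def handshake(client_secret: bytes, server_secret: bytes):
    """Run both sides in-process; returns (client, server, mutually_authenticated)."""
    client, server = Session(client_secret), Session(server_secret)
    for side in (client, server):
        side.derive(client.nonce, server.nonce)
    ok = (server.verify(b"client", client.proof(b"client"))
          and client.verify(b"server", server.proof(b"server")))
    return client, server, ok

if __name__ == "__main__":
    shared = secrets.token_bytes(32)           # constructed sample secret
    c, s, ok = handshake(shared, shared)
    print("authenticated:", ok, "keys match:", c.key == s.key)
```

An endpoint that does not hold the long-term secret fails the confirmation step, and every new connection yields a different traffic key because both nonces are fresh.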

  • Guest
    David Intersimone Saturday, 16 July 2011

    LDS - I will pass along your suggestion for a Kerberos endpoint authentication example. Seems like anyone could also use Microsoft CryptoAPI with DataSnap and then with a heavyweight callback channel established, could send encrypted data back and forth? I have no doubt that some developers (perhaps you?) could write custom DataSnap methods to accomplish this. BTW, I have never claimed to be a software security expert.

    Some information articles about exchanging session keys securely:

    http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.csfb500/sslo3.htm
    http://my.safaribooksonline.com/book/programming/csharp/0735619301/cryptography/ch14lev1sec10
    http://cs.nyu.edu/courses/fall04/G22.2950-001/lecture12.pdf
    http://ubiwireless.com/edwinhe/TutorialMicrosoftCryptoAPI.pdf

    Some Delphi specific encryption examples and information:

    http://www.example-code.com/delphi/encryption.asp
    http://www.example-code.com/delphihttp_kerberos.asp
