Blog posts tagged in Security
Embrace the Future of Data Architecture: Make the Switch to ER/Studio
Sometimes you need to face the inevitable: the tool selected years ago is not the one you need for the future. Have you been struggling with complicated modeling tasks or outdated tools? Are your data models getting too big to handle? We’ve heard from a lot of customers recently who have been frustrated with their old data modeling tools, for multiple reasons such as:
- Lack of functionality
- Lack of support
- Lack of a future roadmap
Embarcadero is committed to enabling our users to adapt to...
My C++ CodeRage 8 "Secure DataSnap Development" links and source code
During my recent CodeRage 8 "Secure DataSnap Development" session, I promised to make the source code of both demos available for download. I have just uploaded them to Embarcadero CodeCentral!
Demo 1: Secure C++Builder DataSnap "Hello World" server and mobile client. This is a very simple demo that shows basic security in DataSnap, including secure communication with the HTTPS protocol, encryption transport filters, plus authentication and authorisation in code.
Demo 2: Secure C++ Dat...

Cloud Security, For Real This Time
Cloud Security, For Real This Time: Homomorphic Encryption and the Future of Data Privacy. That's the title of my presentation at the next Central Ohio OWASP Quarterly Seminar, on 27 February at 1:00 p.m. Dan King, from Microsoft, will be talking about single sign-on for federated Dynamics CRM, very practical stuff which is in real world use today. I, on the other hand, will be talking about technologies which don't quite exist in fully practical forms today, but which I predict will change the ...
My "Secure DataSnap Development" CodeRage 8 session
During my CodeRage 8 "Secure DataSnap Development" session I'm demonstrating different levels of security in the DataSnap architecture.
Communication Protocol: DataSnap supports three different communication protocols: TCP/IP, HTTP, HTTPS. Choosing the HTTPS protocol, which is implemented using SSL (“Secure Sockets Layer”), adds encryption to the communication between client and server, making it a secure solution. The two other protocols – TCP/IP and HTTP – are inherently not safe, and such a commun...

YAML and Remote Code Execution
YAML's security risks are in no way limited to Rails or Ruby. YAML documents should be treated as executable code and firewalled accordingly. Deserializing arbitrary types is user-controlled, arbitrary code execution.
It's Not Just Ruby
A few weeks ago, I had a need to parse Jasmine's jasmine.yml in some C# code. I spent some time looking at existing YAML parsers for .NET and ended up deciding that spending a couple of hours writing a lightweight, purpose-specific parser for jasmine.yml made m...

Speaking at "Moving to Better Secure the Cloud"
I'll be speaking at a Slashdot/Geeknet "virtual trade show" today:
Moving to Better Secure the Cloud: Governance, Risk, and Compliance Management
My presentation will be on the potential business impact on the web if an efficient and fully homomorphic encryption system is invented. I'll be speaking sometime between 3:15 and 4:00 EST, for about 20 minutes. The target audience is CIOs. Sorry for the short notice, but this came together at the last minute!...

Would You Buy a Used Framework from This Tool?
I think the Web Platform Installer is a great tool, but I have to question the wisdom of its home page: if you click on these, you see... nothing. A description would be nice. ("Application Request Routing? What's that? EC-CUBE?") But that's not really the problem. The bigger problem is this: a "spotlighted installers" feature probably sounded great on the drawing board, but this tool is intended for public-facing web servers. It isn't the App Store; public-facing web frameworks should...

Want more... Security
As someone who travels a lot, I appreciate all of the work that security and safety teams do all over the world. Some might complain about the long lines to get through security, but I am very thankful for all that is done to protect me. We live in an online world where we all must keep track of our personal information security. There are too many stories about stolen passwords, credit card account numbers, network intrusions, and social security numbers. As developers we have many tools we...
An Excuse Not to Roll Your Own Authentication Scheme
The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words:
has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme.
I will briefly provide an excuse. "Simple BCrypt-based passwords" is a reasonable feature, but shouldn't be mistaken for end-to-end authentication, or even a substantial subset of that problem. Web site authentication in the real world is a far harder...
Delphi Labs: DataSnap XE Authentication and Authorization for Dummies :-)
"Delphi Labs" is proud to announce the immediate availability of the new episode in the "DataSnap XE" series: "Authentication and Authorization"! This work was scheduled for last week, but I hope to be back on track and am just starting to work on this week's episode on DataSnap filters. The most challenging thing this week was to invent possibly the simplest scenario of role-based security for a DataSnap server. I have ended up just implementing a basic authentication rule that only...
