Follow this blog:: RSS; Email Alert

Software Engineer

Poll: Are you nervous about your applications' security?

July 5, 2011, 7:11 AM PDT

Takeaway: The recent actions of Anonymous and LulzSec have caused developer Justin James to take note. Let us know whether you think your apps could withstand a determined attack.

In the last couple of months, groups such as Anonymous and LulzSec have been tearing through the Internet, getting access to a large number of data storage areas that everyone assumed were highly secured. One of the goals of these groups is to raise awareness of the vulnerabilities, and I know that I certainly took note. I think that a lot of application developers and system administrators have gotten very complacent, and that sense of security is not warranted. How well do you think that the applications you write could withstand a determined attack?

Are you nervous about your applications' security?

J.Ja

Also read: How do you protect yourself from hacktivist groups?

Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.

About Justin James

Justin James is the Lead Architect for Conigent.

Is open source no longer a differentiator?

Parsing CSV by feeding BNF to Haskell's Parsec module

Comments

Add Your Opinion

Join the conversation!

Follow via:: RSS; Email Alert

See All Comments

Staff Picks
Top Rated
Most Recent
My Contacts

No messages found

0 Votes

+ -

www.rokettuber.tk

hovarda05 Updated - 17th Jan 2012

thank you rokettube techrep the end

View in thread

0 Votes

+ -

Always

Dethpod 8th Jul 2011

@Charles Bundy
>>Therefore it's "hardness" with regards to security is built upon a foundation of sand in front of a vast ocean...

Well said.

Any forward facing app/site is beat/fuzzed to death. And even then I am skittish. I have been hacked before... a long time ago and it is one of the worst feelings you can get. You feel violated. It is the tantamount of digital rape.

View in thread

0 Votes

+ -

Great minds thinking alike mate

h8usernames 5th Jul 2011

I was going to mention the security question, the reason I didn't (as you have seen today Justin) is my comments and answers sometimes (ok most of the time) get very long, detailed and complex.

For password resets we use information we need to do the reset or information already on the account. For 1 app we developed we use an email method that generates a random value then the user is emailed a link - nothing special until you consider we also generate a session ID for the user and bind their IP address to the unique URL (that is in the format of a sub-domain) to try and create some assurance that it is most likely the same user changing the password that requested it. If 1 parameter is wrong we kill the process and require a new password reset request, should this fail 3 times the account is locked, the user is emailed and the account stays this way for 3 hours or until we are contacted. If we get 4 locks in 1 month to an account the account is then locked until we're contacted by the customer and are satisfied that we're dealing with the correct person.
With this, we do have a higher than normal rate of abandoned accounts on our free services but our customers generally appreciate the added effort, plus we also have a higher than normal upgrade rate to paid services making it worthwhile as a business.

As our business is only now becoming viable we're currently developing an SMS reset method also for paid customers to take advantage of.

View in thread

Once logged in, adding contacts is simple. Just mouse over any member's photo or click any member's name then click the "Follow" button. You can easily manage your contacts within your account contacts page.

See all comments