Search Results

Search found 120608 results on 4825 pages for 'code access security'.


  • what are some good interview questions for a position that consists of reviewing code for security vulnerabilities?

    - by John Smith
    The position is an entry-level position that consists of reading C++ code and identifying lines of code that are vulnerable to buffer overflows, out-of-bounds reads, uncontrolled format strings, and a bunch of other CWEs. We don't expect the average candidate to be knowledgeable in the area of software security nor do we expect him or her to be an expert computer programmer; we just expect them to be able to read the code and correctly identify vulnerabilities. I guess I could ask them the typical interview questions: reverse a string, print a list of prime numbers, etc., but I'm not sure that their ability to write code under pressure (or lack thereof) tells me anything about their ability to read code. Should I instead focus on testing their knowledge of C++? Ask them if they understand what a pointer is and how bitwise operators work? My only concern about asking that kind of question is that I might unfairly weed out people who don't happen to have the knowledge but have the ability to acquire it. After all, it's not like they will be writing a single line of code, and it's not like we are looking only for people who already know C++, since we are willing to train the right candidate. (It is true that I could ask those questions only to those candidates who claim to know C++, but I'd like to give the same "test" to everyone.) Should I just focus on trying to get an idea of their level of intelligence? In other words, should I get them to talk and pay attention to the way they articulate their thoughts, and so on?


  • Wildcards in jnlp template file

    - by Andy
    Since the last security changes in Java 7u40, it is required to sign a JNLP file. This can either be done by adding the final JNLP in JNLP-INF/APPLICATION.JNLP, or by providing a template JNLP in JNLP-INF/APPLICATION_TEMPLATE.JNLP in the signed main jar. The first way works well, but we would like to allow passing a previously unknown number of runtime arguments to our application. Therefore, our APPLICATION_TEMPLATE.JNLP looks like this:

        <?xml version="1.0" encoding="UTF-8"?>
        <jnlp codebase="*">
          <information>
            <title>...</title>
            <vendor>...</vendor>
            <description>...</description>
            <offline-allowed />
          </information>
          <security>
            <all-permissions/>
          </security>
          <resources>
            <java version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
            <jar href="launcher/launcher.jar" main="true"/>
            <property name="jnlp...." value="*" />
            <property name="jnlp..." value="*" />
          </resources>
          <application-desc main-class="...">
            *
          </application-desc>
        </jnlp>

    The problem is the * inside of the application-desc tag. It is possible to wildcard a fixed number of arguments using multiple argument tags (see code below), but then it is not possible to provide more or less arguments to the application (Java Webstart will not start with an empty argument tag).

        <application-desc main-class="...">
          <argument>*</argument>
          <argument>*</argument>
          <argument>*</argument>
        </application-desc>

    Can someone confirm this problem and/or does anyone have a solution for passing a previously undefined number of runtime arguments to the Java application? Thanks a lot!


  • wss4j: - Cannot find key for alias: monit

    - by feiroox
    Hi, I'm using axis1.4 and wss4j. When I define in client-config.wsdd for WSDoAllSender and WSDoAllReceiver different signaturePropFiles where I have different key stores defined with different certificates, I'm able to have different certificates for sending and receiving. But when I use the same signaturePropFiles with the same keystore, I get this message when I try to send a message:

        org.apache.ws.security.components.crypto.CryptoBase -- Cannot find key for alias: [monit] in keystore of type [jks] from provider [SUN version 1.5] with size [2] and aliases: {other, monit}
        - Error during Signature: ; nested exception is: org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: java.lang.Exception: Cannot find key for alias: [monit]
        org.apache.ws.security.WSSecurityException: Error during Signature: ; nested exception is: org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: java.lang.Exception: Cannot find key for alias: [monit]
            at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:60)
            at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
            at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:168)
            at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
            at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
            at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
            at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
            at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
            at org.apache.axis.client.Call.invoke(Call.java:2767)
            at org.apache.axis.client.Call.invoke(Call.java:2443)
            at org.apache.axis.client.Call.invoke(Call.java:2366)
            at org.apache.axis.client.Call.invoke(Call.java:1812)
            at cz.ing.oopf.model.wsclient.ModelWebServiceSoapBindingStub.getStatus(ModelWebServiceSoapBindingStub.java:213)
            at cz.ing.oopf.wsgemonitor.monitor.util.MonitorUtil.checkStatus(MonitorUtil.java:18)
            at cz.ing.oopf.wsgemonitor.monitor.Test02WsMonitor.runTest(Test02WsMonitor.java:23)
            at cz.ing.oopf.wsgemonitor.Main.main(Main.java:75)
        Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: java.lang.Exception: Cannot find key for alias: [monit]
            at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:721)
            at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:780)
            at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
            ... 15 more
        Caused by: java.lang.Exception: Cannot find key for alias: [monit]
            at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:214)
            at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:713)
            ... 17 more

    How to have two certificates for wss4j in the same keystore? Why can it not find my certificate there when I have two certificates in one keystore? I have the same password for both certificates regarding PWCallback (CallbackHandler).

    My properties file:

        org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
        org.apache.ws.security.crypto.merlin.keystore.type=jks
        org.apache.ws.security.crypto.merlin.keystore.password=keystore
        org.apache.ws.security.crypto.merlin.keystore.alias=monit
        org.apache.ws.security.crypto.merlin.alias.password=***
        org.apache.ws.security.crypto.merlin.file=key.jks

    My client-config.wsdd:

        <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
          <globalConfiguration>
            <requestFlow>
              <handler name="WSSecurity" type="java:org.apache.ws.axis.security.WSDoAllSender">
                <parameter name="user" value="monit"/>
                <parameter name="passwordCallbackClass" value="cz.ing.oopf.common.ws.PWCallback"/>
                <parameter name="action" value="Signature"/>
                <parameter name="signaturePropFile" value="monit.properties"/>
                <parameter name="signatureKeyIdentifier" value="DirectReference" />
                <parameter name="mustUnderstand" value="0"/>
              </handler>
              <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="session"/>
              </handler>
              <handler type="java:org.apache.axis.handlers.JWSHandler">
                <parameter name="scope" value="request"/>
                <parameter name="extension" value=".jwr"/>
              </handler>
            </requestFlow>
            <responseFlow>
              <handler name="DoSecurityReceiver" type="java:org.apache.ws.axis.security.WSDoAllReceiver">
                <parameter name="user" value="other"/>
                <parameter name="passwordCallbackClass" value="cz.ing.oopf.common.ws.PWCallback"/>
                <parameter name="action" value="Signature"/>
                <parameter name="signaturePropFile" value="other.properties"/>
                <parameter name="signatureKeyIdentifier" value="DirectReference" />
              </handler>
            </responseFlow>
          </globalConfiguration>
          <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender">
          </transport>
        </deployment>

    Listing from keytool:

        keytool -keystore monit-key.jks -v -list
        Enter keystore password:
        Keystore type: JKS
        Keystore provider: SUN
        Your keystore contains 2 entries
        Alias name: other
        Creation date: Jul 22, 2009
        Entry type: PrivateKeyEntry
        Certificate chain length: 1
        Certificate[1]: ....
        Alias name: monit
        Creation date: Oct 19, 2009
        Entry type: trustedCertEntry


  • Creating Custom Assertions in Oracle Web service Manager (OWSM)

    - by sachin
    I am trying to create the example given at this site: http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/custom_assertions.htm#CIHFGJAG but while compiling I get the following errors:

        Error(63,64): cannot access oracle.annotation.logging.Publish
        Error: error: in class file D:\Installations\Oracle\Middleware_11g\oracle_common\modules\oracle.wsm.common_11.1.1\wsm-policy-core.jar/oracle/wsm/resources/enforcement/EnforcementMessageID.class: unknown enum constant oracle.annotation.logging.Publish.NO
        Error(69,28): cannot access oracle.annotation.logging.Category
        Error(70,48): cannot find variable FAULT_FAILED_CHECK
        Error(75,17): cannot access oracle.annotation.logging.Severity

    I have included: wsm-policy-core.jar, wsm-agent-core.jar. findjars.com shows oracle.annotation.logging.Publish present in: logging-utils.jar. I downloaded the latest oc4j, but am still not able to find this jar or resolve the issue. Please help!


  • Session Id in url and/or cookie? [closed]

    - by Jacco
    Most people advise against rewriting every (internal) url to include the sessionId (both GET and POST). The standard argument against it seems to be:

        If an attacker gets hold of the sessionId, they can hijack the session. With the sessionId in the url, it easily leaks to the attacker (by referer etc.)

    But what if you put the sessionId in both an (encrypted) cookie and the url? If the sessionId in either the cookie or the url is missing or if they do not match, decline the request. Let's pretend the website in question is free of xss holes, the cookie encryption is strong enough, etc. etc. Then what is the increased risk of rewriting every url to include the sessionId?

    UPDATE: @Casper That is a very good point. So up to now there are 2 reasons:

        - bad for search engines / SEO if used in public part of the website
        - can cause trouble when users post an url with a session Id on a forum, send it through email or bookmark the page

    apart from the:

        It increases the security risk, but it is not clear what the increased risk is.

    Some background info: I've a website that offers blog-like service to travellers. I cannot be sure cookies work nor can I require cookies to work. Most computers in internet cafes are old and not (even close to) up-to-date. The user has no control over them and the connection can be very unreliable for some more 'off the beaten path' locations. Binding the session to an IP-address is not possible, some places use load-balancing proxies with multiple IP addresses. (and from China there is The Great Firewall). Upon receiving the first cookie back, I flag cookies as mandatory. However, if the cookie was flagged as mandatory but not there, I ask for their password once more, knowing their session from the url. (Also cookies have a 1 time token in them, but that's not the point of this question).

    UPDATE 2: The conclusion seems to be that there are no extra *security* issues when you expose your session id through the URL while also keeping a copy of the session id in an encrypted cookie. Do not hesitate to add additional information about any possible security implications.


  • Using clang to analyze C++ code

    - by aneccodeal
    We want to do some fairly simple analysis of user's C++ code and then use that information to instrument their code (basically regen their code with a bit of instrumentation code) so that the user can run a dynamic analysis of their code and get stats on things like ranges of values of certain numeric types. clang should be able to handle enough C++ now to handle the kind of code our users would be throwing at it - and since clang's C++ coverage is continuously improving by the time we're done it'll be even better. So how does one go about using clang like this as a standalone parser? We're thinking we could just generate an AST and then walk it looking for objects of the classes we're interested in tracking. Would be interested in hearing from others who are using clang without LLVM.


  • architecture mismatch between the Driver and Application?

    - by shane87
    I am using JDBC to connect to my microsoft access database. I get the following exception when I try to connect to the database: java.sql.SQLException: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application I am using 64bit windows7, and I am using eclipse which is also a 64bit version My database is a microsoft access database and it seems that the driver is a 32bit driver which is causing the problem. I read somewhere that microsoft has not released a 64bit driver for microsoft access! Any help on how to solve this problem would be greatly appreciated.


  • how i can get AspNetAccessProvider?

    - by loviji
    Hello, in my asp.net web application I used ASPNetSQLProvider for membership. Now I need to use ASPNETAccessProvider. I wrote in the webconfig file:

        <membership defaultProvider="AccessMembershipProvider" >
          <providers>
            <clear />
            <add name="AccessMembershipProvider" type="System.Web.Security.AccessMembershipProvider" connectionStringName="AccessConnection" />
          </providers>
        </membership>

    and when trying to create a user, the code fails: Could not load type 'System.Web.Security.AccessMembershipProvider'. How can I fix this?


  • PartCover shows 0% coverage for getter and 100% coverage for setter despite the code being commented

    - by Gorgsenegger
    Hi all, I have a public property in my code as below:

        [DependencyInjection]
        public IEVentController EventController { get; set; }

    I also have a line of code referencing the EventController property:

        EventController.ExecuteObjectEvents( someObject, null );

    Now currently (due to some missing implementation in another part of the application) I commented both these code sections out. Nevertheless, when I run PartCover it shows me a coverage of 0% for get_EventController and 100% for set_EventController. The strange thing is, that the Coverage Details view also correctly shows me that the code is commented out and therefore should not be treated as code - why does PartCover recognise it anyway? I would have expected to not get the getter and setter listed in the PartCover result. There is definitely no other reference to that code in the class to be tested, any ideas? Thanks in advance & Best regards G.


  • Call a protected method from outside a class in PHP

    - by Chad Johnson
    I have a very special case in which I need to call a protected method from outside a class. I am very conscious about what I do programmingwise, but I would not be entirely opposed to doing so in this one special case I have. In all other cases, I need to continue disallowing access to the internal method, and so I would like to keep the method protected. What are some elegant ways to access a protected method outside of a class? So far, I've found this. I suppose it may be possible to create some kind of double-agent instance of the target class that would sneakily provide access to the internals...


  • Test assembly code on a mac

    - by happyCoding25
    Hello, a while back I was following some tutorials on assembly. I was running it all on a Windows machine, compiling with NASM and then writing the compiled code to a floppy disk, then rebooting and trying the code. This process was long and time consuming and sadly was not on a Mac. When I found out that Xcode for Mac installed NASM I immediately tried to compile some code. The code compiled fine. The issue is testing it. On a Mac I have no floppy (not like I want to use one) so I'm not sure how to test this. I looked into Q (kju) and found it would only emulate things on an ISO file. So I guess what I'm asking is: is it possible to install the compiled code on an ISO file for testing? (Note: the code when compiled forms a .bin file) Thanks for any help


  • Easiest way of unit testing C code with Python

    - by Jon Mills
    I've got a pile of C code that I'd like to unit test using Python's unittest library (in Windows), but I'm trying to work out the best way of interfacing the C code so that Python can execute it (and get the results back). Does anybody have any experience in the easiest way to do it? Some ideas include:

        - Wrapping the code as a Python C extension using the Python API
        - Wrap the C code using SWIG
        - Add a DLL wrapper to the C code and load it into Python using ctypes
        - Add a small XML-RPC server to the c-code and call it using xmlrpclib (yes, I know this seems a bit far-out!)

    Is there a canonical way of doing this? I'm going to be doing this quite a lot, with different C modules, so I'd like to find a way which is least effort.


  • Generate an LTPA token?

    - by Shadowman
    We have a need to integrate a server with our WebSphere environment that does not support LTPA. I found the blog post here and corresponding code to decode the information in an LTPA token. However, there's no code explaining the digital signature and how that's generated/validated. Does anyone have any information on how to generate an LTPA token in custom code?


  • How to use Custom AuthorizeAttribute for controller utilizing parameter value?

    - by RSolberg
    I am trying to secure a controller action to prevent a user from accessing an Entity that they do not have access to. I am able to do this with the following code.

        public ActionResult Entity(string entityCode)
        {
            if (CurrentUser.VerifyEntityPermission(entityCode))
            {
                //populate viewModel...
                return View(viewModel);
            }
            return RedirectToAction("NoAccessToEntity", "Error");
        }

    I would like to be able to add an attribute to the controller action itself. In order to validate the access to the entity, I need to see what value has been passed to the controller and what entities the user has access to. Is this possible?

        [EntityAuthRequired]
        public ActionResult Entity(string entityCode)
        {
            //populate viewModel...
            return View(viewModel);
        }


  • General ODBC Error in VBA

    - by raam
    Hi, I am populating the data from MS Access by using VBA. I am using the code mentioned below. If I run the same code in MS 2007 then it runs properly, but if I run the same code in MS 2003 it gives the "General ODBC Error". How to solve this problem? Any help would be appreciated!! Thanks in advance

        Sub Button2_Click()
            Dim varConnection As String
            Dim varSQL As String
            Dim cal, cal1, x
            varConnection = "ODBC; DSN=MS Access Database;DBQ=D:\Box\Generate.mdb;Driver={Driver do Microsoft Access (*.mdb)}"
            ' varSQL = "SELECT * FROM Empdata"
            With ActiveSheet.QueryTables.Add(Connection:=varConnection, Destination:=ActiveSheet.Range("C7"))
                .CommandText = varSQL
                .Name = "Query-39008"
                .Refresh BackgroundQuery = False
            End With
        End Sub


  • Do you have any tips for code comments to keep them in step with the code?

    - by Rob Wells
    G'day, I've read both of Steve McConnell's excellent Code Complete books "Code Complete" and "Code Complete 2" and was wondering if people have any other suggestions for commenting code. My commenting mantra could be summed up by the basic idea of expressing "what the code below cannot say". While enjoying this interesting blog post by Jeff about commenting I was still left wondering "When coding, when do you feel a comment is required?" Edit: Oops. Seems to be a duplicate of this question http://stackoverflow.com/questions/121945/how-do-you-like-your-comments so sorry for the noise. Thanks to my, seemingly, SO shadow for pointing it out - wouldn't have thought I was that interesting. Now off to read the original post and see if it is relevant. Edit: I meant to emphasise the best approach to ensure that your comments will stay in step with the code. Maybe expressing an intent rather than the mechanism for instance.


  • seeing C# windows forms project code from F#

    - by Pessimist
    I have a C# Windows Forms project open with some C# code in it. Question: How can I have an F# file that I can write F# code in but still referencing all the C# code I have on Form1.cs (including the GUI). I can successfully do this:

        - Create a C# Windows Forms project
        - Create a F# Library project
        - Reference the F# Library DLL from my C# project
        - That way I can call F# functions from C#

    But I still can't see my buttons and textboxes from F#. I understand that that is because it's a library and it can't reference System.Windows.Forms. So how do I fix this? I don't want it to be a library or this or that, I just want it to be a file that will allow me to write F# code while being able to reference my C# Form and code. I guess you can say I want an F# file that is also a "partial class Form1" so that I can continue writing code for the same Project, but using F# instead. How do I do that?


  • showSettings callback in Flex?

    - by Jim Robert
    I am pretty new to flex, so forgive me if this is an obvious question. Is there a way to open the Security.showSettings (flash.system.Security) with a callback? or at least to detect if it is currently open or not? My flex application is used for streaming audio, and is normally controlled by javascript, so I keep it hidden for normal use (via absolute positioning it off the page). When I need microphone access I need to make the flash settings dialog visible, which works fine, I move it into view and open the dialog. When the user closes it, I need to move it back off the screen so they don't see an empty flex app sitting there after they change their settings. thanks :)


  • how to profile my code??

    - by kaki
    I want to know how to profile my code... I have gone through the docs, but as there were no example codes given I could not get anything from it. I have a large code and it is taking so much time, hence I want to profile and increase its speed. I haven't written my code in methods, there are a few in between but not completely. I don't have any main in my code. I want to know how to use profiling. Looking for some example or sample code about how to profile. I tried psyco, i.e. just added two lines at the top of my code:

        import psyco
        psyco.full()

    Is this right? It did not show any improvement. And any other way of speeding up, please suggest. Thanks in advance.


  • How's my pygame code?

    - by Isaiah
    I'm still getting the hang of lots of things and thought I should post some code I made with pygame and get some feedback^^. I posted code here: http://urlvars.com/code/snippet/39272/my-bouncing-program http://urlvars.com/code/snippet/39273/my-bouncing-program-classes There are some things that I implemented that I'm not using yet, I just realized, like a timer at the bottom of the main while loop. If my code isn't readable, I'm sorry, I'm self taught and this is the first code I've ever posted anywhere. By the way I made some variables that take the screensize and half it to find a point to spit out the squares, but when I try to use it, it makes a weird effect :/ Try switching the list I have in the newbyte() function with the halfScreen variable and see it freak out o.O Thank you


  • Custom certificate as proof of transaction

    - by Andy
    I'm developing a site where a user conducts a given transaction and once completed, the user is issued with a 'secure certificate'. The certificate serves as proof of the transaction and the user is able to upload the certificate at a later stage, to view the details of the transaction. At the moment I'm using a custom XML document with encrypted fields. It works perfectly, but I would like a standardized approach, such as an X.509 certificate. I'm no encryption expert, but from what I gather, X.509 is more geared towards SSL issued by a CA. Is it possible to create your own valid CRT file? As a test, I created a CRT file with the example provided on Wikipedia. However, when I open the file in Windows I get this warning: Invalid Public Key Security Object File - This file is invalid as the following: Security Certificate. Not having much luck here, so time to ask the experts. What direction should I be heading in? Any guidance would be greatly appreciated.


  • How to secure authorization of methods

    - by Kurresmack
    I am building a web site in C# using MVC.Net. How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a separate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!


  • Can an Aspect conditionally render parts of a JSP page ?

    - by Scott The Scot
    At present the jsp pages have normal authorize tags to conditionally render links and information etc. The website is on the intranet, and we're using Spring Security 2.0.4. I've now got a business user who wants to allow all roles to access everything for the first few weeks, then gradually add the security back in as feedback is gathered from the business. Rather than go through every page, removing the authorize tags, only to have to put them back in, is it possible to configure these through an aspect, or is there any other way to externalize this into a config file? I've found Spring's MethodSecurityInterceptor and the meta data tags, but these wouldn't give me the externalization. I've been on Google for the last hour, and am now pretty sure this can't be done, but would love to find out I haven't been asking the right questions. Advice appreciated


  • is there a such thing as a randomly accessible pseudo-random number generator? (preferably open-sour

    - by lucid
    First off, is there a such thing as a random access random number generator, where you could not only sequentially generate random numbers as we're all used to, assuming rand100() always generates a value from 0-100:

        for (int i=0;i<5;i++) print rand100()
        output: 14 75 36 22 67

    but also randomly access any random value like:

        rand100(0) would output 14 as long as you didn't change the seed
        rand100(3) would always output 22
        rand100(4) would always output 67

    and so on... I've actually found an open-source generator algorithm that does this, but you cannot change the seed. I know that pseudorandomness is a complex field; I wouldn't know how to alter it to add that functionality. Is there a seedable random access random number generator, preferably open source? Or is there a better term for this I can google for more information? If not, part 2 of my question would be, is there any reliably random open source conventional seedable pseudorandom number generator so I could port it to multiple platforms/languages while retaining a consistent sequence of values for each platform for any given seed?


  • Code completion in NetBeans' python plugin does not work properly

    - by T.K.
    I am asking on StackOverflow because surely I am doing something completely silly and I hope S.O. might provide me with a quick answer. I've installed the latest stable Python-plugin for NetBeans. It works great, and I tested code completion with various packages such as sys, os and so on. It works beautifully. However, it does not seem to pick up the code completion for the code in my own project. I created a package called mypackage (it has __init__.py as well), and in it I have a module called mymodule.py. Inside mymodule I've put a class called MyClass, complete with doc-strings and all. Please refer to this screenshot to describe what happens in code-completion: As you see, it's suggesting irrelevant things, as opposed to just MyClass. (Note that if I execute mymodule.MyClass() it works 100%, it's just that I would really like code completion on my own code) Hope I'm just doing something silly here... Any ideas?

