Search Results

Search found 30932 results on 1238 pages for 'rogue security software'.


  • How to keep a big and complex software product maintainable over the years?

    - by chrmue
    I have been working as a software developer for many years now. It has been my experience that projects get more complex and unmaintainable as more developers get involved in the development of the product. It seems that software at a certain stage of development has the tendency to get "hackier" and "hackier" especially when none of the team members that defined the architecture work at the company any more. I find it frustrating that a developer who has to change something has a hard time getting the big picture of the architecture. Therefore, there is a tendency to fix problems or make changes in a way that works against the original architecture. The result is code that gets more and more complex and even harder to understand. Is there any helpful advice on how to keep source code really maintainable over the years?

  • Why is JavaScript not used for classical application development (compiled software)?

    - by Jose Faeti
    During my years of web development with JavaScript, I have come to the conclusion that it's an incredibly powerful language, and you can do amazing things with it. It offers a rich set of features, like:
      - Dynamic typing
      - First-class functions
      - Nested functions
      - Closures
      - Functions as methods
      - Functions as Object constructors
      - Prototype-based
      - Objects-based (almost everything is an object)
      - Regex
      - Array and Object literals
    It seems to me that almost everything can be achieved with this kind of language; you can also emulate OO programming, since it provides great freedom and many different coding styles. With more software-oriented custom functionalities (I/O, FileSystem, Input devices, etc.) I think it will be great to develop applications with. Though, as far as I know, it's only used in web development or in existing software as a scripting language only. Only recently, maybe thanks to the V8 Engine, has it been used more for other kinds of tasks (see node.js for example). Why until now has it been relegated only to web development? What is keeping it away from software development?

  • When do you trust the data / variables

    - by Wizzard
    We all know that all user data, GET/POST/Cookie etc. needs to be validated for security. But when do you stop, once it's converted into a local variable? e.g.

        if (isValidxxx($_GET['foo']) == false) {
            throw new InvalidArgumentException('Please enter a valid foo!');
        }
        $foo = $_GET['foo'];
        fooProcessor($foo);

        function fooProcessor($foo) {
            if (isValidxxx($foo) == false) {
                throw Invalid......
            }
            // other stuff
        }

    To me that's over the top. But what if you load the value from the database... I hope I make sense :)

  • Are there cross-platform tools to write XSS attacks directly to the database?

    - by Joachim Sauer
    I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications. I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development). Is anyone aware of a similar tool? Preferably it should be:
      - cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
      - open source (I really like being able to audit my security tools)
      - able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

  • IIS reveals internal IP address in content-location field - fix

    - by saille
    Referring: http://support.microsoft.com/kb/q218180/, there is a known issue in IIS4/5/6 whereby it will reveal the internal IP of a web server in the content-location field of the HTTP header. We have IIS 6. I have tried the fix suggested, but it has not worked. The website is configured to send all requests to ASP.NET, and I am wondering if this is why the fix, which addresses IIS configuration, has not worked for us. If this is the case, how would we fix this in ASP.NET? We need to fix this issue in order to pass a security audit.

  • Copyrighting software, templates, etc. under real name or screen name?

    - by Abluescarab
    My question is hopefully simple--should I copyright my work (art, software, web design, etc.) under my real name or my screen name? My real name and screen name are also easily connected with a bit of searching, so does it really matter in the end? I'm not a professional (at this point). I read this article: Is it a bad idea to sell Android apps in the Android Market under your real name? and they recommended releasing on the app market under a company name. I also read this article: On what name should I claim copyright in open source software?, but that didn't answer my question. I know it probably matters for big projects, but for little projects, does it matter? Thanks ahead of time!

  • How to make an Asp.net MVC 2 website have a Private Beta Mode.

    - by Mark Kitz
    I am creating an ASP.NET MVC website that I am launching soon in private beta. What I am using:
      - ASP.NET MVC 2
      - ASP.NET SQL Membership Provider
      - Authorization Attributes on ActionMethods, e.g. [EditorsOnly]
    What I am trying to accomplish: During the private beta period of my website, I want no anonymous users to access my site. Only beta testers of my site should be able to log in and use my site as normal. After the private beta period people can access it using the security structure I already have set up. I am hoping I do not have to recompile but can have a setting in the web.config to switch between Private Beta mode and Normal mode. Thanks for your suggestions.

  • Listing technologies on a resume for a software position when your background is game programming?

    - by Ford
    So I'm thinking about applying for an entry-level position in the software industry, but my limited work experience and all my notable experience in college is with game technologies. Sure, the languages transfer over well, but most of the technologies I have experience with are all related to graphics programming, engines of various types, and such, and do not transfer over at all. I feel like it would be inappropriate to just take my game programming resume and basically replace the word "game" with "software" for the reasons mentioned, but on the other hand if I take them out I will only have languages and some technologies that I have some small passing experience with, which will obviously not reflect well on me. Should I leave them out or put them in, and if so how can I spin them to be appropriate?

  • Is php fileinfo sufficient to prevent upload of malicious files?

    - by Scarface
    Hey guys, I have searched around a bit, and have not really found a professional type response to how to have secure file upload capability, so I wanted to get the opinion of some of the experts on this site. I am currently allowing upload of mp3s and images, and while I am pretty confident in preventing XSS and injection attacks on my site, I am not really familiar with file upload security. I basically just use php fileinfo and check an array of accepted filetypes against the filetype. For images, there is the getimagesize function and some additional checks. As far as storing them, I just have a folder within my directory, because I want the users to be able to use the files. If anyone could give me some tips I would really appreciate it.

  • Detect IE setting: check for newer versions of stored pages "never"

    - by xx
    I understand there isn't a way to interrogate a user's IE settings directly due to security reasons, but is there a way to derive this answer with some other mechanism? I would like to stop a user from using my site if the setting "Check for newer versions of stored pages" is set to "Never". Any suggestions? Is there a way I could test for this using javascript? An example of what I am trying to accomplish is this: While it is not possible to check IE settings to see if you are running a popup blocker, there is a way to "test" for a popup blocker via javascript. I am looking for something similar but for the cache setting, not the popup blocker.

  • Websphere exception handling

    - by Benjamin
    Hi all, from a security standpoint, what is the best solution to handle application errors with WebSphere? I've been thinking of creating a class that is called every time an application error is generated, log the error and display a generic error message to the users. In PHP this can be achieved using the set_exception_handler() function. Is there something similar for WebSphere that could be configured in the web.xml? I've found code like this on the internet:

        <error-page>
            <error-code>500</error-code>
            <location>/servlet/ExceptionHandlerServlet</location>
        </error-page>

    But that would only work with "500" HTTP error codes. I really want something generic that catches everything. Something like a class that implements a certain interface which can have access to all information about the error. Thanks for your time.

  • Secure database connection. DAL .net architecture best practice

    - by Andrew Florko
    We have several applications that are installed in several departments that interact with the database via Intranet. Users tend to use weak passwords or store login/password written on sheets of paper where everybody can see them. I'm worried about login/password leakage and want to minimize consequences. Minimizing database-server attack surface by hiding the database server from Intranet access would be a great idea also. I'm thinking about intermediary data access service method-based security. It seems more flexible than table-based or connection-based database-server security. This approach also allows hiding the database server from the public Intranet. What kind of .net technologies and best practices would you suggest? Thank you in advance!

  • Sanitizing CSS in Rails

    - by Erik
    Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up many security risks, i.e. background: url('javascript:alert("Got your cookies! " + document.cookies)'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my question is if anyone knows of a gem or a plugin that handles this? I've googled my brains out already so any tips would be really appreciated!

  • What steps should be taken to make sure your software is usable by disabled people?

    - by Cromulent
    I want to make sure a piece of software I am writing is usable by people with various disabilities such as blindness and an inability to use a mouse and / or keyboard. Unfortunately I have no experience with things such as screen readers or other methods that disabled people use to make using a computer easier / possible. I've never really had much experience with disabilities at all and unfortunately I don't know any disabled people who I can ask. I was wondering what other people do to make sure that their software is available to a wide range of people with varying abilities? This seems to be a subject matter that is often ignored by developers and I think it is a real shame.

  • How do I tell which account is trying to access an ASP.NET web service?

    - by Andrew Lewis
    I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?

  • How can a new programmer impress the software engineer (boss)? [closed]

    - by Pablo
    Note 1/8/2011: As of this Monday, I'm the new software engineer. Turns out I did not impress the S.E., but ended impressing the CEO. See Joel, not everyone has to leave their Honda idling in front of the airport. =) Ashton, this one is for you buddy. Hi, I'm working at my first programming job. My boss is a very smart software engineer, and I feel like I have very little to offer compared to him. Problem is, he is always busy, and needs someone to help him out. I feel like I'm not good enough, but I still want to succeed. I want to be a great programmer. What can I do to impress him? Thank you.

  • Reliably detect caller domain over cURL request?

    - by Utkanos
    OK so server-side security is not my forte. Basically, I'm building a service which users may use (via an SDK) only on the domain they stipulated when they signed up. The SDK calls my web service over cURL in PHP. Would I be right in thinking I cannot reliably detect the caller domain, i.e. enforce that it is the same domain they stipulated when signing up? cURL of course sends this over headers, but headers can always (?) be faked. Is there a better course of action to enforce domain for this sort of thing? (NB I'm already using an API key, too - it's just I wanted to restrict domain, too) Thanks in advance

  • Accepting bank account information in a form

    - by jeffthink
    What security concerns are there when accepting a user's bank account information (account number and routing number) via a form on a page that is using SSL, and posting it back to the server where I then curl off a HTTPS request to send that information to an ACH service like First ACH or ACH Direct via their API? We wouldn't be saving the bank account information in our database. I know another option is to use Paypal's Mass Pay API, but they think it's unprofessional (at least for their business) to require customers to have a paypal account to get paid. Thoughts?

  • session is lost after successful login?

    - by sword101
    Greetings all, I'm using Spring Security 3.0.2; all the application pages are secured, so to see them you must be authenticated. I'm using the HTTPS protocol. I have a strange problem: after a successful login and getting to the requested page, when I try to open any link to other pages in the application the session is invalidated or lost (or what happened I don't know) and the user becomes anonymous and is redirected to the login page. I got this from debugging: No HttpSession currently exists No SecurityContext was available from the HttpSession: null. A new one will be created. After reviewing the code many times, nothing in the code is invalidating the session. Any ideas why something like this might happen?

  • How to deal with "software end-of-life" situations?

    - by rwong
    When a vendor declares that they no longer intend to provide any support or services to a piece of software (and stated the intent to exit the business - offering no upgrade paths), and stated that customers must pay a nominal fee in order to have the existing data exported, what kind of recourse do programmers/customers have? Things I can think of:
      - Need to purchase spare hardware and set up a spare environment on which the software can continue to operate.
      - Various data export methods which do not require vendor involvement. (For example, screen scraping, printing to image followed by re-scanning, etc)
      - Parallel systems where staff will duplicate the old data into a new system manually or semi-automatically
      - Legal means, in case the vendor is in financial trouble
    Any other ideas? Assuming that there is no "circumvention" involved (no DRM, no DMCA), is data recovery or reverse engineering legal/acceptable?

  • What software programming languages were used by the Soviet Union's space program?

    - by shamp00
    I got interested in the Soviet space program and was interested to discover that the software on the Buran spacecraft circa 1988 was written in Prolog. Does anyone know what languages might have been used in earlier missions, especially the Mars PrOP-M rover missions of the early 1970s which were somewhat autonomous and could navigate obstacles? Edit My source for the Buran Prolog is this declassified document from the CIA site from May 1990. I couldn't find an OCR version, so here's the relevant quote from p. 0449: According to open-source literature, the Soviets used the French-developed programming language known as Prolog to develop on-board system software for the Buran vehicle...

  • php Form to Email sanitizing

    - by Jacob
    Hi, I'm using the following to send a "contact us" type form. I've looked into security and only found that you need to protect the From: bit of the mail function; as I've hardcoded this, does that mean the script is spamproof / un-hijackable?

        $tenantname = $_POST['tenan'];
        $tenancyaddress = $_POST['tenancy'];
        $alternativename = $_POST['alternativ
        //and a few more
        //then striptags on each variable
        $to = "[email protected]";
        $subject = "hardcoded subject here";
        $message = "$tenantname etc rest of posted data";
        $from = "[email protected]";
        $headers = "From: $from";
        mail($to,$subject,$message,$headers);

  • 12.04 Software "RAID 0" on desktop replacement, 2 HDD?

    - by gregzeng
    Hardware: HP Pavilion DV7 notebook: 8GB DDR3, 2x 750GB SATA2 HDD, I7 c+ Radeon GPU, eSATA, Bluray, etc. Currently multiboot with Win7-64 + choice of 5 'buntu-64. Prefer Xubuntu-64-alternate, but not able to install software RAID-0 at the last active partition on both HDDs. Tried many types: real boot partition, etc. All my Linux op sys boot successfully from the extended partitions on both drives, but without RAID of any kind. Theory - yes. But has anyone really succeeded with 12.04 software RAID-0?

  • Disadvantages of hard coding credentials? What's the resolution?

    - by SeeBees
    I am building a SharePoint web part that will be used by all users. The web part connects to a web service which needs credentials with higher privileges than common users. I hard coded credentials in the web part's code:

        query.Credentials = new System.Net.NetworkCredential("username", "password", "domain");

    query is an instance of the web service class. This may not be a good approach. In regard to security, source code of the web part is available to people who are not allowed to see the credential. This is bad enough, but is there any other drawback of this approach? How to prevent hard coding credentials into the source code? Thanks

  • Is there a formal name for gradually activating software changes?

    - by g .
    At times when we develop new features or functionality, we gradually "turn it on" to ensure a smooth transition and minimal impact for users. Instead of one big sudden change, we are able to control with the configuration aspects of the functionality that make it more or less intrusive to the user. This is all done in the same release/version of the software, so no software development changes are required (unless bugs turn up that need to be fixed). For example, initially we may only perform logging or analysis of data without acting upon it. Or we make something optional for a period of time before it becomes compulsory. The idea is that this reduces the potential for problems either on the technical side as well as unexpected changes by the user. The question is, is there a formal name for this approach?