Microsoft Access 2010 and ODBC Connection string security

I am using Microsoft Access 2010 with unbound forms. No linked tables allowed, otherwise the connection string is stored in the table definitions. So it follows that we will use a query definition with no name to access SQL Server. This is recommended by Microsoft. We need to get the connection string from somewhere though. So it is recommended to return it from a method with an obfuscated name. It is recommended not to embed the connection string in plain text in the application source. So we use encryption. A good way of doing this is to requi...

security - user and row level logging in ms access 2010

I recently developed an MS Access 2010 database and I want to add functionality that tracks the activity of each user. It occurs to me that I can create an Activity table and then add code to each form which adds a row to the Activity table whenever a user creates, views, edits, or deletes a record in the database. But how do I do the following: 1.) Identify a specific user: Is there a User object so that calling something like User.getName() returns "JaneDoe" or "SallySmith" and I can thus store history for that specific user in t...

security - SSO with CAS or OAuth?

I wonder if I should use the CAS protocol or OAuth + some authentication provider for single sign-on. Example scenario: A user tries to access a protected resource, but is not authenticated. The application redirects the user to the SSO server. If being authenticated, the user gets a token from the SSO server. The SSO redirects to the original application. The original application checks the token against the SSO server. If the token is OK, access will be allowed and the application knows the user id. The user performs a log-out and is logged out fr...

security - How to securely provide private SSL keys to Cloud Foundry apps?

I have an app that I want to run in Cloud Foundry (specifically, in IBM Bluemix). This app will call out to a number of third-party services/APIs, most of which are not managed via CF services. One of these APIs requires my app to use an SSL key to authenticate, so my app needs access to a private SSL key. My app is deployed from an automated pipeline (specifically, IBM Bluemix DevOps Pipelines) based off of source from a GitHub repo and some small scripts saved in the pipeline config. It seems like a bad idea to keep the private key file in the ...

security - Managing opened ports and ASGs in pivotal

I need to leave only several ports open (e.g. 80 and 443). I've read about ASGs and created a JSON file with rules. But when I try to create the ASG through the terminal, it says: Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action. When I tried to find a solution, some sources said that I need to do it in the web console, but I don't have such menu items. The questions are: how can I manage ASGs? Do ASGs allow me to fully control incoming and outgoing traffic?...

security - Disable browser 'Save Password' functionality

One of the joys of working for a government healthcare agency is having to deal with all of the paranoia around dealing with PHI (Protected Health Information). Don't get me wrong, I'm all for doing everything possible to protect people's personal information (health, financial, surfing habits, etc.), but sometimes people get a little too jumpy. Case in point: One of our state customers recently found out that the browser provides the handy feature to save your password. We all know that it has been there for a while and is completely optional a...

security - Impact of AWS Account Identifiers

I'm using Amazon's tools to build a web app. I'm very happy with them, but I have a security concern. Right now, I'm using multiple EC2 instances, S3, SimpleDB and SQS. In order to authenticate requests to the different services, you include your Access Identifiers (login required). For example, to upload a file to S3 from an EC2 instance, your EC2 instance needs to have your Access Key ID and your Secret Access Key. That basically means your username and password need to be in your instances. If one of my instances were to be compromised, all of ...

security - Apigee for internal microservices

Recently I split a big monolithic enterprise application into a bunch of microservices in CloudFoundry, that will feed Spark etc... Just one of them is on the edge and communicates with a service exposed externally. At this stage, we've been asked to add an additional security layer with Apigee. Unfortunately at this stage we cannot use OAuth2 yet. My question is: should I use Apigee only on the edge, or should all the internal microservices leverage the Apigee API as well? My concern is about performance if each service calls the Apigee proxy....

security - Keycloak - Chain User Federation Providers together

I currently have an LDAP user federation provider and a custom UserStorageProvider SPI I wrote to look into my SQL Server DB for user groups. To fully log in I need to pass back the user groups to the application, so they are part of the claims in the KeycloakSecurityContext token string. Right now either my custom SPI validates or the LDAP provider validates, depending on the priority number I specify. Is there a way to force Keycloak to validate first using the LDAP provider and then also execute the custom provider?...

security - Option for Securing docker socket

Objective: Understand the options to secure the docker.sock.
Background: As in those articles, giving access to docker.sock is a risk: "Don't expose the Docker socket (not even to a container)" and "Access Docker socket within container". However, there could be cases where we need to deploy a pod which needs to talk to the Docker daemon via the socket for monitoring or controlling. For example Datadog, which mounts the socket via a hostPath mount.
Options: OpenShift requires an explicit grant of an SCC, e.g. hostaccess, to the service account which runs the pod for the pod...

security - ARM TrustZone, connecting peripherals?

I'm currently doing some research about ARM's TrustZone, e.g. here: ARM Information Center. As far as I understand, with TrustZone a secure environment based on the AMBA AXI bus can be created. On the ARM website it says: "This concept of secure and non-secure worlds extends beyond the processor to encompass memory, software, bus transactions, interrupts and peripherals within an SoC." I read that peripherals can be connected to TrustZone via the NonSecure bit of the AMBA AXI bus (the extra signal is used to differentiate between trusted and non-t...

security - Snort+Barnyard with Graylog

I have installed Snort and Barnyard2 following this guide. I was about to install BASE, but it requires PHP5 and it's no longer supported. I have PHP7 installed and cannot downgrade it. After a bit of lurking I decided to use Graylog2 to view the logs. Snort is configured to log in unified2 format, then Barnyard2 reads that and saves it to a MySQL database. As far as I understood (not much), logging to MySQL is pointless without BASE and I need to forward the logs to Graylog. Now, should I 1) Remove Barnyard and tell Snort to log in human-readable format...

security - Why is it vulnerable to bind docker daemon to 0.0.0.0?

Recently I was getting an error in my Docker GitLab CI container:
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
I found this thread where one post suggests:
sudo service docker stop && sudo nohup docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock &
Eventually I got an abuse warning from my server host that my box was port scanning all over port 2375. I found an instance of https://hub.docker.com/r/kannix/monero-miner/, killed it ten times and eventually rebooted, and it has not returned since....