What does it mean to trust the cloud? More than access controls, encryption, and firewalls, it means that cloud success requires accountability and visibility.
pac4j is a full security library, easy and powerful, which supports authentication and authorization, but also application logout and advanced features like CSRF protection.
On the heels of the Kinesis Firehose announcement, more people are going to be looking to integrate Kinesis with logging systems. Here is one take on solving that problem that integrates syslog-ng with Kinesis.
By default, sources of a dependency are downloaded and added to a project, but not Javadoc sources. Gradle can use IntelliJ IDEA and Eclipse project files to download them.
I am going to explain how to use Spring Security in a Spring MVC Application to authenticate and authorize users against user details stored in a MySQL Database.
Introduction Here in this article we are trying to discuss about the finding reference object within stored procedure and also finding the calling procedure references. Hope you like it and it will be informative. What We Want Developers are writing several stored procedure almost every day. Sometimes developers need to know about the information such as what object is used within the stored procedure or from where (SP) the specified stored procedure call. This is the vital information for the developer before working on a particular stored procedure. Here we are representing a pictorial diagram to understand the nature of implementation. Now we have to answer some question 1. What are the DB Object used in Stored Procedure1 and there type. 2. In case of Store Procedure3 which procedure calls the Store Procedure3 So we are not going to read the Stored Procedure to find the answer. Suppose the each procedure have more than 3000 line. How We Solve the Answer To solve the answer first we take the example and create an example scenario to understand it. -- Base Table CREATE TABLE T1 (EMPID INT, EMPNAME VARCHAR(50)); GO CREATE TABLE T2 (EMPID INT, EMPNAME VARCHAR(50)); GO --1 CREATE PROCEDURE [dbo].[Procedure1] AS BEGIN SELECT * FROM T1; SELECT * FROM T2; EXEC [dbo].[Procedure3]; END GO --2 CREATE PROCEDURE [dbo].[Procedure2] AS BEGIN EXEC [dbo].[Procedure3]; END GO --3 CREATE PROCEDURE [dbo].[Procedure3] AS BEGIN SELECT * FROM T1; END GO Now we are going to solve the question What are the DB Object used in Stored Procedure1 and there type. sp_depends Procedure1 In case of Store Procedure3 which procedure calls the Store Procedure3 SELECT OBJECT_NAME(id) AS [Calling SP] FROM syscomments WHERE [text] LIKE '%Procedure3%' GROUP BY OBJECT_NAME(id); Hope you like it.
LANDESK One Partnership Brings WinMagic's Encryption and Intelligent Key Management Solution, SecureDoc, to LANDESK Customers LONDON - 01 July, 2015 - LANDESK today announced it has certified and is now reselling WinMagic's suite of SecureDoc products as part of its LANDESK One Partner program. The integration between LANDESK Management Suite and WinMagic SecureDoc brings the encryption status of the organisation's devices into the LANDESK management database. Given the seemingly endless news of high-profile data theft, LANDESK's relationship with WinMagic, the global innovator in key management and full disk encryption, bolsters the LANDESK security management software portfolio by allowing customers to protect data at rest. This partnership allows system administrators and security professionals to utilise a single tool for querying and reporting on encryption status alongside any other hardware or software attribute, streamlining the visibility necessary to ensure the safety and security of the organisation's assets. "The partnership between LANDESK and WinMagic allows LANDESK customers to better utilize WinMagic's world-class encryption capabilities," said Steve Workman, vice president of strategy at LANDESK. "WinMagic's SecureDoc broadens and enriches LANDESK's security portfolio, giving users the peace of mind so they can do what they do best. WinMagic's approach to full disk encryption (FDE) was a main impetus for our partnership." WinMagic's SecureDoc encrypts data on various devices, closely manages encryption keys and enables seamless user authentication and data access, so encryption does not inhibit productivity. SecureDoc protects data on the endpoint, where the data is created, regardless of the device or platform where it's accessed or saved. By deploying WinMagic's SecureDoc as LANDESK's recommended FDE vendor and integrating SecureDoc reporting into the LANDESK console, LANDESK customers receive the following: Encryption transparency. SecureDoc reports on which devices are encrypted as part of LANDESK's comprehensive compliance reporting features, aiding in regulatory compliance. A single console view. This view that encompasses all endpoint security and encryption across all devices and all operating systems. It does all of this with transparent intelligent key management, allowing users to gain deep insight into their security. FDE technology. Being application-aware, WinMagic solutions not only manage the keys but also the related policy and configuration for endpoint encryption. A predefined integration between the companies' products has been certified and is immediately available to LANDESK customers who use WinMagic. LANDESK customers who do not have WinMagic can now contact their LANDESK representative to begin evaluating how WinMagic can improve their security. "LANDESK and WinMagic agree that managing security at the endpoint is vital to protecting sensitive data and ensuring compliance, and WinMagic's offering integrates seamlessly into LANDESK's suite of solutions," said Mark Hickman, COO of WinMagic. "With this partnership, WinMagic has earned the endorsement of LANDESK, a systems and security management software company trusted by numerous companies in many industries. It's a testament to the proven and widely deployed WinMagic solution." LANDESK One Partners provide solution integrations that support the LANDESK vision of user-centered service management and help customers tackle their most pressing issues and gain maximum value from their technology investments. For more information visit: www.landesk.com/partners/landesk-one.
introduction to explain why you have to use parameterized query to avoid sql injection over concatenated inline query it needs to know about sql injection. what does sql injection mean? it means when any end user send some invalid inputs to perform any crud operation or forcibly execute the wrong query into the database, those can be harmful for the database. harmful means ‘data loss’ or ‘get the data with invalid inputs. to know more, follow the below steps. step 1: create a table named ‘login’ in any database. create table user_login ( userid varchar(20), pwd varchar(20) ) now save some user credentials into the database for login purpose and select the table. insert into user_login values('rahul','bansal@123') insert into user_login values('bansal','rahul@123') step 2: create a website named ‘website1’. now i will create a login page named ‘default.aspx’ to validate the credentials from the ‘login’ table and if user is valid then redirect to it to the next page named ‘home.aspx’. add 2 textboxes for userid & password respectively and a button for login. add 2 namespaces in the .cs file of the ‘default.aspx’. using system.data.sqlclient; using system.data; now add the following code to validate the credentials from the database on click event of login button. protected void btn_login_click(object sender, eventargs e) { string constr = system.configuration.configurationmanager.connectionstrings["constr"].connectionstring; sqlconnection con = new sqlconnection(constr); string sql = "select count(userid) from user_login where userid='" + txtuserid.text + "' and pwd='" + txtpwd.text + "'"; sqlcommand cmd = new sqlcommand(sql, con); con.open(); object res = cmd.executescalar(); con.close(); if (convert.toint32(res) > 0) response.redirect("home.aspx"); else { response.write("invalid credentials"); return; } } add a new page named ‘home.aspx’. where any valid user will get welcome message. step 3: now run the ‘default’ page and log in with valid credentials. it will redirect to next page ‘home.aspx’ for valid user. note: here i have not used the textmode="password" property in password textbox to show the password. i have not used any input validations to explain my example. problem: now i will perform the sql injection with some invalid credentials with successful query execution and after that i will redirect to the next page ‘home.aspx’ as a valid user. i will enter a string in both textboxes like the following: ‘ or ‘1’=’1 now run the page and login with above string in both textboxes. it will redirect to next page name ‘home.aspx’ for valid user. see what happened. this is called sql injection in the hacking world. reason: it happened just because of the string and after filling this string in both textboxes orur sql query became like the following: select count(userid) from user_login where userid='' or '1'='1' and pwd='' or '1'='1' which will give the userid count and that is 2 in the table because 2 users are in ‘user_login’ table. it can be used in more ways like just fill the following string only in user id textbox and you will go the next page as valid user. or 1=1 - - and it will also give users count 2 because sqlquery will become like the following: select count(userid) from user_login where userid='' or 1=1 --' and pwd='' or '1'='1' note: the sign -- are for commenting the preceding text in sql. it can be more harmful or dangerous when the invalid user/hacker executes a script to drop all tables in the database or drop whole database. solution: to resolve this issue you have to do 2 things: always use parameterized query. input validations on client and server both side. sometimes if your input validation fail, then parameterized will not execute any scripted value. let’s see the example. protected void btn_login_click(object sender, eventargs e) { string constr = system.configuration.configurationmanager.connectionstrings["constr"].connectionstring; sqlconnection con = new sqlconnection(constr); string sql = "select count(userid) from user_login where userid=@userid and pwd=@pwd"; sqlcommand cmd = new sqlcommand(sql, con); sqlparameter[] param = new sqlparameter[2]; param[0] = new sqlparameter("@userid", txtuserid.text); param[1] = new sqlparameter("@pwd", txtpwd.text); cmd.parameters.add(param[0]); cmd.parameters.add(param[1]); con.open(); object res = cmd.executescalar(); con.close(); if (convert.toint32(res) > 0) response.redirect("home.aspx"); else { response.write("invalid credentials"); return; } } now if i run the page and try to login with sql scripts as done earlier. with ‘ or ‘1’=’1 with ' or 1=1 - - as you have seen parameterized didn’t execute the sql script but why? reason: the reason behind this the parameterized query would not be vulnerable and would instead look for a user id or password which literally matched the entire string. in other words ‘the sql engine checks each parameter to ensure that it is correct for its column and are treated literally, and not as part of the sql to be executed’. conclusion: always use parameterized query and input validations on client and server both side.
CORE
