| Groups | Blog | Home |
asp.net building controls : Security - Best Encryption Tool
I need to store the credit card information in my database. I have been looking for some third party tools which could provide encryption for credit card numbers. The help I need is: a) What is the most secure encryption tool that can be used to store credit card information? b) Any tool which implements AES and does not expect a private key to be supplied as shown in the sample application provided by Microsoft. But in this case customize tool needs to be provided as anybody can buy the tool and decrypt the information. c) What is the best way to secure a private key used by the algorithm like storing in RAM, registry, isolated storage etc? And how to implement it. d) If some code implementation, which allows encrypting securely is available. The client is ready to invest in Third Party Tool. I short listed two third party .Net components for encryption: Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) ezCrypto .NET (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Encryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS=1&bhcp=1 ) Both the above are c# implemented tools and implement AES algorithm. But the problem is both ask for private key to be supplied. And I need to store the private key in a secure manner. The work round I decided was to use the dll provided by the tool. Write some login to generate dynamically private key for each of the registered users based on his profile. Store this logic in a dll and some how secure this logic, so that no body is able to access it. But how to secure the logic is a concern, as dll can also be hacked to view its contents. One option I was looking at was to use isolated storage as provided by ..Net. But I'm not sure can we store and access a dll using isolated storage. It would be great if somebody can help me with the above problem. Regards
Guarav,
If you go with Olaf's suggestion (deriving encryption key from the user's password hash), make sure that the password is protected within a session (I assume that the user does not enter password on the page which uses the credit card number). Also, take a look at CipherSafe.NET (http://www.obviex.com/ciphersafe/); it can give you some ideas. Alek [quoted text, click to view] "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Encnews:dc575aed.0406010641.4d6cda4b@posting.google.com... > Hi > > I need to store the credit card information in my database. I have > been looking for some third party tools which could provide encryption > for credit card numbers. > > The help I need is: > > a) What is the most secure encryption tool that can be used to store > credit card information? > > b) Any tool which implements AES and does not expect a private key to > be supplied as shown in the sample application provided by > Microsoft. But in this case customize tool needs to be provided as > anybody can buy the tool and decrypt the information. > > c) What is the best way to secure a private key used by the > algorithm like storing in RAM, registry, isolated storage etc? And > how to implement it. > > d) If some code implementation, which allows encrypting securely > is available. > > > The client is ready to invest in Third Party Tool. > I short listed two third party .Net components for encryption: > > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) > > ezCrypto .NET ryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS= 1&bhcp=1 [quoted text, click to view] > ) > > > Both the above are c# implemented tools and implement AES algorithm. > > But the problem is both ask for private key to be supplied. And I need > to store the private key in a secure manner. > > > The work round I decided was to use the dll provided by the tool. > Write some login to generate dynamically private key for each of the > registered users based on his profile. Store this logic in a dll and > some how secure this logic, so that no body is able to access it. But > how to secure the logic is a concern, as dll can also be hacked to > view its contents. > > One option I was looking at was to use isolated storage as provided by > .Net. > But I'm not sure can we store and access a dll using isolated storage. > > > It would be great if somebody can help me with the above problem. > > Regards > Gaurav
By the way, the only problem you need to solve is protection of encryption
key (keys). If you can do it in a safe manner, all other issues should not be a problem, since .NET Framework provides reasonably good and easy to use cryptographic classes (at least, the ones you seem to need) and there are tons of examples about encryption and decryption in C# and VB.NET on the Web. So just make sure that you encryption key (keys) is (are) safe, and use standard Rijndael/AES encryption. Also give your customers an option not to save their credit card numbers, if they do not want to. Alek [quoted text, click to view] "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message news:%23jVBIx$REHA.2520@TK2MSFTNGP11.phx.gbl... > Guarav, > > If you go with Olaf's suggestion (deriving encryption key from the user's > password hash), make sure that the password is protected within a session (I > assume that the user does not enter password on the page which uses the > credit card number). Also, take a look at CipherSafe.NET > (http://www.obviex.com/ciphersafe/); it can give you some ideas. > > Alek > > "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message > news:dc575aed.0406010641.4d6cda4b@posting.google.com... > > Hi > > > > I need to store the credit card information in my database. I have > > been looking for some third party tools which could provide encryption > > for credit card numbers. > > > > The help I need is: > > > > a) What is the most secure encryption tool that can be used to store > > credit card information? > > > > b) Any tool which implements AES and does not expect a private key to > > be supplied as shown in the sample application provided by > > Microsoft. But in this case customize tool needs to be provided as > > anybody can buy the tool and decrypt the information. > > > > c) What is the best way to secure a private key used by the > > algorithm like storing in RAM, registry, isolated storage etc? And > > how to implement it. > > > > d) If some code implementation, which allows encrypting securely > > is available. > > > > > > The client is ready to invest in Third Party Tool. > > I short listed two third party .Net components for encryption: > > > > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) > > > > ezCrypto .NET > (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Enc > ryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS= > 1&bhcp=1 > > ) > > > > > > Both the above are c# implemented tools and implement AES algorithm. > > > > But the problem is both ask for private key to be supplied. And I need > > to store the private key in a secure manner. > > > > > > The work round I decided was to use the dll provided by the tool. > > Write some login to generate dynamically private key for each of the > > registered users based on his profile. Store this logic in a dll and > > some how secure this logic, so that no body is able to access it. But > > how to secure the logic is a concern, as dll can also be hacked to > > view its contents. > > > > One option I was looking at was to use isolated storage as provided by > > .Net. > > But I'm not sure can we store and access a dll using isolated storage. > > > > > > It would be great if somebody can help me with the above problem. > > > > Regards > > Gaurav > >
Svein,
DPAPI with user store cannot be used from an ASP.NET application unless you want to implement the encryption architecture using enterprise services (as described in the document you reference). In addition to being a somewhat hassle-prone, this approach posses other challenges, like authorization and performance. If you use DPAPI encryption with machine store and your machine crashes (or you move the application to a different machine, or run it on a server farm, or [fill in the blank]) you will not be able to decrypt data. This is in addition to the risk factor that any application running on the same (original) machine will be able to decrypt data. These are just the most obvious problems associated with DPAPI in this scenario. The bottom line is that while DPAPI can be the best choice in some case, it is clearly not a good option for encrypting data stored in databases (such as credit card numbers). That is unless you do not mind not being able to decrypt data. Alek [quoted text, click to view] "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message news:%23pHQpmASEHA.1936@TK2MSFTNGP10.phx.gbl... > Why not use DPAPI? > > This article describes how to create a DPAPI ibrary: > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp > > If you use the User store, then only the user that encrypted the data can > decrypt it on the same machine: > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp > > If you use the Machine store, then the encrypted data can only be decryped > on the same server: > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp > > Sincerely > Svein Terje Gaup > > "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message > news:dc575aed.0406010641.4d6cda4b@posting.google.com... > > Hi > > > > I need to store the credit card information in my database. I have > > been looking for some third party tools which could provide encryption > > for credit card numbers. > > > > The help I need is: > > > > a) What is the most secure encryption tool that can be used to store > > credit card information? > > > > b) Any tool which implements AES and does not expect a private key to > > be supplied as shown in the sample application provided by > > Microsoft. But in this case customize tool needs to be provided as > > anybody can buy the tool and decrypt the information. > > > > c) What is the best way to secure a private key used by the > > algorithm like storing in RAM, registry, isolated storage etc? And > > how to implement it. > > > > d) If some code implementation, which allows encrypting securely > > is available. > > > > > > The client is ready to invest in Third Party Tool. > > I short listed two third party .Net components for encryption: > > > > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) > > > > ezCrypto .NET > (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Enc > ryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS= > 1&bhcp=1 > > ) > > > > > > Both the above are c# implemented tools and implement AES algorithm. > > > > But the problem is both ask for private key to be supplied. And I need > > to store the private key in a secure manner. > > > > > > The work round I decided was to use the dll provided by the tool. > > Write some login to generate dynamically private key for each of the > > registered users based on his profile. Store this logic in a dll and > > some how secure this logic, so that no body is able to access it. But > > how to secure the logic is a concern, as dll can also be hacked to > > view its contents. > > > > One option I was looking at was to use isolated storage as provided by > > .Net. > > But I'm not sure can we store and access a dll using isolated storage. > > > > > > It would be great if somebody can help me with the above problem. > > > > Regards > > Gaurav > >
"gaurav khanna" <gaurav.khanna@wipro.com> schrieb im Newsbeitrag news:dc575aed.0406010641.4d6cda4b@posting.google.com... [quoted text, click to view] > The work round I decided was to use the dll provided by the tool. > Write some login to generate dynamically private key for each of the > registered users based on his profile. Store this logic in a dll and > some how secure this logic, so that no body is able to access it. But > how to secure the logic is a concern, as dll can also be hacked to > view its contents. You should use the Login-Password (PW) and do a SHA1(PW & SomeFixedKey). This SHA1-Value shouldn't made persistent, so it only exists in Memory and can be used as private Key for en-/decrypting CreditCard-Info. Changing the User-PW should be done with a transaction: 1. Show Dlg to get the old and the new PW (new PW twice). 2. Check, if NewPW1=NewPW2. 3. Check against your UserDatabase, that SHA1(OldPW)=CurrentPWInDataBase. 4. If succesful, then decrypt creditcard-info with SHA1(OldPW & SomeFixedKey) as the private key. 5. Encrypt creditcard-info with SHA1(NewPW & SomeFixedKey) as the private key. 6. Store the new PW and encrypted creditcard-info in the DataBase. 7. If no error inside transaction then commit else rollback. For secure encryption a simple RC4 should do it with a 160Bit (SHA1-hashed) Private Key. Sub ArcFour(B() As Byte, BK() As Byte) '16 MB/sec on PIII 1 GHz Dim i&, j&, k&, UB&, CC&, X As Byte, C(255) As Byte, T(255) As Byte On Error Resume Next UB = UBound(B): CC = UBound(BK) + 1 If Err Then Err.Clear: Exit Sub On Error GoTo 0 'Init Key-Arrays For i = 0 To 255: C(i) = i: T(i) = BK(i Mod CC): Next For i = 0 To 255 j = (j + C(i) + T(i)) Mod 256 X = C(i): C(i) = C(j): C(j) = X Next i 'Crypt i = 0: j = 0 For k = 0 To UB i = (i + 1) Mod 256: j = (j + C(i)) Mod 256 X = C(i): C(i) = C(j): C(j) = X B(k) = B(k) Xor C((CInt(C(i)) + C(j)) Mod 256) Next k End Sub usage then: Private Function EncryptCreditcardInfo$(CI as String, PK as String) Dim B() as Byte B=Strconv(SHA1HexString(CI) & CI, vbFromUnicode) ArcFour B, SHA1Bytes(PK) EncryptCreditcardInfo = StrConv(B, vbUnicode) End Function Private Function DecryptCreditcardInfo$(eCI as String, PK as String) Dim B() as Byte B=Strconv(eCI, vbFromUnicode) ArcFour B, SHA1Bytes(PK) DecryptCreditcardInfo = Mid$(StrConv(B, vbUnicode), 41) End Function Olaf
Why not use DPAPI?
This article describes how to create a DPAPI ibrary: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp If you use the User store, then only the user that encrypted the data can decrypt it on the same machine: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp If you use the Machine store, then the encrypted data can only be decryped on the same server: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp Sincerely Svein Terje Gaup [quoted text, click to view] "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Encnews:dc575aed.0406010641.4d6cda4b@posting.google.com... > Hi > > I need to store the credit card information in my database. I have > been looking for some third party tools which could provide encryption > for credit card numbers. > > The help I need is: > > a) What is the most secure encryption tool that can be used to store > credit card information? > > b) Any tool which implements AES and does not expect a private key to > be supplied as shown in the sample application provided by > Microsoft. But in this case customize tool needs to be provided as > anybody can buy the tool and decrypt the information. > > c) What is the best way to secure a private key used by the > algorithm like storing in RAM, registry, isolated storage etc? And > how to implement it. > > d) If some code implementation, which allows encrypting securely > is available. > > > The client is ready to invest in Third Party Tool. > I short listed two third party .Net components for encryption: > > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) > > ezCrypto .NET ryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS= 1&bhcp=1 [quoted text, click to view] > ) > > > Both the above are c# implemented tools and implement AES algorithm. > > But the problem is both ask for private key to be supplied. And I need > to store the private key in a secure manner. > > > The work round I decided was to use the dll provided by the tool. > Write some login to generate dynamically private key for each of the > registered users based on his profile. Store this logic in a dll and > some how secure this logic, so that no body is able to access it. But > how to secure the logic is a concern, as dll can also be hacked to > view its contents. > > One option I was looking at was to use isolated storage as provided by > .Net. > But I'm not sure can we store and access a dll using isolated storage. > > > It would be great if somebody can help me with the above problem. > > Regards > Gaurav
Alek, I see now that you are right, and I stand corrected.
Regards Svein Terje Gaup [quoted text, click to view] "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message news:uX9dnFBSEHA.2876@TK2MSFTNGP09.phx.gbl... > Svein, > > DPAPI with user store cannot be used from an ASP.NET application unless you > want to implement the encryption architecture using enterprise services (as > described in the document you reference). In addition to being a somewhat > hassle-prone, this approach posses other challenges, like authorization and > performance. If you use DPAPI encryption with machine store and your machine > crashes (or you move the application to a different machine, or run it on a > server farm, or [fill in the blank]) you will not be able to decrypt data. > This is in addition to the risk factor that any application running on the > same (original) machine will be able to decrypt data. These are just the > most obvious problems associated with DPAPI in this scenario. The bottom > line is that while DPAPI can be the best choice in some case, it is clearly > not a good option for encrypting data stored in databases (such as credit > card numbers). That is unless you do not mind not being able to decrypt > data. > > Alek > > "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message > news:%23pHQpmASEHA.1936@TK2MSFTNGP10.phx.gbl... > > Why not use DPAPI? > > > > This article describes how to create a DPAPI ibrary: > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp > > > > If you use the User store, then only the user that encrypted the data can > > decrypt it on the same machine: > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp > > > > If you use the Machine store, then the encrypted data can only be decryped > > on the same server: > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp > > > > Sincerely > > Svein Terje Gaup > > > > "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message > > news:dc575aed.0406010641.4d6cda4b@posting.google.com... > > > Hi > > > > > > I need to store the credit card information in my database. I have > > > been looking for some third party tools which could provide encryption > > > for credit card numbers. > > > > > > The help I need is: > > > > > > a) What is the most secure encryption tool that can be used to store > > > credit card information? > > > > > > b) Any tool which implements AES and does not expect a private key to > > > be supplied as shown in the sample application provided by > > > Microsoft. But in this case customize tool needs to be provided as > > > anybody can buy the tool and decrypt the information. > > > > > > c) What is the best way to secure a private key used by the > > > algorithm like storing in RAM, registry, isolated storage etc? And > > > how to implement it. > > > > > > d) If some code implementation, which allows encrypting securely > > > is available. > > > > > > > > > The client is ready to invest in Third Party Tool. > > > I short listed two third party .Net components for encryption: > > > > > > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp) > > > > > > ezCrypto .NET > > > (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Enc > > > ryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS= > > 1&bhcp=1 > > > ) > > > > > > > > > Both the above are c# implemented tools and implement AES algorithm. > > > > > > But the problem is both ask for private key to be supplied. And I need > > > to store the private key in a secure manner. > > > > > > > > > The work round I decided was to use the dll provided by the tool. > > > Write some login to generate dynamically private key for each of the > > > registered users based on his profile. Store this logic in a dll and > > > some how secure this logic, so that no body is able to access it. But > > > how to secure the logic is a concern, as dll can also be hacked to > > > view its contents. > > > > > > One option I was looking at was to use isolated storage as provided by > > > .Net. > > > But I'm not sure can we store and access a dll using isolated storage. > > > > > > > > > It would be great if somebody can help me with the above problem. > > > > > > Regards > > > Gaurav > > > > > >
[quoted text, click to view] "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message news:u1QY4SCSEHA.1256@TK2MSFTNGP09.phx.gbl... > Alek, I see now that you are right, and I stand corrected. > So it is safe to assume that DPAPI solution is best used in small and single web site environment ? Thanks John
I don't think it is the issue of small vs. large. There are cases when DPAPI
is simply a very bad choice, such as encryption of data stored in a database. Whether the application runs on one machine or many machines, it does not matter. DPAPI can serve best for storing application configuration settings (in .config file or registry), but again you really need to understand the limitations and vulnerabilities, because in certain situations DPAPI is no more secure than its alternatives. There is a misconception that DPAPI is a silver bullet for data protection, but unfortunately it is not. In some cases it can be the best option, in other cases, it is not. Alek [quoted text, click to view] "WJ" <JohnWebbs@HotMail.Com> wrote in message news:%23jpu7ZJSEHA.3420@TK2MSFTNGP11.phx.gbl... > > "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message > news:u1QY4SCSEHA.1256@TK2MSFTNGP09.phx.gbl... > > Alek, I see now that you are right, and I stand corrected. > > > > So it is safe to assume that DPAPI solution is best used in small and single > web site environment ? > > Thanks > > John > >
WJ wrote: "I like its [DPAPI] concepts of Machine Store for web applications
and User Store for windows form applications." Machine Store is not safe. If a hacker manages to get the WRITE access to any of the folders on a compromised machine, he can drop an application there which will decrypt any setting encrypted using DPAPI with machine store. This is not a very far-fetched scenario. DPAPI with user store for Windows forms-based applications is probably the best option, assuming that the application is always executed by the same user, which in our (corporate) environment is not the case. From my experience, the best candidates for DPAPI with user store are Windows services. Alek
[quoted text, click to view]
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message news:%23a5zyTMSEHA.3056@TK2MSFTNGP11.phx.gbl... > I don't think it is the issue of small vs. large. There are cases when DPAPI > is simply a very bad choice, such as encryption of data stored in a > database. In this case, yes, DPAPI is not built for this purpose. [quoted text, click to view] > DPAPI can serve best for storing application configuration > settings (in .config file or registry) In my opinion, DPAPI is built for this purpose only. I think it is very effecitive against internal abuse/hacks. [quoted text, click to view] > ....understand the limitations and vulnerabilities, because in certain > situations DPAPI is no more secure than its alternatives. There is a > misconception that DPAPI is a silver bullet for data protection, but > unfortunately it is not. There is no such thing called "absolute secure". [quoted text, click to view] > In some cases it can be the best option, in other cases, it is not. Yes, DPAPI is best used to encrypt sensitive data such as connection string, user logon id and password for impersonation method and other pieces of data that is normally hard-coded in configuration files such as the .Net "web.config" file. In summary, any encryption logics that requires a secret key to protect the decryption of its data illegally can be compromised. But I see no other solution to get away with the secret key storage requirement. As a result, DPAPI is indeed one of excellent tools for storing sensitive data as described above. I like its concepts of Machine Store for web applications and User Store for windows form applications. John
This is possible if ACLs are not set correctly on every folder under every
virtual directory. Or when a hacker manages to exploit a new vulnerability in the OS or system services. Or when a hacker is an internal user who manages to get access to the system or already has access to the system, but is not supposed to know the application secrets... I do not want to get into the long discussion, but what I am trying to say is that if you base your application security on the conditions that the underlying OS and supporting services are unbreakable and system administrators never make mistakes, some day you may encounter an unpleasant surprise. Hopefully you won't, but it cannot be guaranteed, so it is better to implement the strongest feasible security on all levels: processes, hardware, and software. Alek [quoted text, click to view] "WJ" <JohnWebbs@HotMail.Com> wrote in message news:eOuSssaSEHA.2480@TK2MSFTNGP10.phx.gbl... > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message > news:ObT8D1OSEHA.2408@tk2msftngp13.phx.gbl... > > > Machine Store is not safe. If a hacker manages to get the WRITE access to > > any of the folders on a compromised machine, he can drop an application > > there which will decrypt any setting encrypted using DPAPI with machine > > store. > > This is only possible if one uses Microsoft tool such as the "aspnet_setreg" > to store your data in the registry database. This tool is one example that > MS gave, to avoid this "problem", you will almost have to implement your own > DPAPI (modified) to store your key in other places. However that may be, > system administrator is responsible to lock his server(s) to avoid misshaps. > > Cheer > > John > >
[quoted text, click to view] "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message news:ObT8D1OSEHA.2408@tk2msftngp13.phx.gbl... > Machine Store is not safe. If a hacker manages to get the WRITE access to > any of the folders on a compromised machine, he can drop an application > there which will decrypt any setting encrypted using DPAPI with machine > store. This is only possible if one uses Microsoft tool such as the "aspnet_setreg" to store your data in the registry database. This tool is one example that MS gave, to avoid this "problem", you will almost have to implement your own DPAPI (modified) to store your key in other places. However that may be, system administrator is responsible to lock his server(s) to avoid misshaps. Cheer John
[quoted text, click to view]
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message news:OUAeHSbSEHA.240@TK2MSFTNGP11.phx.gbl... > I do not want to get into the long discussion, but what I am trying to say > is that if you base your application security on the conditions that the > underlying OS and supporting services are unbreakable and system > administrators never make mistakes, some day you may encounter an unpleasant > surprise. Hopefully you won't, but it cannot be guaranteed, so it is better > to implement the strongest feasible security on all levels: processes, > hardware, and software. > I do not want to drag this communication too long. But shops paying the security guys 6 figures, they better be "hardened" ones :). John
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |