Archives / 2008 / May
  • SQL Injection Threat On The Rise

    I've been following the rise of SQL Injection attacks because I'm busy protecting a vulnerable web application. I'm very critical of the lack of attention this is getting in the developer community. In my opinion, if web developers were really communicating and collaborating with each other, there would be a lot of chatter about this problem. I'm sure there are many programmers being kept busy dealing with the aftermath of these attacks, but they are probably all implementing their own quirky solutions in isolation, without the benefit of community feedback. And it is the lack of community which created the problem. There is no peer pressure to think about security, and no exchange of ideas on how best to protect a site against SQL Injection attacks (a topic that can generate a lot of debate). Without any discussion of the SQL Injection attack, many developers are going to remain ignorant about it. There is, however, some ridicule of a lame attempt to protect against SQL Injection to be found on The Daily WTF. It is worthwhile to read through the comments.

  • ASP.NET Cryptography Insecurities

    I've found a serious shortcoming in one of the security methods I've been using. I've inherited two projects in which social security numbers were stored in a database in an unencrypted format. For the web application, I don't think the SQL Server 2005 built-in encryption methods are an option because the web hosting company is still using SQL Server 2000. Instead, I used the .NET Framework's built-in cryptography classes found in the System.Security.Cryptography namespace. I used the Rijndael (aka Advanced Encryption Standard, AES) cipher in a custom assembly which I uploaded to the web server's bin directory without the source code. This encryption method relies on a 128-bit key and an initialization vector (IV), which are basically just byte arrays of 16 numbers each.

  • Access Provider With LoginAdapter Conflict

    Today I discovered that you cannot use the LoginAdapter from the CSS Friendly Adapters with the Sample Access Providers. I am using an Access database for my Membership Provider because I only needed a login form for my administration directory and did not want to go to the trouble of adding the Security, Membership, and Role Management schema to my SQL Server database.