Secure Coding mailing list archives

Re: Credentials for Application use

From: Dave Aronson <secureCoding2dave () davearonson com>
Date: Thu, 12 May 2005 14:07:25 +0100

"Gizmo" <[EMAIL PROTECTED]> wrote:

I have a similar situation in one of my applications.  The
customer wishes to secure the database.  Since we use a Btrieve
database, the only way to do
this is be setting an owner name on the DB, and then
encrypting using the owner name as the password.


That sure doesn't sound secure to me!  Does BTrieve make it easy, 
difficult, or impossible to see what users own what dbs?  Does it make 
it easy/diff/imposs to see what users exist?  Does it have well-defined 
syntax rules for the usernames, and maybe even a fairly short maximum 
length?  Unless the names can be very long (as in, at least a few dozen 
chars), with very little restriction on content (as in, case sensitive, 
and including spaces and punctuation), and BT makes it *impossible* to 
see what users exist, let alone own what, then the entire "security" 
there is basically nothing more than one incredibly weak password.

However, once the DB is secured, you can't
access it unless you have the owner name, and giving out the
owner name to everyone who uses the app to access the DB pretty much
defeats the whole purpose of the exercise.


Looks like BTrieve "security" is pretty much useless, except possibly for 
giving a tiny bit of protection to transmission of the entire db.

The only way <I> can see to deal with this is something
similar to what I've done in my app:


You probably don't need to get that fancy.  The first question that both 
I and my wife thought of is, why not migrate to something with more 
useful security than BT?  B-)

But seriously, that brings up the very first question usually asked when 
developing a security strategy.  Exactly what threat(s) are you trying 
to secure it *against*?  Who will be doing what, how, maybe why, 
possibly even when and (from) where?

and the registry.


...which means you're running Windows, which means security isn't really 
much of a priority after all.  B-)/2

-Dave

Current thread:

Credentials for Application use Mikey (May 11)
- RE: Credentials for Application use Gizmo (May 11)
  - RE: Credentials for Application use Gunnar Peterson (May 11)
    - RE: Credentials for Application use Gizmo (May 11)
    - RE: Credentials for Application use Mikey (May 12)
- <Possible follow-ups>
- RE: Credentials for Application use Goertzel Karen (May 11)
  - RE: Credentials for Application use Gizmo (May 11)
    - RE: Credentials for Application use ljknews (May 11)
    - Re: Credentials for Application use Dave Aronson (May 12)
    - RE: Credentials for Application use Gizmo (May 12)
    - Re: Credentials for Application use Dave Aronson (May 13)
    - RE: Credentials for Application use Mikey (May 12)
    - Re: Credentials for Application use Michael Silk (May 12)
  - RE: Credentials for Application use ljknews (May 11)
- RE: Credentials for Application use Goertzel Karen (May 12)
  - RE: Credentials for Application use ljknews (May 12)