Secure Coding mailing list archives
Re: Credentials for Application use
From: Dave Aronson <secureCoding2dave () davearonson com>
Date: Thu, 12 May 2005 14:07:25 +0100
"Gizmo" <[EMAIL PROTECTED]> wrote:
> I have a similar situation in one of my applications. The customer wishes to secure the database. Since we use a Btrieve database, the only way to do this is by setting an owner name on the DB, and then encrypting using the owner name as the password.

That sure doesn't sound secure to me! Does BTrieve make it easy, difficult, or impossible to see what users own what dbs? Does it make it easy/diff/imposs to see what users exist? Does it have well-defined syntax rules for the usernames, and maybe even a fairly short maximum length? Unless the names can be very long (as in, at least a few dozen chars), with very little restriction on content (as in, case sensitive, and including spaces and punctuation), and BT makes it *impossible* to see what users exist, let alone own what, then the entire "security" there is basically nothing more than one incredibly weak password.

> However, once the DB is secured, you can't access it unless you have the owner name, and giving out the owner name to everyone who uses the app to access the DB pretty much defeats the whole purpose of the exercise.

Looks like BTrieve "security" is pretty much useless, except possibly for giving a tiny bit of protection to transmission of the entire db.

> The only way <I> can see to deal with this is something similar to what I've done in my app:

You probably don't need to get that fancy. The first question that both I and my wife thought of is, why not migrate to something with more useful security than BT? B-) But seriously, that brings up the very first question usually asked when developing a security strategy. Exactly what threat(s) are you trying to secure it *against*? Who will be doing what, how, maybe why, possibly even when and (from) where?

> and the registry.

...which means you're running Windows, which means security isn't really much of a priority after all. B-)/2

-Dave
Current thread:
- Credentials for Application use Mikey (May 11)
- RE: Credentials for Application use Gizmo (May 11)
- RE: Credentials for Application use Gunnar Peterson (May 11)
- RE: Credentials for Application use Gizmo (May 11)
- RE: Credentials for Application use Mikey (May 12)
- RE: Credentials for Application use Gunnar Peterson (May 11)
- <Possible follow-ups>
- RE: Credentials for Application use Goertzel Karen (May 11)
- RE: Credentials for Application use Gizmo (May 11)
- RE: Credentials for Application use ljknews (May 11)
- Re: Credentials for Application use Dave Aronson (May 12)
- RE: Credentials for Application use Gizmo (May 12)
- Re: Credentials for Application use Dave Aronson (May 13)
- RE: Credentials for Application use Gizmo (May 11)
- RE: Credentials for Application use Mikey (May 12)
- Re: Credentials for Application use Michael Silk (May 12)
- RE: Credentials for Application use Gizmo (May 11)
- RE: Credentials for Application use ljknews (May 12)