Is it a security issue if I post the backend code of my open source project?

Currently I'm creating an open source project and I want people to participate in creating the backend code, a simple API. It may sound newbie, but I've been told that I should never make my backend code public, for security reasons. Then how can people collaborate on making the API if they can't make it public? Should they secretly send me the code, or are there no security issues in doing so?
Thank you very much.

No, it is not a security issue in itself. There are lots of good, well-secured open source backends, and libraries for writing backends, published in public repositories.
Conversely, if you deploy a non-secure backend (i.e. with bugs, old libraries with known exploits, etc.), even keeping your source code private will not help you. Public source code may make it faster to break into, but it does not make it less secure compared with private code.

Related

Can hosting a package on Npm cause Data privacy concerns?

We are creating a Web component that will be available via a self-hosted CDN in Europe.
The idea is to make it as easy as possible for developers to integrate the Web component in a Website.
One of those ways is to publish it on npm.
The question now is:
Since the project underlies very strict Data privacy requirements:
Could one make the case that npm is unsafe from the perspective of data privacy?
In other words: does the act of publishing an npm package cause a data privacy issue for the consuming developer or, more specifically, for the end user using the Web component in the browser?
Of course, this question excludes issues with the Web Component itself, since they can cause an issue on their own. I am only interested in hosting a package on npm.
Upon some investigating: I am from Germany, and data privacy and data protection seem to translate to the same word (Datenschutz). So in this question both are meant.
I would not use StackOverflow to seek advice on complying with data privacy laws or regulations. I am not a lawyer and I doubt very many people on here are. That said, there are some generalities that can be made that may or may not apply to your specific case. Again, I am not a lawyer, and this is not legal advice.
I'm not sure if you are talking about the public npm registry or a private one.
In terms of data privacy, publishing your code to the public npm registry isn't much different from publishing it to GitHub or to a blog. If the code, examples, documentation, and various configuration files do not contain sensitive data, publishing them to the public npm registry won't create issues. If one or more files that you publish do contain sensitive data, then publishing them to the npm registry will pose similar risks to posting them to GitHub or a blog.
If you are using a private npm registry, things might be a lot more complicated and I would not trust an answer on StackOverflow. Get your data security folks talking to your developers and the people who are doing the registry hosting.
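The answer above, like the first thread on this page about publishing backend code, comes down to one check: does anything in the files you are about to publish contain sensitive data (credentials, key material, or personal data in fixtures)? The following is an added example, not code from either answer, of a small pre-publish scan in Node.js. The file list is constructed for the demo; in a real workflow you would take the file names from `npm pack --dry-run` (which lists what the tarball would contain) and read the contents from disk. The pattern list is illustrative, not exhaustive.

```javascript
// Added example (not from the original answers): scan the files that would go
// into an npm tarball (or a public repository) for content that should never
// be published. The sample file list is constructed for the demo.

const SENSITIVE_NAMES = [
  /^\.env(\..*)?$/,           // dotenv files carrying runtime secrets
  /^\.npmrc$/,                // may carry an _authToken for the registry
  /\.(pem|key|p12|pfx)$/i,    // key material
  /^id_(rsa|ed25519|ecdsa)$/  // ssh private keys
];

const SENSITIVE_CONTENT = [
  { label: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { label: 'npm auth token', re: /_authToken\s*=/ },
  { label: 'credential assignment',
    re: /\b(password|passwd|secret|api[_-]?key)\b\s*[:=]\s*["']?[^\s"']{4,}/i },
  // Personal data (e.g. e-mail addresses in test fixtures) is a data
  // protection concern as much as a secret is; flag it for review.
  { label: 'email address', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i }
];

// files: [{ path, contents }] -> [{ path, reason }]
function scanPackageFiles(files) {
  const findings = [];
  for (const { path, contents } of files) {
    const base = path.split('/').pop();
    if (SENSITIVE_NAMES.some((re) => re.test(base))) {
      findings.push({ path, reason: 'sensitive file name' });
    }
    for (const { label, re } of SENSITIVE_CONTENT) {
      if (re.test(contents)) findings.push({ path, reason: label });
    }
  }
  return findings;
}

// Constructed sample of what a package might accidentally include.
const SAMPLE_FILES = [
  { path: 'package.json', contents: '{"name":"@example/widget","version":"1.0.0"}' },
  { path: 'dist/widget.js', contents: 'export function mount() {}' },
  { path: '.npmrc', contents: '//registry.npmjs.org/:_authToken=npm_EXAMPLETOKEN0000' },
  { path: 'test/fixtures/users.json',
    contents: '[{"name":"Max Mustermann","email":"max@example.de"}]' },
  { path: 'config/dev.js', contents: 'module.exports = { apiKey: "dev-key-1234" };' }
];

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanPackageFiles(SAMPLE_FILES);
  for (const f of findings) console.log(`${f.path}: ${f.reason}`);
  // A non-zero exit lets this double as a pre-publish gate in package.json scripts.
  process.exitCode = findings.length === 0 ? 0 : 1;
}
```

Wired into a `prepublishOnly` script, a scan like this fails the publish when a finding appears, which is the cheap way to enforce the "no sensitive data in published files" rule the answer relies on. It does not replace a review of what the published component itself does at runtime, which the question explicitly set aside.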

Is it possible to remote access and parse git revision history?

I have a usecase where I need to be able to inspect Git repositories as part of a web service and the average repo size will be very large - 1GB+ due to being used for video game projects. I need to do simple actions such as listing the revision history, etc.
Right now I'm implementing it via API calls to the remote Git host services (Github, Bitbucket, etc). This works okay, however there are some great Git projects like GitVersion that only work with real Git repos, that use libGit2sharp, and I cannot easily write a work around for.
I feel like this'll be a longshot, but I was wondering if anyone has discussed or begun work upon an implementation of libGit2sharp that works with the major Git hosts via their API's. Obviously not all actions available in libGit2 will work with an API interface, but at least most read-only actions should be.
If this is an entirely new feature request - I'd like to get the opinion of someone with knowledge of the libGit2sharp codebase about how difficult such a feature request would be to implement.
Git only specifies the network protocol for fetching, pushing and creating an archive. Nothing else can be done via the Git protocol (and providers will likely disable the archive so they can leverage their existing caching solutions).
If this is an entirely new feature request - I'd like to get the opinion of someone with knowledge of the libGit2sharp codebase about how difficult such a feature request would be to implement.
This feature would be out of scope and impossible as Git does not provide a way to perform these tasks.
Once you're trying not to do Git, then you're out of the Git world and into each provider's API. Trying to replicate Git operations and git commands on top of each provider's API is a whole project unto itself, and one which is likely to get you to hit these providers' API limits, as in-depth analysis of the repositories is not generally why they provide these services.
Not to mention that looking up each necessary object over HTTP would be extremely slow and you'd likely not gain anything over grabbing a Gigabyte or two from the network.
But if all you need is a few questions that can be easily answered from the APIs themselves (say, latest commit and its relationship to different branches), and you do need the logic in GitVersion, then you're probably better off making its history analysis pluggable so you can put in the data from your API lookups.
I'm not familiar with how GitVersion makes its decisions, but if it doesn't just want references and their relationships to each other and the tags, but rather wants to look at the repositories themselves, and you do need it rather than just replicating some of its logic, I would recommend downloading the repositories and performing all the analysis there. It'll be a much more efficient use of time to rent a bit of disk space from some provider than to try to fit each individual provider's API into some idealised version of a git command, where you then still need to figure out the edge cases of both the command and the API you're using.

Win 8 JS code security

I'm developing a Win 8 game in JS.
When I deploy my app, can any user see my code files?
My files have some database passwords; do I need to obfuscate them?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, which would otherwise allow them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have an HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx
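The first answer's Battleship advice (server keeps the board, client never sees ship positions, scores are computed server side, every request is validated) is the part of this thread worth seeing in code. Below is an added example in Node.js, not code from either answer, that models the server side of that game as plain functions so the request handling can be exercised without a web framework. The board size, the request shape (`{ x, y }`) and the scoring formula are assumptions made for the example; it also shows the client-trusting score endpoint the answer warns against, beside the server-authoritative one.

```javascript
// Added example (not from the original answers): server-authoritative game
// state for the Battleship scenario. Ship positions live only on the server,
// client input is validated field by field, and the score is derived from
// server state rather than accepted from the client.

const BOARD_SIZE = 10; // assumed board size for the example

// Naive design the answer warns against: the server stores whatever score the
// client reports, so anyone who can forge a request tops the high-score list.
function submitScoreUntrusted(highScores, player, reportedScore) {
  highScores.push({ player, score: reportedScore });
  return highScores;
}

function isValidCoord(v) {
  // Reject strings like "0", floats, NaN and out-of-range values outright.
  return Number.isInteger(v) && v >= 0 && v < BOARD_SIZE;
}

// Server-held game. `ships` is a list of [x, y] cells; they are stored in a
// Set that is never serialised into a response.
function createGame(player, ships) {
  const cells = new Set();
  for (const [x, y] of ships) {
    if (!isValidCoord(x) || !isValidCoord(y)) throw new Error('bad ship placement');
    cells.add(`${x},${y}`);
  }
  return { player, ships: cells, shotsTaken: new Set(), hits: 0, finished: false };
}

// Handle one shot request. `body` is the untrusted JSON the client sent.
function handleShot(game, body) {
  if (game.finished) return { status: 409, error: 'game over' };
  if (body === null || typeof body !== 'object') return { status: 400, error: 'invalid body' };
  const { x, y } = body;
  if (!isValidCoord(x) || !isValidCoord(y)) return { status: 400, error: 'coordinates out of range' };
  const key = `${x},${y}`;
  if (game.shotsTaken.has(key)) return { status: 400, error: 'cell already targeted' };

  game.shotsTaken.add(key);
  const hit = game.ships.has(key);
  if (hit) game.hits += 1;
  if (game.hits === game.ships.size) game.finished = true;

  // The response carries only the outcome of this shot, never the board.
  return { status: 200, hit, finished: game.finished };
}

// Assumed scoring rule: fewer shots needed to sink everything scores higher.
// The client influences this only by playing, not by what it reports.
function computeScore(game) {
  if (!game.finished) return 0;
  return (BOARD_SIZE * BOARD_SIZE - game.shotsTaken.size) * 10;
}

function submitScoreTrusted(highScores, game) {
  if (!game.finished) return { status: 400, error: 'game not finished' };
  const score = computeScore(game);
  highScores.push({ player: game.player, score });
  return { status: 200, score };
}

if (typeof require !== 'undefined' && require.main === module) {
  const game = createGame('alice', [[0, 0], [0, 1]]);
  console.log(handleShot(game, { x: '0', y: 0 })); // rejected: x is a string
  console.log(handleShot(game, { x: 0, y: 0 }));   // hit
  console.log(handleShot(game, { x: 0, y: 1 }));   // hit, game finished
  console.log(submitScoreTrusted([], game));
}
```

The point is structural rather than clever: because `handleShot` never returns `game.ships` and `submitScoreTrusted` never reads a score from the request, a reverse-engineered or emulated client (which the answer rightly says you cannot prevent) gains nothing it could not get by playing honestly. Database passwords, as asked in the question, belong on this server side as well, not in the shipped .js files.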

How do I go about safely taking a screenshot of a website that I know is infected with malware?

Background:
One of my clients' websites has become a malware infested hotbed.
Disposing of the malware has proven difficult and time consuming, and, in the meantime, we still have had to do work on the site.
For now, we went to some trouble to do our work - creating a disposable VM to just run a web browser, so we can see what the site looks like for the designers' work, for example.
I'm wondering if there's an easier (and faster) way to get an idea what the design of the site looks like. Not everyone on the project is tech savvy enough to be trusted with, for example, properly handling switching VMs.
Question:
Is there a method for safely seeing what a malware infested website looks like (for example, a service which will browse the site for me and send a screenshot), one which ideally is easy and simple enough that I can trust our non-tech-savvy designers to use it?
You might take a look at Internet Archive: Wayback Machine to see if the site has been archived.
If a screenshot is all you need, there are several online browser simulators, such as Net Renderer (which will run any inputted web URL in a given version of Internet Explorer and then supply a screenshot). You might also try BrowserStack, which requires an account, and is not free, but does have a free trial period, and offers more than Internet Exploder.
You could also try running a browser in Sandboxie, which is simpler to set up and use than a VM (you just install it, and then use the windows right-click menu to launch any program in a sandbox of your choosing). However, it isn't free for commercial use.
I don't know if a standalone tool exists to scan a website for malware, but I think this can help you: it's a Google tool that you can use with a request, and they will send you a response.
Follow the link:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328
Hope it helped.

Best FTP Objective-C wrapper for iPhone

I know you use the C based networking API to do FTP communication, but I'd prefer to use something a little higher level. I've seen a few Objective-C based wrappers but I'm not sure what to use. I don't need that complex of FTP interaction. It's just the typical create/delete dirs, upload/download files... What do you recommend?
Edit:
Here is one that looks promising but I can't get it to compile for the iPhone SDK
The ConnectionKit
This may help, but you may reconsider design for reasons stated by bbum:
http://code.google.com/p/s7ftprequest/
The reason why you can't find much in the way of useful FTP client software is because FTP isn't used much any more and is generally actively discouraged from use.
Without great care, it is quite easy to create big old security holes when using FTP (when I ran a consulting company, the 3 times we had infected machines were all because of FTP server security holes or exploits -- one time, the damned HP copier's FTP server was the attack vector!).
FTP is also inefficient unless carefully configured.
I would encourage you to use an HTTP based protocol. WebDAV allows you to do basically anything FTP can do, but does so over an HTTP channel. Thus, it'll work through proxies and the like. Heck -- HTTP has become so ubiquitous that pretty much everything works with HTTP.
And, of course, there are plenty of good HTTP client APIs built for Objective-C.
Obviously, if FTP is a requirement for your project, this answer won't help you much....
After not finding anything that works well I decided I'd go ahead and follow Apple's tutorial on how to do FTP. It sure is a PITA, but at least it does work. I'm definitely going to support WebDAV in the first revision of my app, and eventually perhaps some other transfer methods later on. I think I'm going to consider releasing this open source after I get FTP & WebDAV working well, since there is no reason why you should have to do this much low level work to do such a basic and ambiguous task as FTP these days.
I've implemented FTP file download and upload, directory create and directory list download through the regular FTP facilities in the iPhone SDK. Note: you'd be passing the login name and password as part of every FTP request, unsecured. Apparently no connection to the FTP server is maintained at the app level, as with a real FTP client app, which I haven't been able to find for iPhone yet. If you're interested in the source code please let me know through e-mail.
GoldRaccoon isn't mentioned and can be found on GitHub. I use that library and it works very well (although it didn't support FTP rename).