AppSec Blog: Category - encryption

AppSec Blog:

ASP.NET MVC: Secure Data Storage

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe. In this post, Taras will review secure data storage in the ASP.NET MVC framework.

Secure Logging
The system should not log any sensitive data (e.g. PCI, PHI, PII) into unprotected log storage. Let's look at an example from a healthcare application. The following snippet shows when the application was not able to successfully store the updates to a particular patient. In this case, the logger is writing the patient's name and other PHI information to an unprotected log file.

log.Info("Save failed for user: " + user.SSN + "," + user.Prescription);

Instead, the application can write the surrogate key (i.e. ID of the patient's record) to the log file, which can be used to lookup the patient's information.

log.Info("Save failed for user: " + user.Identifer);


Cloud Encryption Options - Good for Compliance, Not Great for Security

Guest Editor: Today's post is from David Hazar. David is a security engineer focusing on cloud security architecture, application security, and security training. In this post, David will take a look at the encryption options for applications hosted in the cloud.

Over the last decade, due to new compliance requirements or contractual obligations, many, if not most, companies have been implementing encryption to better protect the sensitive data they are storing and to avoid having to report a breach if an employee loses a laptop or if backup media is lost in the mail. One of the more popular ways of adding this additional protection is to implement some form of volume-based, container-based, or whole-disk encryption. It would be difficult to argue that there is an easier, more cost-effective method to achieve compliance than to utilize this type of encryption. Also, although there are potential weaknesses to some implementations of the technology, it is pretty


Ask the Expert - Johannes Ullrich

Johannes Ullrich is the Chief Research Officer for the SANS Institute, where he is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida.

1. There have been so many reports of passwords being stolen lately. What is going on? Is the password system that everyone is using broken?

Passwords are broken. A password is supposed to be a secret you share with a site to authenticate yourself. In order for this to work, the secret may only be known to you and that particular site. This is no longer true if you use the same password with more than one site. Also, the password has to be hard to guess but easy to remember. It is virtually impossible to come up with numerous hard to guess but easy to remember


ASP.NET Padding Oracle Vulnerability

A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developersit's important to see what lessons can be learned in order to improve the defensibility of our software.

Source: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

This vulnerability illustrates a couple of important lessons that all developers should take note of:

  • Doing cryptography correctly is challenging

  • Don't store sensitive information on the client

They've fixed the first issue with an out of bandpatch which means Microsoft took this vulnerability as a very real and serious threat to ...

Top 25 Series - Rank 20 - Download of Code Without Integrity Check

Checking the integrity of code you download is important and has to be done not just for the initial download, but for updates as well. We will discuss the options to implement integrity checks correctly.