Basics of software security: Confidentiality

This post belongs to a small series about the seven key software security goals. These goals don’t apply only to software security, but to security in general. Traditionally there are six elements on this list: Authentication, Authorization, Confidentiality, Integrity, Accountability and Availability. DASWANI, KERN and KESAVAN mention a very interesting seventh goal: Non-repudiation.

Confidentiality

Ensuring Confidentiality means guaranteeing that data remains private and can’t be accessed by unauthorized agents. The goal is to keep both temporary and persistent data secret. Confidentiality is a concept that can be applied at several levels of the data flow throughout business processes.

Cryptography is one of the most common ways to achieve an acceptable level of confidentiality. To protect corporate data, one can encrypt network data transfers so that an eavesdropper can’t read what is captured. Encryption can also be used to guarantee data confidentiality on data storage servers. If data is intercepted, either in transit over the network or through stolen storage, confidentiality can still be maintained if the cryptography is strong enough that the interceptor can’t understand the data contents.

References

Neil DASWANI, Christoph KERN and Anita KESAVAN: Foundations of security: what every programmer needs to know.

J. D. MEIER et al.: Improving Web Application Security – Threats and Countermeasures.

Jason ANDRESS: The basics of information security.


Maven: auto install project to local repository with source jar

This script is useful if you want your Maven project quickly installed into your local repository, with sources (very useful for code/javadoc browsing in IDEs such as Eclipse).

If you are not using any plugin to automatically do it for you, the normal steps are to: 1) go to the base dir of your project (where the pom.xml is located) 2) build and generate sources 3) run a mvn install:install-file with -Dclassifier=sources attributes, also specifying artifact names and the new version. A bit painful to do it by hand every time you increment your project’s version.

The script

#!/bin/bash
# Copyright (c) 2014, bluefoot.dev@gmail.com
#
# Installs a maven project into the local repository, will also install sources.
# Must have a pom.xml in the current directory that represents a single project.
#
# TODO: support three parameters: version, groupid, artifacts. if present, will not auto detect but use what the user provided.
#

function install {
    if [ -f "pom.xml" ]
    then
        version=`xpath pom.xml '/project/version/text()' 2> /dev/null`
        groupid=`xpath pom.xml '/project/groupId/text()' 2> /dev/null`
        artifactid=`xpath pom.xml '/project/artifactId/text()' 2> /dev/null`
        echo "[SCRIPT INFO] detected version=$version, groupid=$groupid, artifactid=$artifactid"
        if [ -n "$version" ] && [ -n "$groupid" ] && [ -n "$artifactid" ] ; then
            echo "[SCRIPT INFO] installing..."
            mvn clean install;
            echo "[SCRIPT INFO] generating sources..."
            mvn source:jar
            echo "[SCRIPT INFO] installing sources..."
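            # Line continuations keep this a single mvn command; values read from pom.xml are quoted.
            mvn install:install-file -DgroupId="$groupid" -DartifactId="$artifactid" \
                        -Dversion="$version" -Dfile="./target/$artifactid-$version-sources.jar" \
                        -Dpackaging=jar -Dclassifier=sources;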
            echo "[SCRIPT INFO] done"
        else
            echo "[SCRIPT ERROR] some information from pom.xml could not be detected"
            exit 1
        fi
    else
        echo "[SCRIPT ERROR] no pom.xml found in current directory"
        exit 1
    fi
}

install

How to use it

Save it as, let’s say, “mvnsourceinstall”, somewhere in your path (e.g. /usr/bin/mvnsourceinstall) and make it executable.

All you have to do now is cd to your project and type mvnsourceinstall. Keep in mind that this currently only works for pom.xml files containing a single project. This can easily be improved to accommodate multiple projects. Another good improvement would be to add support for generating and installing javadocs. For me, source is good enough.


Basics of software security: Authorization

This is the second post of a small series about the seven key software security goals. These goals don’t apply only to software security, but to security in general. Traditionally there are six elements on this list: Authentication, Authorization, Confidentiality, Integrity, Accountability and Availability. DASWANI, KERN and KESAVAN mention a very interesting seventh goal: Non-repudiation.

Authorization

Authorization is about checking whether someone is allowed to perform an operation on a resource. In other words, after we know who the user is (authentication), we need to know whether they have permission to do what they want to do.

Usually the concept of a resource is tied to the authorization process: the user is trying to perform an operation on a resource, such as reading it or modifying it. Normally the user is also tied to one or more roles (e.g. admin, normal user), so instead of checking whether the user is authorized to perform an operation, we check whether their role is authorized.

Let us illustrate this concept with an example: let’s say Mr. Daario works as a seller in a department store. He has a username and password for this store’s inventory system. After logging into the system, he tries to create a promotion for a product, but the system denies it, saying that Daario can’t create promotions. This means Daario was successfully authenticated to the system, but he wasn’t authorized to add a promotion. Daario can check which promotions are currently active, though. Now, let’s say Mr. Barristan is a manager at this store. After correctly typing his username and password into the system, he can successfully add new promotions. He can also view existing promotions and even suspend a promotion if he feels like it. What we can tell from this example is that the role seller can only view promotions, and the role manager can create and suspend promotions, in addition to viewing them.

Sometimes a user is not required to be authenticated, so an anonymous or guest role is given to this user. Usually these are very limited roles, since anyone can have them, but they fit very well in some situations. For example, to visit a webpage, you don’t need to create a new user account; you are given a guest role, which allows you to see this webpage, except for the sections that require a more privileged role. Furthermore, the guest role could be the only one authorized to see ads on the page; this would encourage guests to register an account and get a “basic user” role, which would not be authorized to see ads.
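The roles described above can be written down as a small deny-by-default check. This is an added example, not code from the books referenced below; the operation names, the role table and the sample accounts are assumptions made up for illustration.

```python
from typing import Optional

# Role -> explicitly allowed operations, following the examples in this post.
# Anything not listed here is denied (names are illustrative assumptions).
ROLE_PERMISSIONS = {
    "guest":   {"page:view", "ads:view"},
    "basic":   {"page:view"},
    "seller":  {"promotion:view"},
    "manager": {"promotion:view", "promotion:create", "promotion:suspend"},
}

# Constructed sample accounts: username -> roles (a user may hold several).
USER_ROLES = {
    "daario": {"seller"},
    "barristan": {"manager"},
    "newuser": {"basic"},
}


def roles_of(username: Optional[str]) -> set:
    """Map the result of authentication to roles; None means not logged in."""
    if username is None:
        return {"guest"}
    # Authenticated but unknown to the role store: no roles, so nothing is allowed.
    return set(USER_ROLES.get(username, set()))


def is_authorized(username: Optional[str], operation: str) -> bool:
    """True only if one of the user's roles explicitly allows the operation."""
    return any(operation in ROLE_PERMISSIONS.get(role, set())
               for role in roles_of(username))


def create_promotion(username: Optional[str], product: str) -> str:
    """The check is enforced at the operation itself, not only in the UI."""
    if not is_authorized(username, "promotion:create"):
        raise PermissionError(f"{username or 'guest'} cannot create promotions")
    return f"promotion created for {product} by {username}"
```

Note that an authenticated user with no known role gets no permissions at all, rather than silently falling back to guest.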

References

Neil DASWANI, Christoph KERN and Anita KESAVAN: Foundations of security: what every programmer needs to know.

J. D. MEIER et al.: Improving Web Application Security – Threats and Countermeasures.
