asp.net secure my application so no one can transfer it and reuse it - asp.net

I'm making an ASP.NET web application which will run locally on IIS for a single user.
I don't want this user to access my application files (in the www root) or bring in another programmer and steal my code.
I just want the user to have the ability to access the website only, and to stop any programmer from knowing my source code.
I heard about a USB security system called a "dongle", but can it be used in a situation like this?
Any ideas?
Thanks in advance

The website is just running code, but like anything, once the user has it they can do what they like to it, whether you like it or not. That's why there is a multi-million {currency} industry around securing applications.
You could use dongles, but they're expensive and not trivial to implement. As #volleyball said, obfuscation would slow down most people from decompiling your app. Without obfuscation, any licensing or dongles could just be patched out of your code.
Your most secure route would be to not give it to them. It's a web app, host it. This may of course not meet your requirements.
Simon

I have never heard of a web application that uses a dongle. This is normally reserved for regular windows apps; and even then it's falling out of vogue. Generally speaking some of the more expensive software packages still use them.
However, the cost of duplicating a dongle is pretty low. Combined with the fact that getting around such security is relatively easy anyway and you have a situation in which you really shouldn't bother.
As Simon said, if it's a web app host it. Otherwise obfuscate it.
If neither of those is possible, then I'd recommend you change your licensing deal with your client to include the possibility of them going elsewhere. Perhaps for an additional charge you'll give them a non-exclusive site license permitting them to do whatever they want with the code short of selling it or giving it to another entity.

Did you look at obfuscators? They do a good job at encrypting code. 99% of the time your code cannot be reverse engineered. But if someone sits on your stolen code they can reverse engineer it, in the sense that ordinary people may not obfuscate it. If the person is very intelligent, he will not reverse engineer, he will write better code.

Related

What To Consider Before Deploying A Meteor App?

As I heard, there are many things that need to be considered before deploying a Meteor app. However, it's still quite vague. Could anyone please give me some opinions about this issue? Thanks
This is probably the wrong forum for this type of question, since it's highly opinionated and not really in the Q&A format, but I'll give you some of my personal opinions.
Where am I hosting my app?
This has a lot to do with what your app is (Web-based app, Android-only), how many users you plan to have, if this is a public app or something private, how much you have to spend, and many other factors. Options include:
Host it yourself - Could be on a VPS (Virtual Private Server, like Digital Ocean and others), some cloud offering (AWS or similar), or a bare-metal server you have hosted somewhere (like in your closet).
Pay for dedicated hosting - Several out there that offer many different features, like Galaxy or Modulus, etc.
If you host it yourself, then you have to maintain the hosting solution, i.e. you need to support it all on your own. This may mean provisioning/installing the OS, installing and configuring the server apps (MongoDB, Node.js, web servers, etc), and maintaining everything over time. The benefits, however, are potentially cheaper hosting costs (although this could be debated) and custom setups/architectures. If you are creating an app that should remain private (i.e. not a public app) you may want to consider this option so you can host it internal to the company and not make it public-facing. There are some tools out there that can ease the process of setting up the server, for instance MUP/MUPX.
For dedicated Meteor hosting, the benefit is that someone else does the installation, configuration, and maintenance of the core apps, and all you have to do is push the button to move your code in. These options can be more pricey as they are covering the IT costs of supporting the environment, but they usually come with the benefit that a) You don't have to install all that stuff yourself, b) you don't have to be an expert at all the "plumbing", c) You don't have to hire a staff of people to support your infrastructure, d) These hosting services usually know how to optimize things properly to get better performance for your app.
Do I deploy manually or do I use some tool?
This depends highly on the answer to #1, as your hosting decision may come with its own set of tools used to deploy (ex. Galaxy), or you may need to shop around for the best tool for you. For manual deploys, I'd suggest looking at MUP/MUPX, which can automate the deployment of your app, even configuring the web server, DB server, and setting up everything as Docker images. Or, if you want to have more control, maybe take a look at something like Grunt or Gulp, which are more build-scripting solutions (similar to what ANT/Maven/Gradle are for Java).
Do I expect a fast growth, or a slow trickle?
Again, this has a lot to do with where you plan to host. Lots of cloud services make it easy to grow/shrink your cluster of servers based on load, but this takes a LOT of configuration past just installing an OS. VPS and bare-metal solutions will be the hardest to expand. Dedicated hosting will depend on the provider.
You seriously need to think about how you might handle a fast-growth situation, even if you don't think your app will take off. The internet is riddled with apps that failed because they didn't think they would be as successful as they were. It only takes one mention on something like Reddit, Y Combinator, or Product Hunt for your app to get a sudden and unexpected rush of traffic that takes down the server(s). If you know your growth will be controlled in some way, like if you have a private app with a pre-set number of users, then you might not need to worry about it.
Do I need to monitor my app?
The answer to this is always "Yes", but to what extent? Do you need to provide 24x7 uptime? Would an outage cost you lots of money, make you lose your biggest client, etc? Can the users live without service for a little while if it goes down, or would I lose face and customers? Depending on how serious you need to be, you should consider some sort of monitoring of your infrastructure and app. Again, there are LOTS of options here, and your decision might be swayed quite a bit by the answer to the first question.
I am sure there are other questions, but these are the biggest I could come up with.

Tool for Scanning Website for Vulnerabilities

I've seen several questions on SO about this, but none of them quite fit what I'm looking for. I've got an ASP.NET site on my machine that I recently finished, but I'm a little worried about security. I'm pretty sure I've managed it pretty well, but there's always an off chance I've missed something.
So, I'm looking for a tool that meets the following requirements:
Scans a locally hosted (as in, on the same machine as the tool) website for vulnerabilities
Can be installed (i.e. no web-based stuff)
(elaborating on #1)... tests ASP.NET (Web Forms, but MVC would be nice too) for SQL or XSS problems. (I figure XSS is hard to test, but SQL injection should be easier to find)
Thanks! Lemme know if I'm not specific enough or if this is better suited for Webmasters SE.
There are a few scanning tools around, some of which are open source, which is nice. The exploits you are talking about are technology agnostic - any app could suffer from them regardless of whether it's .net, java, ruby, etc. This makes testing for them slightly easier. Also, SQL injection and XSS bugs are usually application specific, which makes automagically testing for them harder.
The best thing you can do is not be worried about security, but take specific steps to address issues. Security should always be designed into your application. So carry out a code review on your app. Look for specific things.
Do you have any in-line SQL? Do you modify it in any way? Are you using parameters?
Are you escaping any user input before you use it?
The above 2 steps will eliminate most SQL injection/XSS bugs. There are other issues to do with your server setup. Vulnerability scanning tools usually know most of these and can test for them.
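As an added illustration of the two review points above (this is example code, not from the answer; the UserLookup class, the Users table and the connection string are assumptions), the in-line SQL version sits beside the parameterised one, with output encoding for the XSS side:

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical lookup helper for an ASP.NET Web Forms page (assumed names, not
// from the question). The connection string is a placeholder.
public static class UserLookup
{
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=true"; // placeholder

    // BEFORE: in-line SQL built by string concatenation. A quote character in
    // the text box value ends the string literal early, and whatever follows
    // is parsed as SQL. This is the pattern the code review should flag.
    public static DataTable FindUserUnsafe(string nameFromTextBox)
    {
        string sql = "SELECT Id, DisplayName FROM Users WHERE Name = '"
                     + nameFromTextBox + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var adapter = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // AFTER: the same query with the user value passed as a typed parameter.
    // The value is never part of the SQL text, so it cannot change the query.
    public static DataTable FindUserSafe(string nameFromTextBox)
    {
        const string sql = "SELECT Id, DisplayName FROM Users WHERE Name = @name";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = nameFromTextBox;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Output side: anything echoed back into the page is HTML-encoded first, so a
    // DisplayName containing markup is rendered as text rather than interpreted
    // by the browser. This is the "escaping" step from the second review point.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }
}
```

A grep for string concatenation next to SqlCommand or SqlDataAdapter, and for Response.Write or Literal.Text assignments without HtmlEncode, is a quick way to find the remaining instances of each pattern during the review.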

How to encrypt your files online so no one can use it in future?

I know it may sound silly, but I worked for a client that seems not willing to pay me, but is making money with his website. I still have access to the FTP, so I'm not going to tear down the website if he doesn't pay, but I would at least like to protect the code that I gave him, so that I can be sure he can't resell or use it again.
http://www.zend.com/en/products/guard/
If you code for your client in PHP, this will prevent reverse engineering, and you can set the application to expire after a certain amount of time. There are numerous other licensing options available.
I think you have a deeper problem though, you should really talk to your client or get a third-party mediator to resolve this. At the very least, you should receive a deposit. Contracts will also give you some legal leverage, so you should have signed one before you started work.
What form is your code? HTML? JS? Java? C#? You can obfuscate JS; for Java (or .jar files) you can use the strip/pack tools as detailed here.
In general, obfuscation seems to be pretty effective for all of them (even HTML, if the bulk of it is generated through scripts :p).
Consider the next poor guy that your client recruits to manage that code... And consider the ramifications - because his impression of you will be based on that code!
If your code is written in ASP.NET, you should obfuscate it (Visual Studio comes with the community edition of Obfuscator), but there are probably better obfuscation tools than that one.
On a side note, I got my code and last payment actually stolen by a client (the binaries not the code itself, but he managed to disassemble the code with help from a developer. Unfortunately it's too easy with .NET). This is one case where I really regret not obfuscating the code.
First, don't do anything that could be taken as a malicious attack against your client. Messing with their FTP after they have ceased communication could land you in hot water.
Second, if they haven't yet given you a cent for your work then AFAIK you still own the full rights to that work. (i.e. the copyrights on the code etc. you provided) If they use your code, without a license and without paying then they are committing copyright infringement.
This is all legalese, but I'm not a lawyer. Talk to an attorney before acting on copyright.

WebSite Deployment Skills

We need to increase our knowledge on deployment of ASP.NET web sites/web apps. We are getting increasingly bigger and more traffic and need a more professional approach. Not to mention, we are also moving up to multiple database/multiple back end/multiple front end server deployments and we just don't want to screw it up.
What type of skills should we be looking for and is there a typical title people with these skills use?
Thanks,
Actually, we have most of the talents the two answers mention; what we are looking for is I guess what Dave calls the web server guru. I simply want someone to handle the deployment aspect. The developers we have need to be working on their end of it, not trying to figure out deployment best practices. Also, we may end up with multiple projects and teams and I don't think each team having a separate person rolling their own solutions would be as good as 1 dedicated resource for all the teams.
If you're looking to take an ASP.NET application to the next level, you need the development talent.
At least four years of intensive ASP.NET development experience.
A current certification to go with the experience would be good, but don't take the cert over the experience.
Find someone familiar with the techniques used in your app- if it's a Webforms app, don't go looking for an MVC wizard unless he/she also has the Webforms chops, etc.
It sounds like you may be handling the hosting yourself. If this is the case, you may also need to either hire a webserver guru or look into managed hosting. Don't be snookered into thinking you can get your dev to care and feed the hosting environment, it's too much work for one person.
Sounds like you will need at least three people, as the skills may not typically be what one person can do.
You may need a database administrator, to ensure that your multiple databases stay in sync, or backed up properly and configured correctly.
You will need a sysadmin to set up the multiple webservers and to ensure that all the hardware and infrastructure is configured properly.
And, you will need a .NET developer that knows ASP.NET as well as the database layer.
If you were hosted, then you wouldn't need the first two, as your hosting site would be responsible.
If you went with cloud computing then the same applies: you don't need the first two.
But, regardless, sounds like you need the third.
For the developer, you need to be careful about what skills you need, for example, C# for 4 yrs, ASP.NET for 2yrs, if you need javascript or css then specify that. If you are using any particular libraries then specify that.

ASP.NET - Trust Level = Full?

I recently joined a firm and when analyzing their environment I noticed that the SharePoint web.config had the trust level set to Full. I know this is an absolutely terrible practice and was hoping the stackoverflow community could help me outline the flaws in this decision.
Oh, it appears this decision was made to allow the developers to deploy dlls to the Bin folder without creating CAS policies. Sigh.
Just want to clarify and make matters worse, we are also deploying third party code to this web application.
Todd,
The book "Programming Microsoft ASP.NET 3.5" by Dino Esposito provides some sound reasoning for not allowing Full Trust in ASP.NET applications.
Among other reasons, Dino states that web applications exposed to the internet are "one of the most hostile environments for computer security you can imagine." And:
"a publicly exposed fully trusted application is a potential platform for hackers to launch attacks. The less an application is trusted, the more secure that application happens to be."
I'm surprised the StackOverflow community did not outline the problem with Full Trust better. I was hoping for the same thing so I didn't have to go digging through my pile of books to find the answer, lazy me.
If they're ignoring the CAS policies, it might be a tough sell to get them to dial it back, since it makes their job a little harder (or, at least, a little less forgiving). Changing security practices is always tough - like when I had to convince my boss that using the SA accounts in the SQL connection string of our web applications was a bad idea - but hang in there.
Full Trust allows the application to escalate to control of any resource on the computer. While you'd have to have a security flaw in your application to allow these, and they'll probably claim that they've prevented any escalations through astute programming, remind them that in the case that something happens, wouldn't they rather the web application didn't have control of the whole computer? I mean, just in case?
EDIT: I was a little overzealous with my language here. Full Trust would allow the application to control whatever it wants, but only if the Application Pool process has sufficient rights to do it. So if you're running as a limited user with no rights on the server except what the application needs, then I suppose there's essentially no risk to "Full Trust". The reality is that the app pool owner most likely has a number of rights you wouldn't want your app to have (and in some cases, many, many more), so it's much safer to limit app security and grant the additional rights the application needs individually. Thanks for the correction, Barry.
Flaws? Many. But the most damning thing is straight out of the CAS utility:
"...it allows full access to your computer's resources such as the file system or network access, potentially operating outside the control of the security system."
That means, code granted Full Trust can execute any other piece of code (managed or otherwise) on the system, can call across the network to any machine, can do anything in the file system (including changing permissions on restricted files - even OS files).
Most web programmers would say "that's not a problem, it's just my code," which is fine.... until a security flaw crops up in their code that allows an attacker to use it to do unsavoury things. Then previously-granted Full Trust becomes quite unfortunate.
I honestly have found sharepoint to be too restrictive.
Take a look at the following page to see what can and cannot be done based on trust levels
http://msdn.microsoft.com/en-us/library/ms916855.aspx
One problem I ran into immediately was I could not use the Caching Application Block. We were using this application block instead of the ASP.NET caching because we had used an MVP pattern and may open up a win forms application.
Another problem is no reflection, this caused the About page to fail because the version number is pulled from the metadata of the assembly.
I think the best solution is to not use SharePoint as an application host. I would only use SharePoint as an application host if the amount of coding was so small that it didn't affect the trust level and it would be less work than setting up a new application. If you are doing some type of coding which is starting to hit the walls of the trust level, move your application into a proper ASP.NET environment. But that is just me, and I am biased. Maybe you should try to aim for a Medium trust level compromise.
I use full trust on my development machines, so I can deploy to the BIN when building new code.
I trust my own code and run it in the GAC on production, because creating CAS policies is a pain.
The third party thing would have me worried.. however:
Most 3rd party solutions found on the web also deploy to the GAC (assuming for the same reasons). This gives them all rights regardless of trust level.
Feels like it has more to do with if you trust the 3rd parties or not.. and do you really trust your own developers?
What would a hacker do?
The scenario where a hacker drops an evil dll in your BIN folder I don't see as very realistic. Regardless, if he can do that, he can also probably change the trust level.
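The two settings discussed in this thread, as an added configuration example that is not from the question or from SharePoint's own files (the choice of Medium and the use of a plain ASP.NET application's web.config are assumptions). The second fragment answers the last comment's point: a trust level locked in the server-wide root web.config cannot be raised again by an application-level web.config dropped next to a rogue assembly.

```xml
<!-- Application-level web.config (assumed plain ASP.NET app, not SharePoint) -->
<configuration>
  <system.web>
    <!-- The setting found in the question. Any assembly placed in Bin runs
         with every right the application pool identity has. -->
    <!-- <trust level="Full" /> -->

    <!-- Hardened setting: Bin code runs under the Medium policy, which limits
         file access to the application's own directory and removes registry,
         socket and unrestricted reflection permissions. -->
    <trust level="Medium" originUrl="" />
  </system.web>
</configuration>

<!-- Server-wide root web.config (in the .NET Framework's CONFIG folder).
     allowOverride="false" locks the level: an application-level web.config,
     including one planted alongside an "evil dll", cannot set it back to Full. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

After locking the level, any third-party assembly that really needs more than Medium grants should be given a named custom policy file via securityPolicy rather than a return to Full for the whole site.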
