security

How JVM works internally

最后都变了- posted on 2021-01-28 10:19:13
Question: ALL, At work we have software written in Java. It is operational and works fine. In a couple of sources we have statements like this: import x.y.z There is no source file where we use import x.y.* Recently we had a scan from the Software Assurance team and they found a couple of deficiencies. An example would be this: The code is using MD5 encryption algorithm. Our code does not even import a class connected to the MD5 let alone use it. So, my question would be: If I have an import for the

Is the Traffic between sidecar and main process encrypted in istio?

痞子三分冷 posted on 2021-01-28 09:41:02
Question: I know that istio supports mTLS for inter-service communication done through istio proxy, but I couldn't find any documentation on their official site explaining the state of traffic between the istio proxy container & the main container itself in a pod (assuming it's a kubernetes managed cluster). Is the traffic encrypted between proxy and main containers? If it's not by default, is there any config or plugin out there that can enable this behaviour? Appreciate any help on this. Answer 1: The traffic

Biometric authentication implementation

久未见 posted on 2021-01-28 08:33:18
Question: I'm looking for the best practices regarding alternative authentication from our mobile app using fingerprint/touchID/FaceId. We have the following architecture : Database : PostgreSQL Backend : REST API in .net core 2.2 Clients : Angular2 web client A mobile app in Xamarin Forms <--- This is where the magic should happen For the moment, our clients authenticate to the REST API using username/password and receive a JWT token. The token is then attached to each secured request to the API. What I

SSL error with GRPC Java

走远了吗. posted on 2021-01-28 07:58:35
Question: JDK version : 1.8u77 proto3.0.3 version I have tried incorporating SSL into the current application. Please find below the approaches we have tried. 1) OpenSSL Static approach We have added the io.netty.tcnative-boringssl-static, io.netty.handler and bundles to com.pelco.vms.pelcotools.application.bnd and tried the below code snippet (added to RPCHandler) : SslContext sslContext = SslContextBuilder.forServer(certificatePemFile, privateKeyPemFile) .sslProvider(SslProvider.OPENSSL) .build(); server =

Waiting for a specific event in PowerShell

隐身守侯 posted on 2021-01-28 07:45:04
Question: I am writing a script in PowerShell that will wait for a specific event in Windows 7: Event ID 4776, in the Security Log. The script will run when the computer is locked. The script is supposed to run in idle, essentially a while(true) loop, and it will wait for the "Failed Audit" of the event to occur. Once the event happens, it will add one to a counter. Once the event happens in a "Success Audit" status, it will break from the loop and thus be done with the script. My initial idea was to

What are the drawbacks of using cache-control: no-store?

老子叫甜甜 posted on 2021-01-28 06:32:40
Question: We want to "prevent the inadvertent release or retention of sensitive information (for example, on backup tapes :) )" and plan to use the HTTP header Cache-control: no-store. What are the down-sides of doing so? From the spec, it appears caching will continue to operate - it just cannot use non-volatile storage. In order to choose which responses to specify no-store on, we have some measure of "sensitivity." What is the counterbalancing measure we should use - in other words, why not mark

How to programmatically allow access to the KeyChain for my application?

ⅰ亾dé卋堺 posted on 2021-01-28 05:46:46
Question: Need to avoid the confirmation dialog. Answer 1: The dialog box is a security feature of the keychain. Because it stores sensitive user information, the OS takes the position that the user should always have the option to prevent the use of this information so that the user can trust they're not being used without their knowledge. So no, there's no way to prevent the security dialog box from being shown. You can make your user's life easier if you code sign your application. When you update a signed

How to Securely store Temporary files in Windows, especially with Security Intrusion Prevention applications blocking the TEMP directory

帅比萌擦擦* posted on 2021-01-28 04:58:00
Question: In the past many applications have stored temporary files in the Temp/Tmp directory, either the system's or the user-specific ones. Recently though we've had many users in enterprises where usage of the Temp directories is blocked due to virus scanning tools or host intrusion prevention tools and policies not allowing usage of those locations. I think the fear here is that multiple applications can read and write from that location and so a rogue application could negatively affect another

PKCS#11 TLS Authentication

百般思念 posted on 2021-01-28 03:03:47
Question: I am new to PKCS#11 and Common Access Cards, but as I understand it, on the card you have the certificate(s) that can be extracted and the private key(s) that can't. I am trying to write an app that communicates with a web server that requires certificates for authentication. The PKCS library provided by the hardware vendor is pretty thin. I can essentially access the certificate object or sign data using the on-card private key. What I am unsure of is how I handle the handshake and such when

How to prevent Azure table injection?

情到浓时终转凉″ posted on 2021-01-27 20:23:39
Question: Is there a general way to prevent Azure storage injection? If the query contains a user-entered string, for example his name, then it is possible to do some injection like: jan + ' or PartitionKey eq 'kees. This will end up getting an object jan and an object with the partitionKey kees. One option is URLEncoding. In this case ' and " are encoded, and the above injection is not possible anymore. Is this the best option or are there better ones? Answer 1: Per my experience, I realize that there is