Collaborate Disseminate
I’m thinking about migrating to Fedora, but I’m not a big fan of Gnome3 so I’m thinking about using their Cinnamon spin. I’ve read in the past arguments whether or not Linux Mint is as secure as other distros, so I had a ques… Continue reading Do Linux desktop environments add security risks?
Microsoft is said to be launching a new Surface, codenamed Cardinal. The new device will be a one-box desktop PC—i.e., an all-in-one (AiO), as popularlized by Apple’s iMac. The avian-themed rumor seems credible and well-sourced. And an October hardware event would fit with Microsoft’s previous form. But beyond that, everything is mere speculation. None of which stops us from some amusing Friday musing…
The post Will Microsoft Launch a Surface All-In-One Desktop Next Month? Sources say… appeared first on Petri.
Continue reading Will Microsoft Launch a Surface All-In-One Desktop Next Month? Sources say…
Does WhatsApp use certificate pinning? I found a post by Preatorian Security from February 2014 that points the lack of certificate pinning as a major security problem, and mentions:
Update 02/21/2014: WhatsApp is activel… Continue reading Does WhatsApp use certificate pinning?
When using Join Me, can a file on a desktop be stolen by those viewing? I was using Join Me and another person was communicating with me to set up log in and access to My Vault, when I noticed a folder went missing from my desktop for abo… Continue reading Can someone using (the Join Me) screen sharing software use it to access my PC’s files?
Our company develops Windows desktop applications. We offer off the shelf solutions – not custom development. A potential new customer wants to add a section to our standard contract that requires us to use an “Application Scanning” Tool. They specifically mention IBM’s AppScan. However that tool seems to be for web applications, not desktop applications.
Our applications are developed using Delphi (from Embarcadero formerly Borland a long time ago). We are a small two developer shop. While I can understand the why a customer would want something like this in a contract, I’m not sure how I can really accomplish this.
Are there other “industry standard tools” as their contract language seems to indicate?
Is this becoming common practice among ISVs?
Are there any guidelines for ISVs for complying with these type of security review requirements? I know there are a number of sites for safe coding practices (verify user input, buffer overflows, SQL injection, etc.) but I have never seen anything that discusses putting together a security review that would convince a end user that the programmer did their job correctly.
Here is what they want added to the contract:
x.x Software Security Review And Testing. A security scanning process
will be performed on the application components for each production
release of the Software licensed by Licensee pursuant to this
Agreement prior to making available a major release of such
components. Such security scanning will be performed by Licensor
using IBM’s AppScan application scanning tool or an alternative,
industry standard tool (“Application Scanning”). Vendor will also
perform manual penetration testing (“Penetration Testing”) for each
major release of the core product(s). Vendor will conduct Application
Scanning on each application component as set forth in the applicable
Schedule under the Agreement a minimum of one (1) time per year.
Vendor will provide to and review with Licensee a report of the
results of Vendor’s most recent Application Scanning and Penetration
Testing for the AgWare Software.
The application itself is a standard windows application. It can connect to either an Access Database or a SQL Server database for it’s data storage. Users worried about security will obviously be using SQL Server. There is no middle tier – I connect directly from the application to the SQL Server. The connection is made using a trusted connection and all data access is via stored procedures.
I can understand running some type of security scanner on the SQL Database. i.e. something that would verify a table was not left with wide open access. It is interesting that the database was not addressed in the contract.
I can probably press the issue and say that AppScan cannot be run on desktop applications and get them to remove the section from the contract. Seeing it though made me wonder if any desktop application developers are running any type of scanner on their software.
Can anyone explain (or provide a link to a simple explanation) of what the Windows “Secure Desktop” mode is and how it works?
I just heard about it in the KeePass documentation (KeePass – Enter Master Key on a Secure Desktop) and would li… Continue reading How does the Windows "Secure Desktop" mode work?