Questions tagged [security]

For questions relating to cryptography and IT security. This can be computer, network, or database security.

Computer security is a branch of computer technology known as information security as applied to computers and networks.

For more comprehensive Q&As, try browsing Information Security Stack Exchange. Questions focused more on general security practices should be brought to attention there.

905 questions
1635 votes, 11 answers

Which hashing algorithm is best for uniqueness and speed?

Which hashing algorithm is best for uniqueness and speed? Example (good) uses include hash dictionaries. I know there are things like SHA-256 and such, but these algorithms are designed to be secure, which usually means they are slower than…
Earlz
134 votes, 7 answers

Are private, unguessable URLs equivalent to password-based authentication?

I want to expose a resource on the web. I want to protect this resource: to make sure it is only accessible to certain individuals. I could set up some kind of password-based authentication. For example, I could only allow access to the resource…
GladstoneKeep
127 votes, 4 answers

REST API security Stored token vs JWT vs OAuth

I am still trying to find the best security solution for protecting a REST API, because the number of mobile applications and APIs is increasing every day. I have tried different ways of authentication, but still have some misunderstandings, so I need…
CROSP
115 votes, 9 answers

How to safeguard a REST API for only trusted mobile applications

How do I make sure my REST API only responds to requests generated by trusted clients, in my case my own mobile applications? I want to prevent unwanted requests coming from other sources. I don't want users to fill in a serial key or whatever, it…
supercell
109 votes, 7 answers

You're hired to fix a small bug for a security-intensive site. Looking at the code, it's filled with security holes. What do you do?

I've been hired by someone to do some small work on a site. It's a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I've noticed it's filled with security holes - read, lots of PHP…
MaiaVictor
86 votes, 7 answers

How can robots beat CAPTCHAs?

I have a website e-mail form. I use a custom CAPTCHA to prevent spam from robots. Despite this, I still get spam. Why? How do robots beat the CAPTCHA? Do they use some kind of advanced OCR or just get the solution from where it is stored? How…
totymedli
82 votes, 17 answers

How can software be protected from piracy?

Why does it seem so easy to pirate today? It just seems a little hard to believe that with all of our technological advances and the billions of dollars spent on engineering the most unbelievable and mind-blowing software, we still have no other…
Snowman
74 votes, 4 answers

What is the purpose of identifier-first login screens?

Companies like Google and Microsoft use identifier-first screens: where you provide your identifier (like an email) before providing the password. Why is this done, is this somehow more secure? I'm setting up a login with Auth0 and identifier-first…
Tobi Akinyemi
72 votes, 9 answers

Why not expose a primary key?

In my education I have been told that it is a flawed idea to expose actual primary keys (not only DB keys, but all primary accessors) to the user. I always thought it to be a security problem (because an attacker could attempt to read stuff not…
Angelo Fuchs
69 votes, 3 answers

Role vs Permission Based Access Control

I'm trying to understand the inherent tradeoff between roles and permissions when it comes to access control (authorization). Let's start with a given: in our system, a Permission will be a fine-grained unit of access ("Edit resource X", "Access the…
smeeb
66 votes, 14 answers

Is there any reason not to go directly from client-side Javascript to a database?

Possible duplicate: Writing Web “server less” applications. So, let's say I'm going to build a Stack Exchange clone and I decide to use something like CouchDB as my backend store. If I use their built-in authentication and database-level…
Chris Smith
60 votes, 16 answers

Why did SQL injection prevention mechanisms evolve in the direction of using parameterized queries?

The way I see it, SQL injection attacks can be prevented by: carefully screening, filtering, and encoding input (before insertion into SQL); or using prepared statements / parameterized queries. I suppose that there are pros and cons for each, but why did…
Dennis
56 votes, 8 answers

Should a stack trace be in the error message presented to the user?

I've got a bit of an argument at my workplace and I'm trying to figure out who is right, and what is the right thing to do. Context: An intranet web application that our customers use for accounting and other ERP stuff. I'm of the opinion that an…
Vilx-
50 votes, 8 answers

Why do almost no webpages hash passwords in the client before submitting (and hash them again on the server), so as to "protect" against password reuse?

There are many sites on the Internet that require login information, and the only way to protect against password reuse is the "promise" that the passwords are hashed on the server, which is not always true. So I wonder, how hard is it to make a…
45 votes, 5 answers

SQL sanitizing in code with no user input

In my company's codebase, we hardcode SQL queries without using an ORM. Here's an example of a query we would run: `UPDATE client SET status="active" WHERE client_id=123`. Since the query is hardcoded and the parameters are passed in, the code would…