Seems like an awful lot of trouble to identify whether someone changed a file to give themselves access to your applications.

If the data is that sensitive then I'd imagine you would have a lot of auditing going on to identify what authenticated users were viewing / modifying this sensitive data? Whilst I don't know much about protecting source code from rogue developers / hackers, I would wonder if the expense of keeping databases of checksums against source code is really worthwhile? I was listening to a DNR (www.dotnetrocks.com) podcast the other day on ASP.net (just keeping up with what the evil empire is up to) and the guy there was saying the most frequent attacks on web applications are still SQL injection and cross site scripting. I'd be more worried about securing against these types of threats than against any harm a developer could do.

my 2c

Pat

On 8/1/05, Haikal Saadh <[EMAIL PROTECTED]> wrote:
> I'll agree with that. We used to run tripwire on a FreeBSD server during
> one of my previous jobs. Of course, Tripwire won't stop people modifying
> the in-memory component, but it will alert you if the version on disk
> changes. Oh, and you can run tripwire off read-only media, so you don't
> have to worry about people changing your tripwire binaries or your
> generated hashes.
>
> Anthony Israel-Davis wrote:
>
> >Well, it sounds like what you really need is external change detection,
> >like Tripwire. As full disclosure, I am a Tripwire employee, so I am
> >biased, but there are other products out there that do this sort of
> >thing such as snort as well as open source versions of tripwire (see
> >sourceforge.net).
> >
> >The method Nathan suggested would work, but you'd need to know what you
> >are hashing is in a known and trusted state (which I think he
> >mentioned.) Once you know the file is good you can compare against that
> >hash. If an update is made you will need to update that hash if the
> >update is "approved" or roll back the code if it is unauthorized.
> >Again, there is software out there that does exactly this sort of thing,
> >but it's not impossible to roll your own with CF. I think you would want
> >to dedicate a separate server instance to doing this sort of
> >thing...maybe use the asynch gateway. I doubt you'd want to dedicate the
> >overhead in a real time production environment with external users.
> >
> >Feel free to email me offline if you have specific questions about
> >Tripwire, and forgive me if this is somewhat incomprehensible - Oregon
> >Brewers Festival is going on and I'm just back from lunch...
> >
> >Anthony
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> >Behalf Of [EMAIL PROTECTED]
> >Sent: Friday, July 29, 2005 12:27 PM
> >To: [email protected]
> >Subject: [CFCDev] Digesting components
> >
> >Forgive me if this has been asked before. I need to check that a
> >component has not been altered. I have a security object that
> >authenticates users but I want to double check that my object hasn't
> >been tampered with.
> >
> >Let's say my security object resides in server memory.
> >
> ><cfset server.security = createObject("component","objects.security")>
> >
> >Before I make the call
> >server.security.authenticateUser(username,password)
> >I'd like to do something like
> >
> ><cfif not hash(server.security) = "E3435345CC89AEE62345CC89AE345CC8">
> >  <cfthrow message="Tampering has been detected">
> ><cfelseif not server.security.authenticateUser(username,password)>
> >  <cfthrow message="Username and password are not valid">
> ></cfif>
> >
> >Obviously hash() won't work and I've been trying to use one of the Java
> >message digest calls digest = CreateObject("java",
> >"java.security.MessageDigest") but haven't gotten it to work with
> >converting the component to something the digest will take. Any
> >suggestions as to what I could do?
> >
> >Jason Cronk
> >[EMAIL PROTECTED]
> >
> >----------------------------------------------------------
> >You are subscribed to cfcdev. To unsubscribe, send an email to
> >[email protected] with the words 'unsubscribe cfcdev' as the subject of
> >the email.
> >
> >CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
> >(www.cfxhosting.com).
> >
> >CFCDev is supported by New Atlanta, makers of BlueDragon
> >http://www.newatlanta.com/products/bluedragon/index.cfm
> >
> >An archive of the CFCDev list is available at
> >www.mail-archive.com/[email protected]
>
> --
> Haikal Saadh, Applications Programmer
> Teaching and Learning Support Services
>
> K405, Queensland University of Technology, Kelvin Grove Campus
>
> [EMAIL PROTECTED], 3864 8633
> CRICOS No. 00213J
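The "hash the file on disk against a known-good baseline" approach that Anthony and Haikal describe, written out as an added example that is not from the thread or from Tripwire. It is in Python rather than CFML, since the point is the baseline/verify/approve cycle rather than the CF API; the directory layout, file names and file contents below are constructed for the demo, and it only tracks `.cfc`/`.cfm` files, which is an assumption.

```python
# Added example (not from the CFCDev thread): a minimal Tripwire-style
# integrity check. Assumes the CFC sources live under one document root;
# the file names and contents used in demo() are constructed.
import hashlib
import json
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = (".cfc", ".cfm")  # assumption: only these are tracked


def sha256_file(path: Path) -> str:
    """Hash a file's on-disk bytes in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every source file under root: relative path -> SHA-256.
    Only run this when the tree is in a known, trusted state."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report each drift class."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def approve_change(root: Path, baseline: dict, rel_path: str) -> dict:
    """After an authorized deploy, re-baseline just that one file."""
    updated = dict(baseline)
    updated[rel_path] = sha256_file(root / rel_path)
    return updated


def save_baseline(baseline: dict, path: Path) -> None:
    # Stable, human-readable form; store it on read-only media in practice.
    path.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Run the whole cycle on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "objects").mkdir(parents=True)
        security = root / "objects" / "security.cfc"
        security.write_text('<cfcomponent><cffunction name="authenticateUser">'
                            '<cfreturn false></cffunction></cfcomponent>')
        (root / "index.cfm").write_text("<cfoutput>hello</cfoutput>")
        (root / "README.txt").write_text("not a source file, so not tracked")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)
        clean = verify(root, baseline)

        # Simulate an unauthorized edit (authentication now always succeeds)
        # plus a stray component dropped into the tree.
        security.write_text('<cfcomponent><cffunction name="authenticateUser">'
                            '<cfreturn true></cffunction></cfcomponent>')
        (root / "objects" / "extra.cfc").write_text("<cfcomponent/>")
        tampered = verify(root, baseline)

        # An approved redeploy of security.cfc clears that alert, not the stray file.
        approved = verify(root, approve_change(root, baseline, "objects/security.cfc"))
        return {"clean": clean, "tampered": tampered, "approved": approved}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two of the thread's caveats apply directly: the baseline is only as good as the state it was taken in, and both the baseline file and the checker itself must be somewhere a file-modifying attacker cannot reach (Haikal's read-only media), otherwise the hashes are simply rewritten along with the code. Like Tripwire, this sees only what is on disk; a component already loaded into `server` scope is not covered.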
