Viewing a web page on a web browser has revolutionized the way information is shared, and is one of the most successful examples of the benefits of sustained investment and the commitment to research. Unfortunately, the power of the web is also its greatest downfall. The liberty of publishing your content, with hardly any prerequisites, makes people vulnerable to the designs of certain extremely gifted individuals trying to phish confidential information out of your interactions with the system.

There is a case for users to be more careful while sharing sensitive information on the web. But, the responsibility of protecting its users lies solely with the entity (individual or organization) that publishes the application on the web. With organizational reputations on the line, companies have invested millions into building applications that are safe for users and themselves. The stakes are high!

As a web application developer it is extremely important to make sure that your application is not susceptible to any known or unknown threats posed by systems or humans. In this series of articles, we will analyze some of the common vulnerabilities infecting the world of web applications and application code. We will try to enforce the fact that web application security is much more than just using SSL. SSL can only protect the confidentiality and integrity of data moving back and forth between the client and the server. It does not protect against attacks that are targeted directly at either server or client – and that is where we will focus our attention.

We will kick off our series with a basic but crucial problem – Injection.

Injection

In simple terms, an injection flaw is something that allows an attacker to insert and execute malicious or unintended code within your application. Depending on the system different types of injections may be performed. The two common flaws are at SQL or OS (operating system) level.

Here is an example. Assume we have a customer table with an ID column for storing the details of the customer. The HTTP request for this page looks something like this:

http://<yourcompany>/<yourapp>/getDetails?customer=1111

In the workflow, our code for fetching the details of the customer looks something like this:

String customerId = request.getParameter(“customer”);

String query = “select name, other_details_from_customer_table from customer where ID = ‘“ + customerId + “’”;

This is followed by the code to execute the query, fetch and return the data back to the browser. Once the attacker has access to the request URL of the page, it will be pretty easy for him to modify the parameters and resend the request back to the server. Assume the request is modified to look something like this:

http://<yourcompany>/<yourapp>/getDetails?customer=’ or ‘1’=’ 1

This changes the meaning of the entire workflow and returns the data for all of our customers!

In the worst cases of SQL injection, the attacker can execute a stored procedure that can do a lot more damage than the query stated above. At the OS level, it may even turn out to be the execution of a system command on the server.

Since SQL injection is performed at the database level, attackers may tamper with critical data and in some cases, may even destroy it. If the developer is not careful in the application design, the attacker may even end up executing administrator commands on the database.

Let’s look at an example of OS injection. Assume this is the (Java) code for our application:

//required imports…

public class HelloWorld{

          public string foo(String accountNumber){

                                  try {                                                              

                                                          Runtime rt = Runtime.getRuntime();

                                                          rt.exec(“/u001/some_dir/runscan.sh ” + accountNumber);

                                  }catch(Exception e){

                                                          //all error handling here

                                  }

          }

}

The snippet of code above receives data from a feeder which does not validate the input accountNumber. The method foo accepts the inputs and executes a shell script on the command line with the input as an argument. So far, so good. Of course the developer didn’t anticipate that the input can be fed in with a lot more. Let us assume the method is invoked with the argument “acct1 & ps –aef”. The script (runscan.sh) will get executed with acct1. But because of the & in the input, a second command is appended. Thus, the system ends up executing the process status as well. A similar effect may also be achieved by using an input with a semi-colon. For example: “acct1 ; netstat –anp”.

Now, the good news. All this can be avoided without investing much time and effort. Here are some best practices for protecting against code injection attacks:

Any injection flaw is an indication of bad/incorrect data validation. This data could have arrived through a trusted or an untrusted source. Maybe your application was only meant for real world users, but nothing stops someone from writing a script (or creating a requestor client outside your application) that generates unanticipated scenarios. So, it is extremely important to not restrict yourself by the expected behaviour, usage or even the targeted audience. The workflow illustrated in the application UI is not the only usecase your application will be exposed to.

It is highly recommended that untrusted or unvalidated data not be allowed to percolate down to the DB access layer or to the system layer through your application. Many developers make an incorrect assumption that validating text fields is the only thing needed. The validation list, if one has to create it, is much more exhaustive. Cookies, header data, and post data fields are some of the most common vulnerable entities that hardly ever get the developer’s attention.

On the database level, using bind variables helps us in queries. Another recommended approach is the use of stored procedures. This forces the developer to define the SQL code first and then pass in the parameters. This reduces the possibility of generating queries on the fly like the one in the example above.

Another very good defence mechanism is escaping all user-specified inputs. Some of the Oracle database techniques used for this are discussed in detail on this orafaq page.

It is expected that the database setting will use SET DEFINE OFF or SET SCAN OFF. Creating a specific database user, which does not own any DB object, for the application is a good defence mechanism. This guards the allocation of only required grants to this user.

Last but not the least; a proper code review is the final step towards avoiding injection attacks against your application. A fresh set of eyes can catch vulnerable scenarios or lines of code, which you may think are safe or may have overlooked.

We will close at this point. I will be back with the next episode of this series. Until then, take another look at your code. Is your application secure? Will you bet your paycheck on it? Looking forward to hearing about your experiences of injection attacks and your defences against them.

This year, the security of confidential information on mobile devices is a top concern for companies across the world. Executives are being urged to finalize mobile security strategies while IT departments are in the drivers seat for implementation. Screw-ups will assuredly have a lasting backlash on the parties that fail to prepare. To add to the stress, data growth is running rampant and the release of lost and stolen information has become more damaging with each new headline. The margin for error is thin indeed.

If your company has made major systematic changes, taken a closer look at its processes, or made changes to how it uses technology, you shouldn’t be surprised. These are all reactionary moves in face of a quickly changing landscape. For many companies, addressing the growing number of mobile workers has been the biggest struggle.

Every day, new devices equipped with new technology and sensitive data are connecting to the corporate network, spelling out potential for disaster for many CIOs. Who could blame them for being paranoid? The security of data is too important to ignore.

Take for example the results of a poll conducted by the Dimensional Research for Check Point Software Technologies. 71% of IT professionals believe an uptick in security events experienced by their company during the past two years can be attributed to increased mobile device use. On that point, 78% said they’ve seen such use of smartphones and tablets double in that time.

At first glance, it seems as if there’s a connection between the security incidents and the increased use of devices, or the iPads, iPhones, and Androids being brought to work by employees. Cloud computing, “hacktivism”, and mobility have brought a lot of change to the world of enterprise IT in recent years; the more reliant companies become on these new technologies and ideas, risk will continue to increase.

What we are unsure of, however, is the mobility environment of each IT professional polled, and what tools they were using at work. Without knowing, how can we attribute the rise in data breaches to smartphones and tablets? A mobile device management (MDM) solution allows proper implementation of a given mobile security strategy while giving the director the means to oversee their device inventory. In other words, it provides peace of mind in place of frustration.

What is your company doing to manage the mobile devices connecting to the corporate network? If devices are being kept at home as a preventative measure, you could be missing out on potential for increased productivity and a practical means for doing work. Share your story with us in the comments below.

Smartphone banking is today’s smart way of managing money on the go. We’ve all come to appreciate it for the simplicity and convenience it offers us. While the perks are great (quick access to funds, account balance summaries anytime, anywhere) safety and privacy have remained prime concerns.

For this reason, I’ve come up with a checklist of best practices to keep in mind while enjoying the smartphone banking experience:

1. Download your relevant banking application on the mobile device. Ensure that your banking app receives its software updates to avoid any exploitation of the software loopholes by hackers. Also, it is recommended that you use any tools or Internet browsers recommended by your bank. This way you may be certain that account information and any financial transactions are relayed in a secured and encrypted manner.
2. Refrain from using public wireless networks to avoid any hackers sniffing into your mobile device and stealing your important and confidential financial information. It’s a good idea to connect to your smartphone banking application over a secured or private wireless network.
3. Be cautious when accessing your account. Banking applications typically prompt the smartphone user for a login password each time they log in to keep a check on any fraud activity. If you find any unusual behavior while accessing your account details, report it to your bank for further investigation.
4. Cover your tracks! Some banking applications store sensitive and confidential data in clear text. After every mobile transaction, you must check for any data traces left behind on the phone.
5. Always lock your phone when not using it to prevent unauthorized user access. Check your phone settings and enable the auto-lock feature if you have a tendency to keep your phone unlocked.
6. Ensure that your mobile device has remote wipe installed or enabled. This security feature is a must; the foremost feature every smartphone user must set up lest the device falls into the wrong hands. Also, notify your financial institution about your lost device so that no texts or emails containing your account details or other financial matters will be sent to your mobile device.
7. Refrain from sending or sharing any financial data over text messages. It is an easy way of exposing critical information to hackers or cyber criminals. Also, delete or ignore any messages or emails received from unknown senders asking for your account details.
8. Use strong and complex passwords for your mobile banking account. It is a good practice to have passwords that are eight or more characters, using numbers, symbols, letters and punctuation instead of ‘1234’ or passwords based on your birthday or anniversary.

Do you have any recommendations for safe banking on smartphones? Please share your suggestions and comments below. If you’re a financial institution looking to keep your device inventory secure, see how an MDM solution can help.

This brings up a lot of issues for any industry where privacy and security is important. You want to make sure you know exactly where account information is and who has access to it. For banks and credit unions, the penalties for lost data can be severe.

You’ll need policies that give data access to those who truly need it. Policies that require passcodes, encryption, and more. Did you know that early versions of some platforms have very few security features? Policies, if enforced correctly, can be used to keep devices on later versions of the software.

Alerts are helpful, too. Would your IT department like to know when a device is jailbroken or rooted? How about when a user exceeds the threshold on their monthly data plan? Mobile Device Management (MDM) can do all this and more.

A good MDM solution lets you:

• Enforce passcode type, complexity, length and how often they have to be changed
• Specify if users can set their devices to show the text of the passcodes when they enter them
• Specify if the data on the device must be encrypted (when supported by the manufacturer)
• Turn off device features like the camera, Bluetooth, and tethering
• Blacklist, approve or require certain apps
• Specify enforcement actions that will be taken automatically if the device is out of compliance
• Securely push apps to devices
• Securely push documents to devices and prevent them from being forwarded, if necessary
• Perform actions on the device, including:
  • Remote wipe
  • Remote lock
  • Block
  • Locate
  • Reset passcode

For Financial institutions, it’s not enough to say that your devices are secure. You have to be able to prove it if you need to. If a device with financial information is lost, you’ll need to be able to prove that the device was encrypted, or that it was wiped after the loss was reported.

You’ll need to be able to see:

• All the software and apps installed
• If the device is fully encrypted
• The history of the device, including if it has been wiped
• The total roaming mobile data usage for the last six months
• Whether devices are owned by your institution or by the user
• If the device is jailbroken or routed (a potential source of malware)

The bring-your-own-device (BYOD) trend has picked up a lot of steam in recent months and doesn’t look to be slowing down any time soon. Technological advances, a growing number of mobile workers, and gadget affordability have all played a role in the takeoff process. In some ways this trend presents cause for concern; an increasing number of employees are sitting in their company’s drivers seat and calling the shots in ways they shouldn’t be. The device-types supported in a given corporate environment are no longer stemming from the will of the IT director. In many cases the line is being drawn by the employees who are bringing their personal-owned devices to the office.

InfoWorld expert Galan Gruman has made note of common problem areas and provided a few tips for how your organization can derive benefit and forget the troubles:

Gruman insists we can’t be naive. From his vantage point, companies have one thing in mind when making the transition to BYOD: money. Increased productivity and satisfaction born of BYOD programs are an added benefit, and that’s all. “Their goals are naive, so what should be viewed as a positive outcome isn’t. The problem is not that BYOD itself is negative, it’s that many companies do it for the wrong reason and don’t get what they wanted.” To remedy the problem, companies must define clear, concise, attainable goals that cover all aspects of mobility.

Gruman’s second point involves the cost of supporting your mobile workforce. The costs of BYOD can add up when mobile expenses aren’t managed properly. For this reason, Gruman rejects expensing bills in favor of flat rates. Why? No company could ever rid itself of its mobility costs; the company can always expect to receive requests for compensation of some kind. When this happens, Gruman advises not to allow your employees to fill out expense reports. These will add up from processing fees alone. Instead, companies should add a flat rate or a mobility stipend onto their employees’ paychecks each month. That way, they get the money required to pay their wireless bills and the company meets its goal of saving on mobility costs.

How do you BYOD at your company? If you aren’t factoring in any of Gruman’s advice, why not? Take some time now to think why you are managing your devices the way you are, and decide whether its the best option going forward. If you aren’t sure, maybe your workforce is. Perhaps consider sending out a survey to determine what your employees would prefer. After you have your strategy set, make sure you implement it in the most cost effective way you can to attain maximum benefit.

First smartphones, then tablets…now ultrabooks. The mobile computing space has never been as dynamic and exciting as it is now. Over the course of recent years, mobile computing has improved in such a way that it has almost become a lifestyle.

Ultrabooks are nothing new, and by no means an innovation in mobile computing. They have always been around. Thanks to Apple‘s MacBook Air, the trend has gained considerable momentum. PC manufacturers have always wanted to give slim and high performance devices to the consumer, but Apple laid the foundation.

So what are these ultrabooks?

Ultrabooks can be defined in a few simple words: portable, slim stylish, and fast, with responsive computing interfaces. Like the MacBook Air, the ultrabooks are also powered by Intel low core voltage processors for efficient power consumption and long battery life. However, the two factors that distinguish the MacBook Air from ultrabooks are:

1. Displays. Ultrabooks have a resolution of 1366 x 768 whereas the MacBook Air 13 has a resolution of 1440 x 900.
2. The Ultrabook Intel Core Processors are embedded with security and anti-theft protection technology. Mid-2012, Intel has plans to introduce the Ivy Bridge processors for powering ultrabooks. Not only will the Ivy Bridge processors ramp up performance, responsiveness, and visual display of the ultrabook, but it will upgrade the mobile computing security component. Intel plans to embed McAfee in its core processors for increased malware protection.

Different ultrabook vendors have their own unique selling propositions to market their products. For example, Lenovo’s IdeaPad Yoga can be twisted to behave like a tablet; Dell’s XPS13 is 128GB solid-state drive and has a backlit keyboard; and Acer claims to have built the world’s thinnest ultrabook. In spite of different flavors of ultrabooks available to suit one’s needs, some of the factors that may hinder ultrabook adoption are:

1. High prices. Ultrabooks are priced between 800 dollars and 1300 dollars. If the ultrabook manufacturers can keep a benchmark of 600-700 dollars, it will influence the number of consumers adopting ultrabooks.
2. Support for Windows 8 in workplaces: The 2012 ultrabooks are powered by the Microsoft Windows 8 operating system. Has your IT started or is considering supporting Windows 8?
3. If you like a heavy dose of CDs, DVDs and flash drives, ultrabooks aren’t for you. Ultrabooks, by definition, do not have any built-in hard drives; are powered with solid state drives (SSDs) for better speed and responsiveness; and have low power consumption.
4. The ultrabooks have no outlet or port for LAN support but the mini display port allows you to connect to any type of PC display.

Many industry experts have deemed ultrabooks tablet contenders. But I believe the ultrabooks will eat away at desktops and notebooks. Reason being, tablets and ultrabooks serve different purpose for different user groups. For example, tablets are great reading and entertainment devices for travelers, while the ultrabooks are an ideal pick for students or professors who are always on the move and are looking for high performance boxes. However, I believe, ‘device price’ and technology innovation will play a pivotal role in defining the future of each of these devices.

As the ultrabook revolution picks up the pace, I am already watching the market for new additions to pick one for myself. Are you too ready to dump your netbook or desktop for an ultrabook? Or maybe you own one–if so, please share with us your experiences and any ultrabook vendor recommendations.

“One day, the tablet will reign supreme over the laptop and PC.”

We’ve all heard the argument before. It could be years down the road, but that’s not to say it won’t happen… and the tireless work of Android and iOS application developers certainly isn’t hurting the tablet’s case. Today, app upgrades and new releases come to us at such a rate that its a true challenge to keep your personal device up-to-date. As we base our decision to go Tablet on price, features, and size, a complete transition will depend greatly on the success of the apps that are released. More specifically, it will depend on how much more benefit they bring us in comparison to our computer programs.

So which of these apps will play the biggest role in this transition? The equivalents of computer programs we utilize regularly for business purposes. Microsoft Office, Microsoft PowerPoint, and Microsoft Excel being among the most popular.

Yesterday, the Wall Street Journal announced the release of a free iPad app by OnLive, Inc., which gives users full access to Microsoft Word, PowerPoint, and Excel. All you need to do is sign up for a free OnLive account and you get 2GB of free cloud space to store/access the spreadsheets, presentations, and Word documents that you created on your iPad. To access them on the computer, just log in to your OnLive account from their website. Sounds great, right? Not so fast. You won’t be able to open .ppt, .doc, or .xls files attached in emails, nor will you be able to edit and generate content quickly without a keyboard accessory. But these cons I’d classify as inconveniences aren’t what we need to worry about…

The worst part about this great app is having to surrender the security of sensitive/private information. Any organization looking to keep their documents in-house should be wary of the risks that come with loading a file to a location external to their network. Wouldn’t it be great if this app allowed users to keep their files local? Empowered by document management, today’s IT administrators can control the flow of attachments transferred across all mobile devices in their network by giving their employees a secure means to share. If this OnLive app enabled employees to work within these bounds, now that would make a more compelling case for switching from PC to tablet (and staying there).

What factors are playing in to your decision to stick with a computer versus a tablet (or vice-versa)? Do you agree that quality apps shaped from the influence of computer programs will ensure this transition comes to fruition? Are limitations–such as lack of security or control over your documents–holding you back?

Part of what made the iPhone 4S so great was timing. It was released right on cue with upgrades to iOS software and shortly before the passing of a legend in Steve Jobs (and unexpectedly so). One of many ways people chose to pay tribute to Jobs was by purchasing his last great device. Others wanted to take full advantage of the iOS 5 software…more specifically, Siri. The timing and its influence on consumers is what lead to a record-breaking 4 million sales 3 days after its release.

So the question is, how will Apple carry this momentum into 2012? What factors will weigh in on our decision to buy their iPhone 5?

It may not be what the phone brings the people that drives them to buy it. This time around it could be more simple; the phone will be brought to the people. Present day, there are only 3 carriers that offer the iPhone to customers. Combined, these networks contract with the majority of our country’s smartphone users, but that’s not to say the iPhone’s reach can’t and won’t expand. What if all 3G and LTE networks across the world could offer their customers an iPhone?

Katy Huberty of Morgan Stanley reports the iPhone 5 could arrive as early as Q3 2012, feature a slimmer design, and a “quad-mode chip from Qualcomm that would allow for 3G and LTE functionality across all ‘network flavors’”. If this holds true, Apple would have no problem picking up their success right where they left off when they introduced the 4S. Imagine how many people wanted to buy a 4S but couldn’t because their network didn’t offer it. Hubety added if Apple signs a deal with China Mobile–the world’s largest mobile phone operator–the inclusion of the chip in the iPhone 5 would be all the more likely. We will have to wait and see.

What do you think Apple will do to continue the success they had in Fall ’11? The phone will undoubtedly boast its share of new features, that we can always be sure of. But going back to my point about bringing the phone to the people, adding a few hundred million potential subscribers to the mix couldn’t hurt. It could be what really “does it” for them this time.

Software-as-a-Service (SaaS) eliminates the need to install applications on the customer hardware. SaaS applications are typically accessed from a web browser and a single instance of the application often serves all the customers. Since the same application instance needs to fulfill different needs for different customers and there may be no option of creating a custom build for each customer, customizability of SaaS applications becomes an important aspect for delivering personalized software to the users. Customizability enables easy integration of the SaaS application with the customers existing systems and also empowers partners and resellers to easily configure the solution according to their and their customer’s requirements.

In one of our last posts, we discussed some of the key architecture tenets of a SaaS application – multi-tenancy, customizability, scalability, and security. This post focuses on different customization techniques that we have used in MaaS360 to make it flexible and configurable to address our customers’ and partners’ needs.

1. Look and Feel of a UI: Look and feel is one of the most important types of customizations for a SaaS product. Why?

• Firstly, it provides an option to the customer or a partner to brand the software
• Secondly, by changing the font, colors, and images used in the system, one can make it look similar to the existing systems that the user is familiar with

So, how do you ensure that the look and feel of your application is customizable?

By using CSS (Cascading Style Sheets) for styling the web pages rather than hard-coding the styles within the HTML or JSP. 

Create a set of CSS files that define the default look and feel of your application. For customization, these CSS files can be overridden at a reseller or customer level to personalize elements like colors, fonts, backgrounds etc. The application should pick up the appropriate CSS file based on the user. Images displayed on your web pages can also be customized by storing different images in the file system or the database and picking the relevant image based on the user context.

Apart from the web pages, emails sent by the system to the user can also be customized for content, sender, subject, logos, links and signatures. We highly recommend creating email templates for emails that need to be configured per customer requirements.

So how does this work?

Most of the modern programming languages provide a library to format the date/time/number etc. based on a user’s locale. Make sure you are not hard-coding the display formats but format it based on the logged in user’s context and locale using the in-built functions.

Content localization can be achieved by using language resource bundles in your code. All the language specific content should be isolated from the web pages, so rather than hard-coding English strings in the web pages you should use constants that are replaced by the relevant text at runtime based on the user’s locale and language. If your application uses a database to display the content, the data model must be designed to store the content for each supported locale.

3. Role-based Access: It is critical for a SaaS application to provide different levels of access for different users. For example, in the MaaS360 portal, a Master Administrator can create, publish and assign policies to devices whereas a Help Desk Engineer can only assign policies. Similarly, a customer must be able to customize a user’s role by adding/removing access to certain workflows. It is also important that all portal actions are audited with the user and time information.

MaaS360 achieves this by adding support for role-based access in the application. A set of roles are defined for the application with each role having a set of permissions for different modules of the application. All the application modules check for the required permission before providing access to a workflow or functionality. A user can be assigned one or more roles. When a user logs in, he gets access to the workflows based on the roles assigned to him.

Customizability of a SaaS application can be a big pain if the above points are not well discussed and understood during the design and planning phase. By following these you can ensure that your application is ready for adoption by partners, resellers and customers.

Is your enterprise facing any specific issue while adopting customizability for your SaaS applications? Are there any points you would like to add? Looking forward to learning based on what you share from your experiences.

by John Harrington, Fiberlink

It’s been about a year since BlackBerry first rolled out the PlayBook, which is a while when considering RIM left its flagship tablet’s users without a native mail client that whole time. PlayBook users will be relieved to hear this is due to change when version 2.0 OS upgrades are released in February (Business Insider reports). Other upgrades to email will include the popular all-in-one inbox feature and rich text editing. Finally, it seems RIM has chosen to step up their tablet game to keep up with the competition.

So what does this mean for you? If you’ve been tethering to your BlackBerry device to access mail on your PlayBook, you’ll soon be able to cut cord and work solo on either device…and those who never had a BlackBerry in the first place will be able to get some real work done on the go.

RIM has taken the opportunity to address other shortcomings in this software update by making improvements to messaging and contact management. Once these features are enabled, the contacts on your PlayBook will be synchronized with corresponding account information on social networking sites such as LinkedIn, Twitter, and Facebook. So if one of your LinkedIn connections is attending our next webinar, you will know about just by viewing your calendar. Similarly, if your co-worker sends out an event invite for a Superbowl party to everyone at the office on Facebook, you will be able to see who RSVP’d (and coordinate on what to bring).

How do you feel about this upcoming software release? Will it put the PlayBook in better position to compete with up-and-comers in the tablet market? Or do you feel these moves will be insignificant in the long-run?