Application security and Code review

Application security and Code review

Postby Rick Lipkin » Wed Oct 11, 2017 2:21 pm

To All

I have done business with a Health Agency for about 15 years who uses my Vehicle Fleet Management application. About 3 years ago I was informed my old ( original ) dbf\cdx application was a security risk. Ok, I can understand that .. the application was on a network share and anyone with Excel could open any .dbf.

I took out a small contract to migrate the dbf\cdx to their on campus secure Sql Server using ADO .. and that seemed to satisfy the Network admin and the IT folks for a few years up until last week.

Since this is a large Agency they use Microsoft networking with Active Directory, As a VERY nice enhancement to the application, I incorporated some LDAP code to open a connection to Active Directory .. query AD for ( only ) First name, Last Name, and Userid to populate xBrowse as a look up table to add employees to a Drivers table.

I informed the Sql DBA that I needed two new fields added and I would be using those new fields to incorporate the new LDAP enhancement and this was his responce:

Image

Image

My response to the Network Admin was "bring it on" ... unfortunately, the Fleet Manager did not want to stir up the pot and his manager probably would not pay for the testing and the fleet manager asked me to not push the issue.

I informed the Network admin that I would take the ldap code out .. which I have done. The Network admin is still on the hook to add a new field unrelated to this issue . and has been un-responsive to this date.

I did call the network admin and he also mentioned that they may add a 'penetration' test to the review of my software as well.

My software sits inside an MPLS Firewalled network .. has no access to the outside world .. I am connecting to sql Server via ADO using the Sql Server DNS name and the secure Sql userid and password.

I also use Aspack to compress my executable and when the .exe is viewed under a hex editor .. there is absolutely nothing readable ANYWHERE in the hex .. usually if you look at an un-compressed .exe with a hex editor .. you can see code extracts embeded in various parts of the Hex... however Aspack totally removes any readable text:

Image

Here is a snipit of the LDAP code which I shared with the network admin :
Code: Select all  Expand view  RUN

Domain  := "LDAP://"+alltrim(cDomain)
cConnect := "Active Directory Provider"

oCn := CREATEOBJECT( "ADODB.Connection" )
oCn:Provider := 'ADsDSOObject'

TRY
   oCn:Open( cConnect )
CATCH oErr
   Saying := "Could not open a Global Connection to Domain "+cDomain
   MsgInfo( Saying )
   RETURN(.F.)
END TRY

*msginfo( "Connection Established" )

oRs := TOleAuto():new("ADODB.Command")
oRs:ActiveConnection := oCn

// add middlename

cSQL := "SELECT "
cSql += " telephoneNumber,"
cSql += " displayName,"          // fullname
cSql += " sAMAccountname,"       // userid
cSql += " sn,"                   // last name  sn
cSql += " givenname"             // first name
cSql += ""
cSql += " FROM '"+cDomain+"'"
cSql += " WHERE objectCategory   = 'person' AND"
cSql += "       objectClass      = 'user'   "

DO Case
Case cAdFind = "Bogus"
     // do nothing .. full table scan
OtherWise
   cSql += " and displayname = '*"+alltrim(cAdFind)+"*' "
End DO

cSql += " ORDER BY displayName"

oRs:CommandText := cSql //cString + cWhere

oProp           := oRs:Properties( 'SearchScope' )
oProp:value     := ADS_SCOPE_SUBTREE

oProp           := oRs:Properties( 'Page size' )
oProp:value     := 2000

Try
  oRsAd := oRs:Execute()
Catch oErr
   Msginfo( "LDAP Query Execution Error")
   oCN:CLose()
   Return(.f.)
End Try

aData := {}
aHead := {}

// generate xBrowse headings
nFields := oRsAd:Fields:Count()

For nI := 0 TO nFields - 1
    Aadd( aHead, oRsAd:Fields(nI):name )
Next


nLen := oRsAd:RecordCount()

IF nLen > 0
   oRsAd:MoveFirst()

   Do WHILE .not. oRsAd:Eof()

      aReg := {}

      For nI := 1 TO Len(aHead)
         Aadd( aReg, oRsAd:Fields( aHead[nI] ):value )
      NEXT

      If empty( aReg[1]) .or. aReg[1] = " "
      Else
         Aadd( aData, aReg )
      ENdif

      oRsAd:MoveNext()

    Enddo

Else
   Msginfo( "No LDAP Data found" )
   oRsAd:CLose()
   oCN:CLose()
   Return(.f.)
Endif

LightGreyGrad()

If cMode = "R"
Else
   oButt1:Disable()
   oButt2:Disable()
Endif

lOk3   := .f.

DEFINE DIALOG oDlg RESOURCE "USERSLCT"  ;
       TITLE "User LDAP Look Up Table"  ;

   REDEFINE xBROWSE oLBX            ;
            ARRAY aData             ;
            HEADERS "FirstName",    ;
                    "LastName",     ;
                    "UserId",       ;
                    "FullName",     ;
                    "Phone"         ;
       COLSIZES 97,97,97,150        ;
       ID 111 of oDlg               ;
       AUTOSORT AUTOCOLS LINES CELL

   oLbx:lHScroll := .f. // turn off horiz scroll bar
   oLbx:lRecordSelector := .f.
   oLbx:nMarqueeStyle   := MARQSTYLE_HIGHLROW

   oLbx:bLDblClick := { |nRow,nCol | (lOk3 := .t.,oDlg:End()) }

   _BrowColor(oLbx)

   REDEFINE BTNBMP oBtn1 ID 113 of oDlg   ;
         RESOURCE "OK", "DOK", "DOK" ;
         PROMPT "&Ok" LEFT 2007;
         ACTION (lok3 := .t., oDlg:End() )

   REDEFINE BTNBMP oBtn2 ID 112 OF oDlg   ;
         RESOURCE "CANCEL", "DCANCEL", "DCANCEL" ;
         PROMPT "&Cancel" LEFT 2007;
         ACTION ( lOk3 := .f.,oDlg:End())

ACTIVATE DIALOG oDlg;
         ON INIT ( oDlg:Move(100,400)) ; //, oLbx:SetFocus() );
         VALID(!GETKEYSTATE( 27 ))
 


I have no idea how much more I can secure an application .. again, this is running within the clients MPLS network .. The application does not reach out to the internet .. so what is their to penetrate .. I am making a DNS connection to their secure Sql Server .. the ldap code opens a connection .. I query the elements I want .. send it to xBrowse .. and close the connection ??

I have no idea what a security review would find ? .. seems pretty locked down to me.

Rick Lipkin
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Application security and Code review

Postby James Bott » Fri Oct 13, 2017 11:41 pm

Rick,

Consider the possibility that it is a cover-your-a** move. Maybe they just want to cover themselves in case anything goes wrong, so they can blame it on you.

James
FWH 18.05/xHarbour 1.2.3/BCC7/Windows 10
User avatar
James Bott
 
Posts: 4840
Joined: Fri Nov 18, 2005 4:52 pm
Location: San Diego, California, USA

Re: Application security and Code review

Postby cnavarro » Sat Oct 14, 2017 12:00 am

James Bott wrote:Rick,

Consider the possibility that it is a cover-your-a** move. Maybe they just want to cover themselves in case anything goes wrong, so they can blame it on you.

James


++1
Cristobal Navarro
Hay dos tipos de personas: las que te hacen perder el tiempo y las que te hacen perder la noción del tiempo
El secreto de la felicidad no está en hacer lo que te gusta, sino en que te guste lo que haces
User avatar
cnavarro
 
Posts: 6549
Joined: Wed Feb 15, 2012 8:25 pm
Location: España

Re: Application security and Code review

Postby Rick Lipkin » Sat Oct 14, 2017 1:50 pm

James and Cristobol

What I think is happening is a genuine concern about any 3rd party software that touches or attaches to their active directory may be seen as a threat. All I am doing is adding value at my application to add new functionality to the software to be able to tap into a resource that already exists. I have used this LDAP module in other applications to get First Name, Last Name and Userid to populate a list box to make it easy to populate Employee information into a form .. such as a Driver who want to check out vehicles .. or Names to tag IT Inventory.

I just found it repulsive that due to adding value to my software ... that I would receive such 'threats' from IT staff. In my response to the IT person, I gave him the code and showed him exactly what I was doing .. and he understands, however the 'spouting' of IT policy to me seemed childish especially when I gave up my code to start a dialog that there is no intentional harm on my part to destroy or undermine his network Active Directory infrastructure.

Now, politically my software will be seen in their organization as a threat and an excuse to find another software solution more 'politically correct' to the my clients Supervisor. My client just asked me to lay low and I promised both my client and the IT manager that the future added value of LDAP will not be included in my next update build ... and at this point .. I really don't give a damn.

Rick Lipkin
Last edited by Rick Lipkin on Sat Oct 14, 2017 2:09 pm, edited 2 times in total.
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Application security and Code review

Postby cnavarro » Sat Oct 14, 2017 1:56 pm

Rick Lipkin wrote:James and Cristobol

Now, politically my software will be seen in their organization as a threat and an excuse to find another software solution more 'politically correct' to the my clients Supervisor.

Rick Lipkin


I think this is the real reason
And also that they have seen that their software is not so safe, if with a third-party tool (yours), you can access their information
The security problem is theirs, not yours
Cristobal Navarro
Hay dos tipos de personas: las que te hacen perder el tiempo y las que te hacen perder la noción del tiempo
El secreto de la felicidad no está en hacer lo que te gusta, sino en que te guste lo que haces
User avatar
cnavarro
 
Posts: 6549
Joined: Wed Feb 15, 2012 8:25 pm
Location: España

Re: Application security and Code review

Postby Rick Lipkin » Sat Oct 14, 2017 2:06 pm

Cristobol

I agree .. I have had a 15 year relationship with my Client and he is getting ready to retire .. his Supervisor is an xx$$@@@ and has recently put in a cloud based Dispatch system that costs 1000.00 a month per driver x 4 drivers = 4k per month equaling 48k per year in re-occurring costs knowing full well I have a better in-house integrated solution that resides on his local Sql Server .. so who owns his data in the cloud ? .. who would go out and purchase another 3rd party system when my very elegant solution works and stores its data on my clients own Sql Server ..

The logic escapes me!

Rick Lipkin
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Application security and Code review

Postby cnavarro » Sat Oct 14, 2017 2:09 pm

Rick

Let me explain, if they are concerned that this information can be accessed:
1) They must provide the means for such information not to be externally accessible. Just like your software can do it, another can do it too
2) Why is your software less secure than the one they use to validate that information?
Cristobal Navarro
Hay dos tipos de personas: las que te hacen perder el tiempo y las que te hacen perder la noción del tiempo
El secreto de la felicidad no está en hacer lo que te gusta, sino en que te guste lo que haces
User avatar
cnavarro
 
Posts: 6549
Joined: Wed Feb 15, 2012 8:25 pm
Location: España

Re: Application security and Code review

Postby cnavarro » Sat Oct 14, 2017 2:14 pm

I'm used to having system administrators blame third-party software, and they wash their hands, and forget their real job
Cristobal Navarro
Hay dos tipos de personas: las que te hacen perder el tiempo y las que te hacen perder la noción del tiempo
El secreto de la felicidad no está en hacer lo que te gusta, sino en que te guste lo que haces
User avatar
cnavarro
 
Posts: 6549
Joined: Wed Feb 15, 2012 8:25 pm
Location: España

Re: Application security and Code review

Postby Rick Lipkin » Sat Oct 14, 2017 2:21 pm

Cristobol

I don't know .. LDAP has been around for a long time and during my discussions with the IT person he does understand what I am doing ... however wants to bring in a Security Company to test my software for any possible penetration vulnerability or objectionable behavior .. as I mentioned in an earlier post . I told the IT person "Bring it On" .. however my client asked me to just take out the LDAP module because he did not want to have to submit the security review cost to his XX##@@@ Supervisor who probably wouldn't pay for it.

I guess it is time to move on to another Client.

Rick Lipkin
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Application security and Code review

Postby James Bott » Sat Oct 14, 2017 3:29 pm

Rick,

This seems to be all political.

I am not sure, but it sounds like you are saying that they have already decided to replace your software with a cloud based system?

If that is the case, then perhaps this supervisor is involved with the cloud company. Maybe he is getting a kickback, maybe his family works there, or maybe he has just done business with them before. Or, he already knows that software and he doesn't want to learn yours. It still sounds like he is looking for a reason to get rid of your software. Perhaps he perceives you to be a threat, as I expect you are way more experienced than he is.

I feel for you, as I have lost clients for similar reasons in the past. Politics is rampant everywhere, and logic has nothing to do with it.

Cristobol seems to know what I am talking about--from experience I expect.

James
FWH 18.05/xHarbour 1.2.3/BCC7/Windows 10
User avatar
James Bott
 
Posts: 4840
Joined: Fri Nov 18, 2005 4:52 pm
Location: San Diego, California, USA

Re: Application security and Code review

Postby Rick Lipkin » Sat Oct 14, 2017 3:48 pm

James

You are probably correct .. the part that stings the most ... my X State employer ( because they liked my software so much over 15 years ago ) agreed to give it to any other large State Agency for free and made the promise to support the product if I every left.... and I did leave several years ago, and they failed on their promise to continue support for my Vehicle Fleet Managers application.

Since that code is my intellectual property .. I decided to honor the original promise to continue the 'free' support for the last 10 years or so up thru today.... How about that for integrity?

If there is one lesson I have learned :

"There is no perceived VALUE for any Software or Service that is Free"

Rick Lipkin
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Application security and Code review

Postby James Bott » Sat Oct 14, 2017 5:06 pm

Rick,

"There is no perceived VALUE for any Software or Service that is Free"


You are right about that. Consider that a valuable lesson you learned.

Early on in my consulting career, I read a book about consulting in which he had a chapter on fees. He said, never charge too little, and never, ever, lower your rate when they request it or complain about how much you are charging. To do so makes them think you aren't worth it. I have stuck with this advise and never lost a client because of that. When I give them an estimate and they ask to lower my rate, I tell them no, I have more work than I can handle now at my current rate, why would I lower my rate? I can however reduce the scope of the project by cutting out features.

If they tell me they found another programmer that will do it for a lower rate, then I say, you get what you pay for. Just because they charge less per hour doesn't mean they can do as much in an hour. I have 30 plus years of code in my library, and I can plug in a lot of it to create your code. A younger programmer cannot do that. I also have 30 plus years of experience in solving business problems with software.

I could go on about this, but I expect you get my point.

James
FWH 18.05/xHarbour 1.2.3/BCC7/Windows 10
User avatar
James Bott
 
Posts: 4840
Joined: Fri Nov 18, 2005 4:52 pm
Location: San Diego, California, USA

Re: Application security and Code review

Postby TimStone » Sun Oct 15, 2017 11:33 pm

Rick,

Over the years I've seen, and learned, a lot about behaviors of "managers". I am amazed at how little research owners of companies will invest into these decisions. I've seen some get severely harmed when falling for sales pitches. A few examples:

1) A business running my software had a problem that I knew was hardware related. I explained this to the owner but a sales person convinced him otherwise. They bought a whole new system from a competitor, and the problem went away. Why ? Because the other company insisted on installing all new hardware also.
2) One business hired a new manager who insisted they needed to use a different software. ( Yeah, he got cash in his pocket for that one ). He hooked the owner on that, and several other promises. They were out of business less than a year later.
3) Often a "new employee" comes in, and convinces the owner to go in a different direction because they don't want to learn something new ( to them ).

The payoffs are rampant by companies trying to sell their products. The bottom line is your blood pressure does a whole lot better when you walk away from it.

Tim
Tim Stone
http://www.MasterLinkSoftware.com
http://www.autoshopwriter.com
timstone@masterlinksoftware.com
Using: FWH 23.10 with Harbour 3.2.0 / Microsoft Visual Studio Community 2022-24 32/64 bit
User avatar
TimStone
 
Posts: 2946
Joined: Fri Oct 07, 2005 1:45 pm
Location: Trabuco Canyon, CA USA

Re: Application security and Code review

Postby Carles » Mon Oct 16, 2017 9:05 am

Hi Rick!,

If your software has LDAP integration this is an added value. Maybe there are companies that want or do not want to activate it, but in any case it's a plus in security. I've been using LDAP connections for some time and I even put examples of how to do it here -> viewtopic.php?f=3&t=26995&p=149999&hilit=ldap#p149999

This really sounds like an excuse for them to justify their inversion in the cloud.

I hope I was wrong... :(
Salutacions, saludos, regards

"...programar es fácil, hacer programas es difícil..."

UT Page -> https://carles9000.github.io/
Forum UT -> https://discord.gg/bq8a9yGMWh
Skype -> https://join.skype.com/cnzQg3Kr1dnk
User avatar
Carles
 
Posts: 1139
Joined: Fri Feb 10, 2006 2:34 pm
Location: Barcelona

Re: Application security and Code review

Postby Rick Lipkin » Mon Oct 16, 2017 1:09 pm

Carles

The Garage staff have been using my software for over 10 years and about 2 years ago I took out a 5k contract to migrate their app to a secure Sql Server and I went thru the program and added nice visual elements like gradients to include all data entry screens and included incremental searches\filters and the staff enjoy the program.

I am just going to let things take their course and let the politics play out .. As I mentioned above .. "There is no perceived VALUE for any Software or Service that is Free" .. during the migration I should have changed the licensing to SaaS ( software as a Service ) and engage them in a re-occurring contract where they have ownership .. by continuing to give them free updates to continue my former State Agency's gift... all I have done is put myself out of business with that Customer.

Rick Lipkin
User avatar
Rick Lipkin
 
Posts: 2666
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Next

Return to FiveWin for Harbour/xHarbour

Who is online

Users browsing this forum: No registered users and 44 guests