Home page logo
/

basics logo Security Basics mailing list archives

Re: Security for grades stored online
From: Ramki B Ramakrishnan <bramkie () gmail com>
Date: Fri, 11 Dec 2009 21:43:17 +0530

This system is obviously a target for people wishing to change their
grades. While I intend on coding securely and keeping the servers
secure (no access from the internet and such) I (and the university)
would like security a guarantee that is similar to that of teachers
manually handing in grades.

No access from internet or the following the manual record system does
not give you any guarantees. I suggest you focus on a) secure coding
practices, b) test, re-test, & periodical tests for the app. c) refer
stuff like OWASP Top 10  and implement a HIDS like OSSEC

Even with all these you can be only relatively assured of security :-)
at times paranoia helps...

Ramki

On Fri, Dec 11, 2009 at 1:21 PM, Ramki B Ramakrishnan <bramkie () gmail com> wrote:
This system is obviously a target for people wishing to change their
grades. While I intend on coding securely and keeping the servers
secure (no access from the internet and such) I (and the university)
would like security a guarantee that is similar to that of teachers
manually handing in grades.

No access from internet or the following the manual record system does
not give you any guarantees. I suggest you focus on a) secure coding
practices, b) test, re-test, & periodical tests for the app. c) refer
stuff like OWASP Top 10  and implement a HIDS like OSSEC

Even with all these you can be only relatively assured of security :-)
at times paranoia helps...

Ramki

On Wed, Dec 9, 2009 at 9:57 PM, Eitan Adler <eitanadlerlist () gmail com> wrote:
I will be coding a system for a university in which teachers will be
able to enter grades into a web based form. The grades will then be
stored in a database and used by the university to supply the final
transcript.
This system is obviously a target for people wishing to change their
grades. While I intend on coding securely and keeping the servers
secure (no access from the internet and such) I (and the university)
would like security a guarantee that is similar to that of teachers
manually handing in grades. My thought was to create a hash of the
names & grades which the teacher could print out and hand in to the
main office. This hash (one per class) could be verified against the
hash that is generated when the grades are viewed by the
administration. This reduces the amount of work required to verify
that the grades have not been changed and (I think) without reducing
the security of the grades.

Is this true? Can you find any flaws or implementation "gotchas" that
I should be aware of?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





--
Ramki B Ramakrishnan




-- 
Ramki B Ramakrishnan

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault