We will cover in this lecture
A first look at issues related to:
Security
Maintenance
Scalability
Simple Three Tier Architecture
Module Road Map
Assignment 1 Road Map / Claims for Credit
Internet Software
Not web sites!
We experience the web as users; there is much more behind the scenes, and that is what we are interested in.
Some things we are interested in:
Security
Maintenance
Scalability
The DVD Swap Shop
Used in the first year to teach programming
Written in VB.NET
Uses some of the concepts we teach in this module
However, it suffers from much poor design
Available for download from the module web site / Blackboard
We shall look at a quick demo of what the program does
Security Issues
The standard login for the program is:
User name: [email protected]
Password: password123
What happens if we use the following?
User name: hi' or '1'='1
Password: hi' or '1'='1
SQL Injection Attacks
SQL is a language designed for querying databases. It stands for Structured Query Language.
Most commonly abbreviated to SQL or pronounced "Sequel" (as in Sequel Server).
We are going to use SQL later in this module, and you will be learning it in a parallel module, so it won't do any harm to show you a little SQL now.
The Offending SQL
"select * from Users where EMail = '" & EMail & "' and UserPassword = '" & Password & "'"
With the following account: [email protected] / password123
This concatenates to:
select * from Users where EMail = '[email protected]' and UserPassword = 'password123'
The Injection Attack
"select * from Users where EMail = '" & EMail & "' and UserPassword = '" & Password & "'"
With the following "account": hi' or '1'='1
This concatenates to:
select * from Users where EMail = 'hi' or '1'='1' and UserPassword = 'hi' or '1'='1'
How it Works
The single speech mark has terminated the string early.
Since 1 always equals 1, the query returns all of the records.
There are more than zero records, so it logs the user in as the first account.
The first user on any system is often the administrator.
This is not a lesson on SQL injection attacks, but it does serve to illustrate the vulnerabilities of poor architecture.
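The slides show the concatenated VB.NET query and the string it turns into; the following is an added example (not code from the DVD Swap Shop or the lecture) that reproduces that login check in Python against an in-memory SQLite table standing in for the Access database, then puts the parameterised version beside it. The table rows and the e-mail addresses are constructed sample data; the payload is the one on the slide.

```python
import sqlite3

# Constructed sample data (not from the slides). The first row plays the part of
# the administrator account the lecture says is often created first.
SAMPLE_USERS = [
    ("admin@example.invalid", "admin-secret"),
    ("alice@example.invalid", "password123"),
    ("bob@example.invalid", "letmein"),
]


def make_db():
    """Build an in-memory table shaped like the DVD Swap Shop's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (EMail TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_concatenated_sql(email, password):
    """Exactly what the VB.NET code does: glue user input into the query text."""
    return ("select * from Users where EMail = '" + email
            + "' and UserPassword = '" + password + "'")


def login_concatenated(conn, email, password):
    """The offending approach. Returns the e-mail of the first matching row,
    or None when no row matches; the caller treats a row as a successful login."""
    rows = conn.execute(build_concatenated_sql(email, password)).fetchall()
    return rows[0][0] if rows else None


def login_parameterised(conn, email, password):
    """The fix: the driver binds the values separately from the SQL text, so a
    quote inside the input is just a character in the data, never SQL syntax."""
    sql = "select * from Users where EMail = ? and UserPassword = ?"
    rows = conn.execute(sql, (email, password)).fetchall()
    return rows[0][0] if rows else None


def demo():
    """Run a genuine login and the slide's payload through both versions."""
    conn = make_db()
    payload = "hi' or '1'='1"  # the input shown on the slide, in both fields
    return {
        "sql_seen_by_database": build_concatenated_sql(payload, payload),
        "genuine_concat": login_concatenated(conn, "alice@example.invalid", "password123"),
        "genuine_param": login_parameterised(conn, "alice@example.invalid", "password123"),
        # The OR clauses make every row match; the first row (the admin) is returned.
        "payload_concat": login_concatenated(conn, payload, payload),
        # The whole payload is compared as one literal e-mail address; nothing matches.
        "payload_param": login_parameterised(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block prints the concatenated query the slide shows, then the two outcomes: the concatenated version logs the payload in as the first account, while the parameterised version returns no match for it and still accepts the genuine credentials. The point of the example is that the fix is in how the query is built, not in filtering the input.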
Maintenance
DVD Swap Shop built on Access
Not the best choice for an internet application
Change to another database, e.g. SQL Server: DVD.MDB becomes DVD.MDF
The Problem
[Diagram: Web page 1, Web page 2, Web page 3 and Web page 4 each hold the Database Name directly; in the alternative design the pages go through a single Conduit Class, which alone talks to the Database]
100 page site with ten references to the database per page = 1000 changes to the code!
Scalability
How many of you have Facebook or Twitter on your phone?
How would we modify the DVD Swap Shop so there is a phone app that does the same?
Re-design the pages
However, what do we do about the functionality?
Compare the Following Pages
Other Issues to Think About
Dealing with International Markets
Dealing with Different Computer Platforms
Dealing with International Markets
Amazon Search
Dealing with Different Computer Platforms
Mobile Apps - Apple/Android/WinMo 7
Tablet computers e.g. iPad
Windows Computers
Linux machines
Servers running Apache / IIS
What is the technology that makes it possible to support such a range of platforms?
Simple Three Tier Architecture
[Diagram: Presentation (Interface) -> Middle Tier: Business Logic (Objects/Classes) -> Data Layer: Database]
Some Benefits
The interface has no knowledge of the structure of the database
Middle tier handles communication of data
Database may be switched with no impact on the interface
All functionality in the middle tier
This means we may bolt on many different interfaces
Multiple Interfaces, Single System
[Diagram: two Presentation (Interface) tiers, a Web browser and a Mobile phone app, both sit on one Middle Tier: Business Logic (Objects/Classes), which sits on one Data Layer: Database]
The big plus here is that if we change the functionality of the middle tier, any applications that are built on it instantly benefit.
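To make the conduit class and the three tiers concrete, here is an added example (not code from the DVD Swap Shop or the lecture) in Python. The data layer is behind one small contract so the database name lives in exactly one place and a second backend can be swapped in; the middle tier holds the business rules; two presentation layers, a web page and a phone-style screen, are built on the same middle tier. The class and function names, the Dvds table and the sample titles are all constructed for the example.

```python
import html
import sqlite3
from abc import ABC, abstractmethod


class DvdStore(ABC):
    """Data layer contract. The middle tier talks only to this, never to a database."""

    @abstractmethod
    def list_titles(self):
        """Return every DVD title held in the store."""

    @abstractmethod
    def add_title(self, title):
        """Persist one new title."""


class SqliteDvdStore(DvdStore):
    """The 'conduit class': the single place the database name lives, so moving
    from one database file to another is one change, not one per page."""

    DATABASE_NAME = ":memory:"  # constructed stand-in for DVD.MDB / DVD.MDF

    def __init__(self):
        self.conn = sqlite3.connect(self.DATABASE_NAME)
        self.conn.execute("CREATE TABLE Dvds (Title TEXT NOT NULL)")

    def list_titles(self):
        return [row[0] for row in self.conn.execute("SELECT Title FROM Dvds")]

    def add_title(self, title):
        # Parameterised: a title containing a quote is stored as data, not run as SQL.
        self.conn.execute("INSERT INTO Dvds (Title) VALUES (?)", (title,))


class ListDvdStore(DvdStore):
    """A second backend. Nothing above the data layer changes when it is used."""

    def __init__(self):
        self.titles = []

    def list_titles(self):
        return list(self.titles)

    def add_title(self, title):
        self.titles.append(title)


class SwapShop:
    """Middle tier: every business rule lives here, not in any page or screen,
    so a rule changed once applies to the web site and the phone app alike."""

    def __init__(self, store):
        self.store = store

    def offer_dvd(self, title):
        title = title.strip()
        if not title:
            raise ValueError("a DVD needs a title")
        existing = {t.casefold() for t in self.store.list_titles()}
        if title.casefold() in existing:
            raise ValueError("that DVD is already in the shop")
        self.store.add_title(title)

    def catalogue(self):
        return sorted(self.store.list_titles(), key=str.casefold)


def render_web(shop):
    """Presentation tier 1: a web page. It knows nothing about the database,
    and escapes titles so a stored string cannot become page markup."""
    items = "".join(f"<li>{html.escape(title)}</li>" for title in shop.catalogue())
    return f"<ul>{items}</ul>"


def render_phone(shop):
    """Presentation tier 2: a phone app screen built on the same middle tier."""
    return "\n".join(f"* {title}" for title in shop.catalogue())


def demo(store):
    """Drive both interfaces against whichever data layer is passed in."""
    shop = SwapShop(store)
    for title in ("Alien", "Blade Runner", "  alien  "):  # constructed sample input
        try:
            shop.offer_dvd(title)
        except ValueError:
            pass  # the duplicate is rejected by the middle tier, for every interface
    return render_web(shop), render_phone(shop)


if __name__ == "__main__":
    for store in (SqliteDvdStore(), ListDvdStore()):
        web, phone = demo(store)
        print(type(store).__name__, web, phone, sep="\n")
```

Running it with either store produces identical output from both interfaces, which is the slide's point: the database was switched and neither presentation layer noticed, and the duplicate-title rule written once in SwapShop protected the web page and the phone screen together.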
Life is Never that Simple!
Module Road Map
Assignment 1 Road Map
Claims for Credit
One interesting aspect of this module is that you have the facility of claiming credit for work that is not complete.
If I were you I would make a start ASAP on creating parts of the system and then claiming credit for them from your tutor.
This will help you in two ways:
1. You may start obtaining your module marks
2. You may get feedback on work even if it is half baked