18 Aug 2016

Lock Down Your Production DB: Five SQL Security Tips

Locking down your production SQL database can be one of the more important things you do as a business to increase your security. Your database can hold valuable customer, company, or other high risk information. I recently attended a MySQL conference where Benjamin Wood, from Oracle, presented on database security. I’ll go over the five main security risks and how to prevent them.

1. Shared Service Accounts

Shared service accounts are commonly used with databases in development because members of development teams can easily remember the shared service account credentials. Shared service accounts also require very little oversight, but they are strongly discouraged in production, especially in a larger corporate environment. The biggest threats to your database due to shared service accounts are former employees. These employees may be less than happy with your company, and they could use a shared service account to log into your server. Once they’re in they may have the ability to drop your database, steal information, or give credentials away. If they can’t log in to the server from outside of the business, they can still contact somebody on the inside to perform actions on their behalf.

LDAP, Active Directory, and Kerberos are examples of authentication/authorization solutions that could eliminate shared service accounts. If an employee gets fired, these systems allow you to just remove their credentials from the directory and the problem is solved.

2. SQL Injection

A common and scary form of database hacking is with SQL injection. SQL injection allows a hacker to expose backend data through unexpected SQL. SQL injection leverages SQL commands on application forms in an unexpected way that exposes the backend database. Here’s an example of a form that asks for your email.

  • The query on the backend looks like this:
    ‘select user from usertable where email = ’
  • The hacker would input something like this:
    ‘email@email.com’ OR ‘x=x.’
  • The x=x was unexpected and the query now says:
    ‘select user from usertable where email = email@email.com’ or ‘x = x’
  • When the query executes it will return the entire user list because the query returns TRUE.

You can combat SQL injection by validating user input. The best kind of validation is known as “positive security,” a.k.a whitelist. Using positive security, you specify what can be entered into a field rather than just specifying what can’t be entered into that field. Email addresses follow a regex pattern: they can’t have the word OR, they can’t have an equal sign, and they have to be a string with no quotation marks. When you use positive security you can prevent most injection attacks.

Another way to combat SQL injection is to return quality error messages. When you have a descriptive error message when a hacker’s injection attack is disallowed they may be deterred and move on. For instance, if an email doesn’t pass validation your error should say, “invalid email format,” rather than “email not found.” Quality error messages will show the hacker that entries are being checked and validated.

3. Unsupervised Operations

Unsupervised operations is a threat that is very similar to that of shared service accounts. The threat is introduced when you have an employee who is upset with the company and have no way to monitor their access to important systems. This employee might be about to quit their job and in a fit of rage, they decide they’d like to trash the database.

Monitoring and alerting anomalous access and operations is really the only decent way to keep tabs on this type of malicious activity. If employees are aware that transactions they do on the database are being stored in a logging system, then they’ll be less likely to do anything malicious.

4. Compromised Root Privileges

If a hacker gains root privileges to your database server, your data will be vulnerable and they can do whatever they’d like with it. Root privileges are often compromised because of a phishing attack on an employee. If your database information is encrypted, and the key lives on the server, the hacker has access to the key as well and can easily read your data.

Transparent data encryption with a key held in a keystore, can dramatically help with this issue. Transparent data encryption (TDE) encrypts data as it goes over the wire in both directions, so the data “at rest” on the server is encrypted. Because the encryption keys are in a keystore, root access to the server doesn’t compromise security to your encrypted database.

5. Privileges and Passwords

A phishing attack can expose usernames and passwords to a database. Hopefully those exploited credentials don’t have root privileges. Also, a hacker could figure out a simple username/password combination such as “admin/password” quite easily.

A secure production database environment should have systems in place for password complexity, rolling updating passwords, and user privileges to the database. These methods can’t stop hackers from ever gaining access, but it can greatly deter them. When using these methods, hackers have to spend more time breaking in. Also, correct database privileges will prevent hackers from gaining access to everything at once from a single password hack. Provide developers with only the access they need to do their job. By allowing only necessary access it will make it extremely hard to for anybody attacking from the outside to gain root privileges to your data.

There are many solutions for each of these problems through third party software or internal solutions. I know that MySQL enterprise has built in tools for every single one of these if you choose to go that route. Of course, security is never guaranteed. If you take the proper precautions in a sensitive production environment, you can greatly reduce your risks.

Share this
15 Jul 2016

Why RealEyes Switched to TypeScript.

Within the past few months RealEyes has switched from using JavaScript as its main development language to TypeScript. We have successfully launched a large production application developed entirely using TypeScript and have found the change to be helpful and has increased productivity.

Why TypeScript?

Readability

The most attractive benefit to using TypeScript in my opinions is readability. The ability to create a more readable code base that explicitly states class declarations, and property types is something that was missing from JavaScript.

Take a simple namespace with a class definition developed in both JavaScript and TypeScript:

Screen Shot 2016-06-27 at 12.10.33 PM

JavaScript namespace and class declaration.

Screen Shot 2016-06-27 at 12.11.01 PM

TypeScript namespace and class declaration.

Notice how with TypeScript we are able to explicitly state our namespace and class, unlike JavaScript where that is inferred and only a seasoned developer would understand what is actually occurring. With TypeScript we are also explicitly able to provide variable types and return types within the code without having to spend time creating additional documentation with tables to define everything for other developers to use.

Code Hinting

With TypeScript your IDE or Text Editor can be setup in such a way to allow for easy hinting to display property types, return types, and comments. This increases productivity so that a fellow developer doesn’t have to find the documentation for the library or class that they are using or have to look at any source code to determine what is required and what the expected output is. When working within teams where many developers are working on multiple services this ability to quickly show each other all the types is invaluable.

Take the following screenshots:

Screen Shot 2016-06-27 at 11.19.09 AM

TypeScript: available class found within ‘test’ module

Screen Shot 2016-06-27 at 11.17.45 AM

Class definition hint

Screen Shot 2016-06-27 at 11.21.04 AM

Class constructor properties hint

Screen Shot 2016-06-27 at 11.22.32 AM

Available properties and methods on SomeClass

With TypeScript and a plugin with your favorite IDE or Text Editor such as WebStorm, VSCode, Sublime Text, Atom, etc; we can show available class or properties found within an external module, view class constructor properties and return types, and view class properties and methods. You can also add any documentation about the properties or methods by adding simple comments within the module.

This ability to show module classes and class properties and methods also extends outside of your teams code base. Using a popular npm module Typings you can download definition files for your favorite libraries such as JQuery and then have access to that libraries type definitions.

Screen Shot 2016-06-27 at 11.48.47 AM

Sample of available properties and methods on JQuery library

Valid JavaScript is Valid TypeScript

Since TypeScript is an encapsulation of JavaScript (ES7, ES6, and ES5) not only do we get to use the new methods provided with ES6 and ES7, all valid JavaScript is valid TypeScript. This means that even though we enforced strict typing and class structure within our development environments through linters (tslint) and the tsconfig; sometimes when a developer who is still learning TypeScript needed to quickly lay down some comfortable JS logic to solve a problem. It was still able to transpile and work without them being blocked by a learning curve. This then allowed the team to learn the TypeScript way at a more leisurely pace instead of being thrown into the deep end without a life vest.

Popularity

TypeScript has quickly become a popular language within the web development industry. With Angular 2‘s adoption of the language, many other developers and companies are quickly moving to TypeScript. Meaning that this language will be receiving a lot of support within the community, and more developers will be learning and practicing this language. Additionally with the familiar layout of other object oriented languages such as Java, or C#, it may start attracting more developers who found JavaScript unattractive and confusing.

Share this
15 Jul 2016

Unified Content Across Platforms, Are We There Yet?

tl;dr; For content that doesn’t require DRM, we’re there. If you need DRM there’s still some work ahead.
At WWDC 2016 Apple had some big news for the video streaming community. They announced two big changes that move us closer to a world where media files can truly be shared. Announcement one was that the HLS (HTTP Live Streaming) specification would be expanded to allow for use of fMP4 (fragmented MP4) media segments. The second announcement was that FairPlay would support fMP4 segments that are encrypted with CENC. Unfortunately as is often the case, the devil is in the details.
Let’s start with the good news. fMP4 support in HLS means that content libraries that do not require DRM can use a single set of content to serve most (if not all) clients. You will need an MPEG-DASH manifest and an HLS manifest, but the segments referenced by those manifests can be shared. This is huge! This has a major impact on the cache-ability of assets and on storage costs for media libraries. The open question here is what versions of iOS will support this new version of HLS? Will there be an update to old versions of iOS or will this be an iOS 10+ feature?
Now for the news that turned out to be a pretty big letdown. Apple announced “Sample encryption uses part of ISO/IEC 23001:7 2016” (that specification is for Common Encryption, a draft version can be obtained from mpeg). The next line in the slide says “MPEG standard—“Common Encryption”, this is looking great. However that was followed by “‘cbcs’ mode” which made it clear something fishy was going on. The language they used should also have made it clear something was up “uses part of” is not a good sign for implementing a standard.
To understand what is going on here we need to understand the CENC spec and the new HLS spec a bit better. The new versions of the CENC spec define 4 separate protection schemes for content. The 4 protection schemes defined in section 4.2 of that specification are ‘cenc’, ‘cbc1’, ‘cens’, and ‘cbcs’ (yes, one of the schemes has the same name as the overall spec). Of these 4 protection schemes only the first, cenc, is required for implementors to support. The other three are optional.
Now we need to better understand what was added to HLS. The new spec in section 4.3.2.4 says “fMP4 Media Segments are encrypted using the ‘cbcs’ scheme of Common Encryption”. They’ve added support for the optional ‘cbcs’ protection scheme, without adding support for CENC spec required ‘cenc’ protection scheme. This means that if you need to protect your content with DRM you cannot use the same fMP4 fragments for FairPlay as you use for PlayReady or WideVine.
Why would Apple choose to “use part of” the CENC spec and not implement the one required protection scheme? We don’t know all of the answers, but one key point that Roger Pantos drove home in one of his presentations “Content Protection for HTTP Live Streaming”[4] was that battery life is king. He even said “every choice we made was predicated on giving you good battery life”. So what does the ‘cbcs’ protection scheme have to do with good battery life?
Of the 4 protection schemes defined in CENC the first two (‘cenc’ and ‘cbc1’) are Full Sample Encryption. As the name implies these protection schemes encrypt the entirety of the protected segment. The two newer protection schemes (‘cens’ and ‘cbcs’) use Subsample Encryption. In subsample encryption only a portion of the protected segment is encrypted. The spec says “Each Subsample SHALL have an unprotected part followed by a protected part”, so about half of the segment ends up being encrypted. This means that there is less work that needs to be done on the client as only about half as much data needs to be decrypted. In addition the ‘cbcs’ protection scheme treats each subsample as an independent encrypted block, this means that subsamples can be decrypted in parallel allowing for faster decryption of streams.
The ‘cbcs’ protection scheme is a great approach allowing for faster and more efficient protection of content, however the lack of support for ‘cenc’ within FairPlay means that DRM protected content must still be fragmented. We’ve come much closer to an ecosystem where we can use a single set of content files to deliver high quality protected video content, but we’re not quite there yet.
Share this
15 Jul 2016

Automated Functional Testing with Intern

What is automated testing?

Automated testing is a way for developers to test their code without having to manually go through and review everything they have built. It allows for warnings to be thrown when specific parts of the code are broken, this helps developers quickly narrow down what is defective. Efficient automated tests can save hours of debugging and QA time. There are two types of automated testing: Unit testing and Functional testing. Unit testing takes in inputs and checks that the functions being tested return the expected output. Functional testing tests the interactions a human would have with a program. In this Blog Post we will be focusing on writing functional tests with an automated testing framework called Intern.

Why use intern…

When picking a framework to use for your automated testing you have a few different choices. You need to consider what you need from the framework and what type of application you are testing.

leadfootLogo

We chose to use Intern as our testing framework because of its flexibility and compatibility with web applications written with JavaScript. Intern is able to assist in running both unit and functional tests. chaiJSLogoIntern uses a few different tools within the framework. Leadfoot API is included to give the developer a selection of methods that can be utilized in order to mimic user interactions with different UI elements. Intern can use Selenium in order to automate browsers that are being tested and can also be leveraged to use cloud-based testing tools such as BrowserStack. Intern also uses assertion libraries to run specific tests on targeted elements. It is compatible with any assertion library, we are choosing to use Chai.js in our example.

The following is a simple example of how to use Intern

The following is a basic functional test that we are using to load the Intern.io website and check that the title text says “Intern.”

define([
'intern!object',
'intern/chai!assert',
'require'
], function (registerSuite, assert, require, registry) {
registerSuite({
name: 'intern',
'00-page-load': function () {
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)


return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)
.findByClassName('logo')
.getVisibleText()
.then(function (text) {
assert.strictEqual(text, 'Intern.', ' The visible page title should say “Intern.” ');
})
.end()
}
});
});

Lets break this down…

We are using define in order to load in the modules required to write our test with Intern then registering the suite.

define([
'intern!object',
'intern/chai!assert',
'require'
], function (registerSuite, assert, require, registry) {
registerSuite({

Name of our test suite, multiple tests can share this name
name: 'intern',

Our first test name, this needs to be unique
'00-page-load': function () {

This loads the page we will be testing (Intern’s homepage) then gives it 8 seconds to load before running the next method.
return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)

This loads the page we will be testing (Intern’s homepage) then gives it 8 seconds to load before running the next method.
return this.remote
.get(require.toUrl('https://theintern.github.io/'))
.sleep(8000)

The title of the Intern.io page is the text in the logo. We are looking for the logo class and checking to make sure this class is visible and displaying the correct text.

.findByClassName('logo')
.getVisibleText()
.then(function (text) {


Uses the Chai Assertion to make sure the visible page title says Intern.

assert.strictEqual(text, 'Intern.', ' The visible page title should say “Intern.” ');
})

Ends the most recent filtering operation. In this case it is .findByClassName(). If you do not include the end method your next filtering operation will fail.
.end()
}
});
});

Chrome Plugin

Intern has created a Chrome plugin to make testing even easier. The Intern Recorder plugin helps track user interactions in your browser and translates them to code in the Chrome console under a tab labeled ‘Intern’. The Intern recorder is useful for targeting UI elements and tracking user processes . One of the biggest issues we found in depending on the Intern Recorder is that it relies on Xpath methods from Leadfoot that are not currently supported by IE.

In conclusion

Automated functional testing is a great way to cut down on QA and debugging time. Find the framework that is the most compatible with the code you are writing. If you are working with web applications we suggest Intern. If you need more help setting up your first test here is a link to Intern’s getting started documentation .

Now have fun writing functional tests!

Links

Share this
15 Jul 2016

Angular CLI Preview

The Angular team has announced that Angular2 is in Release Candidate status, so it’s time to get started on learning the new framework and its structure. Angular2 is quite different from Angular1.x, and the familiar JavaScript has been replaced with the newer TypeScript. Transitioning from framework to framework can be difficult enough, but when you throw in a new language, growing pains are sure to set in. However, the good news is that the Angular team has a tool to help you skip some of those growing pains and speed up development for those already in the TypeScript camp. Give a hearty welcome to the Angular CLI!

The Angular CLI is a command line tool that is built not only to help you bootstrap your project, but also to handle the build files, linting configuration, testing setup, and other boilerplate that can consume your precious development time. The CLI can help you with the following tasks:

  • Generation of a base project
  • Generation of components, services, directives and more
  • Generation of unit testing and e2e testing stub files
  • Creation of a build script
  • Serving your project with live reloading of changes
  • Linting
  • Compilation of Less, Sass, Compass and Stylus files
  • Generation of routes using lazy loading
  • Creation of production builds
  • Getting your project on GitHub
  • Plenty more. See the details on the CLI’s GitHub page.

Currently the CLI is in beta, but it is certainly ready for use and pretty well documented. The installation is simple with npm:

npm install -g angular-cli

If you are on Windows, you will likely need to run your command line as Administrator for this to succeed. You may also need to run a separate global install of the typings npm package.

Once you have installed the CLI, all you have to do to generate a project is navigate to the directory you want to create your project in via the command line and enter:

ng new PROJECT_NAME

Then change into the directory the CLI just created and serve the project

cd PROJECT_NAME
ng serve

Angular CLI will compile your TypeScript, start up a web server, and possibly even open a browser tab to show your application. (Otherwise it will tell you the URL to launch) Super easy!

This generates a whole host of files for you, including the .ts file for your component, the HTML for the page and the components templates, and the CSS files for those as well. On top of everything needed to actually compile and run your project, it also has created the hooks for you to start creating tests for your application using Karma or Protractor.

If you want to use Less or Sass rather than straight up CSS, all you have to do is change the file extension of the CSS files the CLI generates for you to be .less or .sass and the ng serve command will cause those to be compiled into CSS.

The next step is to start creating some components to go in your application. Of course Angular CLI has you covered there too. Instead of having to spend time memorizing the format for a component file and debugging your typos, you can just use the CLI:

ng g component new-cmp

Or, this, if you’re not into that whole brevity thing:

ng generate component new-cmp

That again will generate all the boilerplate TypeScript, HTML, and CSS necessary to get your Angular2 component bootstrapped. It is up to you, however, to import your component in the right places where it will be used. The CLI isn’t that magic yet.

The CLI also can help you take advantage of the lazy loading by routes in Angular2. By default, when you generate a route in the CLI, it creates a route that will only load its required components when that route is activated. This saves you the upfront cost of loading components up front that a user may never visit. Of course, you may also want to load everything up front so route changes are quicker. You can of course toggle the default lazy loading off:

ng generate route my-route --lazy false

When you’re done with your coding and it’s time to build, not only can the Angular CLI handle your build process, but can even do some deploying. ng build will compile everything and move it into a dist directory. ng github-pages:deploy will create a repo for your project on GitHub and then deploy the build using GitHub pages. Granted you will have to make sure you have the tokens and ssh credentials set up for such a deployment, but the fact that Angular CLI can do all this out of the box is pretty amazing.

If you’re looking at Angular2 and wondering whether to put the effort into switching to the new framework, the Angular CLI will hopefully help you make up your mind by saving effort and keeping you from getting tripped up on typos or stuck scripting methods to serve up and compile your code. The Angular CLI is a powerful tool to help you get up and running on your way to Angular2.

Share this
16 Dec 2015

A First Look at Project Comet

2016 is just around the corner so we decided to do a bit of research to see what kind of exciting new changes in the world of UI/UX we had to look forward to in the new year. We found a lot of the usual New Years talk about upcoming design trends and predictions, but one thing in 2016 stood out from from the rest: Project Comet

read more
Share this
02 Oct 2015

Material with LESS

In this post we are going to create a dynamic style-sheet that can be altered to fit any web application project while keeping inline with Material standards. This project is a great way to familiarize yourself with Material design while creating a style-sheet that can be recycled over and over again to create unique looking designs by just changing a few lines of code.

read more
Share this
24 Sep 2015
16 Sep 2015
10 Sep 2015

Getting Your Feet Wet with Angular Animations

Imagine you get into a car start the engine, touch the acceleration and go from 0 to 60 in the blink of an eye. You then take the wheel to turn right and instead of a smooth turn the car takes an immediate 90 degree turn.

This is how interface design feels without smooth transitions. It works, but it does not feel natural to the user. Animations can give your design the illusion of depth and lifelike motion, creating a more 3D space and giving the user the feeling of being inside the design.

read more
Share this

© 2017 RealEyes Media, LLC. All rights reserved.