Center for Applied IT launches new online tool for Maryland’s 1200 veterinarians

May 21, 2012

Timothy

Maryland’s veterinarians will have an easier time renewing their licenses this year – because for the first time they will be able to renew them on line.  This month marks the opening of a new website that will allow Maryland veterinarians to renew their licenses by submitting the required information and payments.  The website was developed by DECO’s Center for Applied Information Technology (CAIT) and the Maryland Department of Agriculture, which is the state agency charged with licensing and regulating Maryland’s over 1200 veterinarians, as well as veterinary technicians, and veterinary hospital facilities.

The website can be accessed by veterinary professionals using an address that is provided with their license renewal information.  Once they are logged into the site they can update required information that is associated with their license, and make a payment using a credit card.  When the information and payment are submitted the payment record is processed and the license renewal is recorded.

The new internet application was primarily developed by Genna Melamed, one of CAIT’s application developers, who worked closely with Courtney Stevens, a software developer at MDA.  Genna leveraged experience he has gained during his decade working on CAITS projects in support of numerous other state licensing and regulating agencies such as the MVA.

Genna used Microsoft .NET based technologies to develop the application and supported it with a SQL Server database.  Working together with Courtney, a data synchronization process was developed to keep the applications data base coordinated with the master veterinary database maintained by MDA.

The application has been online since earlier in the month and has already been used by several veterinary professionals for license renewal.

Leave a Comment » | IT | Tagged: , , , , | Permalink
Posted by Timothy Brooks

What does “platform” really mean when it comes to IT?

April 2, 2012

Timothy

The “IT” definition of a platform is very similar to the traditional one – It is a foundation software system which supports and provides services to other programs.  Those programs are said to be “built upon” the foundation software or “platform”.  That supported application may well be a platform for another application and so on up the line.

 

The lowest level of platform that is likely to affect most people is the choice of an Operating System.  An Operating System (OS) is a program (more accurately a group of programs) that performs low level chores such as handling keyboard and other input managing the screen display and providing access to devices such as disk drives, printers and network interfaces.   The OS also presents the basic user interface that allows human users as well as other outside processes to interact with the computer or any other microprocessor based device.  It is, in effect the devices “personality”.  In the PC world early examples of Operating Systems would include Control Program/Monitor (CP/M) from Digital and Microsoft Disk Operating System (MS-DOS).  Contemporary operating systems include LINUX, iOS, Windows, Android, UNIX, and others.

Like other software platforms, different operating systems provide the same sort of services; however they often provide them in different ways and communicate through different protocols.  These differences are reflective of the difference of the processor chip they are designed to be run.  As an example, some operating systems communicate with users by means of a visual user interface using point and click tools such as a mouse or a touch-screen.  Others communicate through commands which are typed in from a keyboard.  A program that required a visual interface would be much easier to implement operating system such as iOS or Windows which provide services.  Conversely a program which communicates with users in a much simpler fashion, such as the programs that allow the dashboard clock in a car to be set, only need to react to a couple of buttons and would be able to get everything it needs from a streamlined OS.

As we said earlier, software platforms often support other platforms.  Types of software that can be thought of as platforms include Web Servers such as IIS and APACHE, database servers such as Oracle and DB2, Content Management Systems (CMS) such as Drupal and DotNetNuke and other software that enables or supports the operation of other programs.  These different layers of platform software are sometimes referred to as a “software stack”

As an example of this, a program that performs some function on a computer or other device, for like  allowing users to log-in to a web site, is written to expect that some sort of data service, and web server are available for it to use to store and retrieve data and to present its output as web pages.  The data service assumes that a database is available to evaluate and respond to its requests.  All of these components require services provided by the operating system.  Individually each piece of software is a platform for the ones above it; taken together they represent the software stack used to provide the required function.

Many software packages are required to run on several different platforms, which means that versions must be developed that provide identical functionality on different operating systems or when being supported by different databases.

A good example of this is mobile applications.  A program that has been written to work under one mobile operating system, for example Android, must be written differently in order to work under iOS or WindowsPhone.  This means that choice of platform and support of additional platforms are decisions which should be evaluated from several perspectives.

In a commercial software development effort the choice of platform is often based, at least in part on marketing decisions in an attempt to develop a product that will run on platforms which have a large number of users in order to have a large potential market.  In the case of “in-house” development efforts, where a company or group is developing software for their own use, decisions about what platforms to use to support the application must take into consideration long term IT strategies and the impact of support and training required to introducing and support additional technologies.

At this point I have to acknowledge that, in some circles, discussions of the comparative strengths and weaknesses of various platforms have a dogmatic nature.  As this series of articles progresses please understand that I am not presuming to compare or evaluate any of these technologies or the development strategies and design patterns that they support.  It’s kind of like the traditional call and response between a customer and a waiter where the customer asks “What’s the best thing on the menu?”, and the waiter’s canonic reply is, “…it’s all good.”  My own philosophy is that “The right tool makes the right task successful”.  That is to say that all of these technologies exist to support applications by providing required functions.  Choosing an appropriate platform for a development project is a key factor in that projects success.

Next time we will continue by looking at some established software design patterns and classic combinations of platforms that support them – unless I think of something more interesting…

Leave a Comment » | IT | Tagged: , , , , , , , , , , | Permalink
Posted by Timothy Brooks

SQL Injection: A Mid-Tech Explanation (Continued)

February 23, 2012

Timothy

Hi – welcome back to our discussion of SQL Injection, what it is and how to minimize an application’s exposure to this threat.  To quickly review from the previous article in November – “SQL Injection is a scheme whereby a hacker uses knowledge of database technology combined with flaws in a program’s design or construction to allow them a level of access to data that is beyond what was intended”.  This is accomplished by identifying user input that is going to be made into parts of a SQL statement that is created “on-the-fly” in the application and entering actual statements in the SQL language which the application unknowingly submits to the database for execution.

The article closed with the observation that there are three rules of thumb to make your database more difficult to access through a SQL Injection type of attack and promised examples of them were to come.

Minimize your exposure.
The single best way to keep an attacker from exploiting the dynamic SQL in an application is to simply not have any.  Most all contemporary database platforms such as Oracle, SQL Server, DB2, and MySQL support a type of function called a “Stored Procedure” (SP).  A stored procedure is a small program that is compiled and stored at the database.  An SP may expect input (known as parameters) which it uses as selection criteria and other input for a SQL statement.

In our context, the biggest difference between a stored procedure and Dynamic SQL is that with an SP, user input is not included in the syntax of a SQL statement that is submitted for execution.  This in itself is a significant deterrent to most SQL injection attacks.  Use of stored procedures can also allow a more robust error handling and easier front end maintenance.

For more detailed information on creating and executing stored procedures (in the SQL Server environment) check out this article at MSDN.

Examine user input.
There are numerous reasons for your programs to apply stringent validation rules to user input.  It just makes sense to do everything we can to make sure that any transaction that is submitted to the database is valid.  This gives us an opportunity to reject suspicious input before it gets submitted for storage or execution, which is the best time to deal with it.  To be effective, input must be examined in the context of what is expected.  If we are expecting the user to enter a basic “zip code” in a field, the field can be developed so it will reject any input that is not a number.  If the field is expected to contain a user’s name then input validation rules for the field will have to be looser, but we still have no reason to expect things like colons, or words like “ SELECT “ to be part of the input.

Be aware then input filtering is a sort of tug-o-war scenario between developers and would be intruders, with both sides keeping abreast of what the other side is doing and reacting to it.  To this end it is a good idea when possible to keep a log of both rejected and accepted user input so you can see what the intruders are up to.  Accepted input can be tracked through normal database log functions, but rejected input will have to have logic in the front end application to log the rejected material at the server for later inspection.

Don’t be too predictable.
The practice of obfuscating data by use of cryptic data and code structures is sometimes referred to as “security through obscurity”.   In a bygone day when the level of computer literacy in the general public was nothing like it is today, this sort of approach was all the security many systems had, or needed for that matter.  Although those days are long gone there is still a case that can be made for not giving database tables and fields names or formats that make it obvious that they contain sensitive information.  If an intruder is looking for a social security number and they find a database field that is named SSN, SocSecNum or anything similar they have had their task made much easier.  Even if the name was less obvious things like a length of 11 characters masked as “nnn-nn-nnnn” wouldn’t take very long to identify.  Imagine however if the intruder was confronted with a social security number that had been distributed between 3 fields that were 3, 2, and 4 characters respectively and were named “IDA”, “IDB” and “IDC”.  This is just a quick example but you can see how this sort of thing would complicate the intruder’s task.

Image Credit: David Castillo

Which Do I Use?
The short answer is, “all of them.”  They all work together to make your application smoother for the user, easier to maintain for the developers, and stronger in the face of potential intruders.

Another reality of data management is the periodic need to stand up to audits, both internal and external.  Whether you work for a public or private sector entity or if you are contractor or a an independent consultant, some of your designs and code will likely have to be audited.  Financial systems, critical records management systems such as those developed for the medical and insurance industry, and security applications can all be anticipated to be regularly audited.

If an application accepts user payments through credit cards (eCommerce) then it will be audited by, and held to standards developed and enforced by the Payment Card Industries (PCI).  These set required security standards for any merchant accepting credit card payments. Any eCommerce applications that you write will be subject to these standards .  Other outside organizations that impose security standards include HIPPA, State motor vehicle and social services records and many others.  Be aware of any security standards that may apply to your application and ensure that the applications design and implementation meet the requirements and that this compliance is documented and as easy to verify as possible.

Many auditors use automated scanning tools that can detect the presence of filtering code in the front end application, but do not have a view into the functions of stored procedures on the server side.  In order to facilitate these scans develop input filters and incorporate them into the front end application.  Other scans may access the database directly and require other sorts of security measures such as data encryption to be visible.

Don’t Turn Your Back On The Bad Guys
Cyber-Security is an ever evolving field.  The arena is filled with new technologies, system architectures and development tools which arrive almost daily, closing existing security gaps, and introducing new ones.  Stay informed. Use the information that you gather.  Periodically review your standard designs and development practices to makes sure nothing has changed to make them inappropriate.

Leave a Comment » | IT | Tagged: , , , , | Permalink
Posted by Timothy Brooks

SQL Injection: A Mid-Tech Explanation

November 21, 2011

Timothy

A lot has been written in the last few years about application security.  One of the most popular sub-topics in this arena has been a scheme called SQL injection.  SQL Injection is a scheme whereby a hacker uses knowledge of database technology combined with flaws in the program design to allow them a level of access to data that is beyond what was intended in the applications design.

A database is a program that manages a repository of information.
A database, more properly a relational database management system, is a process that runs on a computer.  It stores data in tables which are comprised of rows and columns, similar to a spreadsheet.  Each row is referred to as a “record” and each column is referred to as a “field”.
Modern database management systems provide many data functions for manipulating both the data and the table structure.

A database is a program that manages a repository of information.  The database can answer questions and requests for information.
The principal function that most users are involved with is the storing and retrieval of records.  In order to retrieve a record or records, a request command, known as a “query”, is sent to the database.  This request specifies what table the records is stored in, and what the identifying characteristics of the desired record are.  This is similar to asking someone to go to the kitchen, look in the pantry, and bring you the box which has rice in it.

Image credit: jscreationzs

A database is a program that manages a repository of information.  The database can answer questions and requests for information. Questions are asked using the Structured Query Language (SQL).
The SQL language was developed in the early 1970s by IBM but was not used commercially until Relational Systems (now Oracle) incorporated it in the initial release of the Oracle database system.  A query in the SQL language takes the form of several clauses, most commonly the SELECT clause the FROM clause and the filter, or WHERE clause.  Assume a table exists that is called “books” and contains fields named “title” (which stores the title of the book), “publication_date” (which stores the date the book was published), and “author” (which stores the name of the author of the book).  In this case a SQL query that was designed to return the title and author of all books written in the year 2003 would look something like this:

SELECT title, author
FROM books
WHERE publication_date = 2003;

There are other clauses which can be included in our query to do things such as sort the data.  In many programs and more importantly in the processing that occurs behind many interactive functions on web sites, there is a database that is doing some of the work.  A extremely simple example of this would be a web page that allows a user to enter a book title and returns the name of the author and the date of publication.  In order to do this the web page must provide the database with the information the user entered.  This is done by having the web page generate a SQL statement which, assuming the user entered “Ogden Nash” as the input, would look something like this:

SELECT title, publication_date
FROM books
WHERE author = ‘Ogden Nash’
ORDER BY publication_date;

A database is a program that manages a repository of information.  The database can answer questions and requests for information. Questions are asked using the Structured Query Language (SQL).   The database will answer any question asked of it.
It’s that last one that’s a problem.  Presuming that our user has a knowledge of the SQL language and a heart full of evil intentions, rather than an author’s name, they might enter something like “: SELECT * from users;: –“.  The web page will assume that the input is an authors name and place it in the SQL statement making a final SQL statement that looks like this:

SELECT title, publication_date
FROM books
WHERE author = ‘: SELECT * from users;: –‘
ORDER BY publication_date;

What has actually happened here is that the first character in the users input (the colon) is how individual requests in a SQL statement are separated from each other.  The SQL statement now contains three queries for the database to answer.  The first query:

SELECT title, publication_date
FROM books
WHERE author = ‘:

is an incomplete statement and can be anticipated to cause an error message to be returned from the database.  Just for an example let’s say that message is “SQL Syntax Error (#71421)”.  The third query:

–‘ ORDER BY publication_date;

will be ignored because the two dashes that begin the statement identify it as a comment that is not intended for execution.  It is the second query:

SELECT * from users;

that contains the threat.  In this example, assuming the existence of a table named users in the database and contains fields for the name and password of each user of the system the web page that was intending to display a list of books by a certain author would actually display something like:

SQL Syntax Error (#71421)
Joe                   MyPassword
Elizabeth         HerPassword
Dan                  TopSecret

If there is no table named users, “…well, maybe they called it ‘passwords’ instead”, thinks our hacker and tries again.  He will ultimately be able to access any data in the database that the application he is using as a conduit can access.

How can I prevent this stuff?
There are three rules of thumb to make your database more difficult to access through a SQL Injection type of attack.

First, minimize your exposure. The attack described here is deliberately simplified in order to clearly show the problem.  The technique of assembling a SQL statement from a combination of static text and user input is called “dynamic SQL”.  In many situations this dynamic SQL can be replaced with a database function called a stored procedure.  In a stored procedure user input is supplied in the form of parameters that are referenced by the function but are not included in the actual SQL statements that are executed.  Thus an attacker will not have a way to submit SQL queries of their own design to the database for processing.

Second, never, ever trust user input.  Include routines that examine the input looking for characters (such as colons) that are not expected.  Very few authors have colons in their name.  Other phrases and punctuation should also be looked at with a grain of salt.  Input that is anticipated to be numeric should be checked to verify that it doesn’t contain any text.  This will strengthen the application and prevent input errors caused by innocent typos on the part of the user.

Image credit: Salvatore Vuono

Third, don’t be too predictable.  Avoid table and field names such as “password” or “SocialSecurityNumber” or table names such as “CreditCards” in your database.  Such names simply shout “I contain sensitive information” to an attacker.

SQL Injection, and secure application design are large subjects.  My next blog will take a more in-depth look at each of these techniques and discuss where and how to use them to protect your applications in production.

1 Comment | IT | Tagged: , , , , | Permalink
Posted by Timothy Brooks

Timothy Brooks: What I Like Most About My Job

September 12, 2011

Timothy

In the process of establishing myself as a new contributor to the DECO blog, I was asked to give answers to some questions that the blog managers will use to put together a profile.  There were a page full of questions, a number of which pertained to personal trivia, but there was also a question that caused me to ponder something that I hadn’t given much thought to for a while.

The question was “What do you like most about your job?”  The anticipated answer on the questionnaire was a sentence or two, which was what I wrote there.  But I would like to take this first writing opportunity to answer the question more fully, because I think it will provide a perspective for further articles.

What do I like most about my job?  Since I am approaching a decade with the organization there must be an answer to the question.  It was obvious to me that there had been many projects which I had truly enjoyed because of some challenging technical aspects.  I’m a computer geek, that’s what we like.  But the challenges that I have found inspiring and that have brought out my best contributions were the ones that focused our organizations unique potential to fill a true need.

During my time with the software development group of DECO our name has changed several times, but the focus has remained the same, applied information technology.  Applied IT means using existing and emerging technologies to solve defined problems and meet established needs.

The first project that I worked on when I was starting with the group was aimed at providing interactive website technology to several Maryland state agencies.  Access to this technology allowed the agencies to make information and transactions from their existing data systems available on an intranet.

Image credit: jscreationzs of FreeDigitalPhotos

The same purpose driven use of technology has been the core of one of the most recent projects I have been involved with as our group has worked with Dr. Jonathan Lazar from Towson University’s Computer and Information Sciences department in his efforts to develop and test a CAPTCHA challenge that is accessible and achievable for blind computer users.

There have been many other projects but the pattern remains the same, technology to solve problems and enable people to do more things, more easily.  I like my job because I find that rewarding.

Leave a Comment » | IT, Projects, TU Faculty & Staff | Tagged: , , , , , , | Permalink
Posted by Timothy Brooks

Follow

Get every new post delivered to your Inbox.