How to secure your AWS instance and protect its contents.

Every second, somewhere, some company loses two years' worth of data, code, intellectual property or third-party licences to an unknown hacker! So how do you intend to protect yours?


Securing your AWS

Here are 5 simple rules that will help you take the bend in the road without falling off.

  1. Validate your inbound ports

    Port 22 is the most useful port for the entire development community, yet it is also the main backdoor through which hackers steal data in minutes. So the only way to keep it safe is to allow inbound access from a particular IP or IP range, not from the entire web!
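As an added example (not code from the original post), here is a small audit that flags exactly the rule the paragraph warns about: an ingress rule that exposes SSH (or RDP) to the whole internet. It assumes data in the shape returned by `aws ec2 describe-security-groups`, trimmed to the fields the check needs; the group IDs and addresses below are a constructed sample, and prefix-list or group-to-group references are deliberately ignored.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (group IDs and CIDRs are made up for the example).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-example-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-example-bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",  # "-1" means every protocol and every port
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the whole internet


def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def is_world_open(cidr):
    """A range is 'the entire web' when its prefix length is 0 (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_admin_ports(groups, ports=ADMIN_PORTS):
    """Return (group_id, port, cidr) for every rule exposing an admin port to everyone."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for port in sorted(ports):
                if not rule_covers_port(rule, port):
                    continue
                for cidr in cidrs:
                    if is_world_open(cidr):
                        findings.append((group["GroupId"], port, cidr))
    return findings


if __name__ == "__main__":
    for gid, port, cidr in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: port {port} open to {cidr}; restrict it to your office/VPN range")
```

On a real account you would feed the function the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`; the bastion group above is the typical mistake, a correct /32 rule for SSH undone by a second "all traffic" rule.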

  2. Admin module of WebLogic / Tomcat

    Admin modules let you deploy code, change root paths and change datasource properties with ease. Remember that the same is true for hackers. All those default users in tomcat-users.xml or weblogic-users.xml have a default password, and hackers know this better than anyone! So, first things first:

    a) Change the username and password of every default account before anything else, and disable all unused roles and privileges.
    b) Once the app goes to testing, DISABLE THE MANAGER / ADMIN MODULE. COMMAND LINE DEPLOYMENTS ARE ALWAYS SAFER.

  3. Set up a passphrase for the private key and safeguard it

     Always having a passphrase / passcode on the private key adds an extra layer of security to the whole setup. Remember, a good front gate stops many attempts to get inside.

  4. Your database

    Hackers don't get into our AWS server to look at our coding practices or vulnerabilities; they are there to exploit, violate and, most importantly, STEAL our DATA. So here are the top 3 things we should do to safeguard our data:

    1. The customer schema should be encrypted (data at rest and data in motion).
    2. Passwords should never be decryptable; they should only ever be compared (hash against hash), never decrypted.
    3. Never store the DB PASSWORD as plain text in your application.properties or db.properties. If the credentials are encrypted and stored in your .class files (or the .mdb files of your .NET applications) they are safer.
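Rule 2 above, as an added example (not code from the original post): the application never stores or decrypts a password, it stores a salted one-way hash and, at login, recomputes the hash and compares it in constant time. The example assumes PBKDF2-HMAC-SHA256 with a per-user random salt, a constructed record format `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>`, and a constructed in-memory user table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 and this iteration count.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way hash of a password. Nothing here can be 'decrypted' later; the
    only operation the application ever performs is recompute-and-compare."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constructed record format: algorithm$iterations$salt$hash
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed user table: only the hash record is persisted, never the password.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}


def login(username: str, password: str) -> bool:
    """Authenticate against the stored hash; unknown users still pay the hashing
    cost so the response time does not reveal whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(password, stored)
```

Because the salt is random, hashing the same password twice yields two different records, which is what stops a leaked table from being cracked with one precomputed list.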

  5. Application hygiene

    1. Passing form data in the URL (e.g. http://myapp.com/customer_id=1023). Boom! You are lost in the woods already; many Fortune 100 companies have lost their data at least once because of this poor development habit.

    2. Showing complete exception details on the screen, i.e. showing the technical details of the server, database or table name during an exception.

    3. Most importantly: text fields should know what they are meant for and allow only the characters they need. Special characters and SQL injection pose the No. 1 threat. Recently an FMCG company lost 100K customer records through its forgot-password (email) text box; it is as simple as that.

 

Thanks and Stay Tuned for More – Techuva Solutions Pvt Ltd.

10 Useful TIPS for a Faster J2EE Application !

Why is your app slow?

Ever felt your application should be faster and more responsive?

So here are 10 things that can help you make your application faster!

  1. Know your queries!
     The most resource-intensive part of any application is the DATABASE! It is the slowest of all; remember, the DB is always file I/O (okay, unless you deal with an in-memory database, SAP HANA or MapR). So this is a great opportunity to tweak. E.g., if you wanted to access the last X records:

        SELECT id FROM Order WHERE ... (fetch the last X records)

     and then execute a second query for those records:

        SELECT * FROM Order WHERE id IN (results from your first query)

     This is roughly 20-30% less I/O and processing cost on your DB server.

      2. Not using a DB connection pool
           Remember! Every time you do a Class.forName("com.mysql.jdbc.Driver") your JVM performs reflection, loads the class into memory and then tries to get you a connection! This takes roughly a second, so better use a connection pool: set the initial capacity = 10 and have roughly 1 connection for every 5 concurrent users, or 1 per 25 to 50 users (active during that hour). So roughly a 100-user app will need around 10 connections in the pool to keep your business running on a summer day.

     3. Calling the GARBAGE collector explicitly
             This is another costly thing! Every single time a full GC (garbage collection) runs, it stops all threads until it is done... which means that if it runs for 3 seconds, all the users on the application or server are FROZEN for those 3 seconds. That makes for a terrible user experience.

So, to avoid this, reduce the scope of your variables to local / function-level variables. This stops so many variables remaining in memory after they have been used.

Another TIP: after you have used a variable and you don't need it anymore, de-reference it by setting it to null.

In a modest 2-3 gigabyte heap this might be 3-5 seconds, but if you are running a 30-gigabyte heap this could be more on the order of 30 seconds.

    4. Concurrency issues
           It is always a developer's nightmare: two threads point at the same shared resource and end up in a deadlock.

A few developer nightmares:

• Thread deadlocks
• Thread gridlocks
• Thread pool sizing issues

Code deadlocks occur when two or more threads each hold the lock for a resource the other thread needs to complete its task, and neither thread is willing to give up the lock it has already obtained.

At the database level, deadlocks happen when one thread is trying to update a record while another thread is trying to read it, or when two threads are trying to update a record and both fail at some point.

Synchronised blocks are the usual culprit and have to be dealt with properly; they can cause unexplained stuck threads, resulting in performance delays, data inconsistency, etc.

           Tip: The way to get over it! You mostly see stuck threads in production (since they are very hard to reproduce), so enable thread dumps, evaluate them in detail, understand the bottlenecks in the code and de-congest them to avoid the deadlocks.
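The code deadlock described above, as an added example (not code from the original post): two threads move money between two accounts in opposite directions, the classic case where each thread takes "its" lock first and waits forever for the other. The fix shown is to always acquire locks in one global order; the example uses Python threads and a constructed `Account` class, and treats a thread that fails to finish within a timeout as "stuck", the situation where you would take a thread dump (`jstack <pid>` on a JVM).

```python
import threading


class Account:
    """Constructed example: a balance guarded by its own lock."""

    def __init__(self, name, balance):
        self.name = name
        self.balance = balance
        self.lock = threading.Lock()


def transfer(src, dst, amount):
    """Acquire both locks in a global order (by object id) so that no two
    threads can ever hold one lock each while waiting for the other.
    Acquiring src.lock then dst.lock instead would deadlock under load."""
    first, second = sorted((src, dst), key=id)
    with first.lock:
        with second.lock:
            if src.balance < amount:
                return False
            src.balance -= amount
            dst.balance += amount
            return True


def run_opposing_transfers(rounds=2000, timeout=30):
    """Hammer two accounts from two threads in opposite directions and return
    the final balances. Raises if either thread is still stuck after `timeout`."""
    a = Account("A", 10_000)
    b = Account("B", 10_000)

    def worker(src, dst):
        for _ in range(rounds):
            transfer(src, dst, 1)

    t1 = threading.Thread(target=worker, args=(a, b))
    t2 = threading.Thread(target=worker, args=(b, a))
    t1.start()
    t2.start()
    t1.join(timeout)
    t2.join(timeout)
    if t1.is_alive() or t2.is_alive():
        raise RuntimeError("threads stuck: take a thread dump and inspect lock order")
    return a.balance, b.balance


if __name__ == "__main__":
    print(run_opposing_transfers())
```

Every transfer moves 1 unit, each direction runs the same number of times and neither balance can reach zero, so the final balances are the starting ones; the total is conserved regardless of interleaving because both fields are only ever touched under both locks.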

 

5. Overuse of HTTP Session
          Since the HTTP session is the easiest way to carry objects from one module to another, developers over-use it, and it always becomes a pain at the end of development or in production.

So utilities have to be written to understand what objects lie hidden in your Java session and to clear them explicitly once the user leaves one module for another, or when they are no longer required. Since the HTTP session gets bloated when there is a large number of concurrent users, it can bring down the entire application. Does "java.lang.OutOfMemoryError" sound familiar? Oh yes, in several developers' case... including mine in the past.

         Tip: Use in-house utilities to dump the HTTP session variables and determine which have to be removed at the exit of which modules.

    6. String concatenation
                    Not a serious offence! Remember all those places where queries are concatenated with the + symbol... if there are more than 10 lines, String is 2X costlier than StringBuffer,
and when you have 100-500 users, all those 2X differences are going to make a serious impact.

So as a standard practice: use StringBuffer for all query / concatenation needs instead of String.

   7. Not using JSON for web services
                   It has now become standard to use JSON instead of SOAP XML, thanks to AngularJS / Meteor / NodeJS etc. JSON is up to 10 times lighter than SOAP web services (period).

E.g. an employee web service carrying 50 fields and their values is around 50-65 KB of data transfer in the XML world and 5-9 KB in the JSON case.

Tip: If you have the option, move to JSON for performance and use a proper parser on the front end.

     8. Compression of those JS files
         Remember the min versions of those JS files from Angular and jQuery... they have been stripped of their whitespace, and that was done for a reason: a 200 KB JS file, once compressed and minified, is only around 30-40 KB.

Tip: Wherever possible, minify the JS file for production and keep a normal version for development and debugging! Bingo, that serves both purposes.

    9. Optimising the UX views
            A simplified UX is always quicker, swifter and has a better navigation experience. So introduce JS-based sorting on the screen instead of DB hits, and use stored procedures or views instead of queries for view-only / data-fetch areas. Remember they are pre-compiled, hence faster.

   10. DB optimisation

The simple difference of hitting a table that has more than 100,000 records (on a MySQL DB) with an index is up to 60 to 90% faster.

1) Do your tables have indexes on most of the columns you use for searching, like employee_id, employee_name, age, city, status (of the employee table)?

2) Do you have triggers enabled on large tables which are being modified very fast?

3) If your query takes more than 6 seconds, rule 1: it should move to a stored procedure or a view, and validate all indexes. Remember MySQL can read 100,000 rows in 1 second.

4) Java controllers are FASTER than JSPs (since they are already compiled), so have your logic written either in the query or in the controllers instead of the JSP.
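Points 1 and 3 above, as an added example (not code from the original post): a check that asks the planner whether a query performs a full table scan, then adds the index and asks again. It uses SQLite's EXPLAIN QUERY PLAN rather than MySQL so it runs offline; the employee table, its 50,000 rows and the index name are constructed for the example. The query stays parameterised so the check never builds SQL from values.

```python
import sqlite3
import time


def build_db(rows=50_000):
    """Constructed sample table resembling the post's employee example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee ("
        " employee_id INTEGER PRIMARY KEY, employee_name TEXT,"
        " age INTEGER, city TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO employee (employee_name, age, city, status) VALUES (?, ?, ?, ?)",
        ((f"emp{i}", 20 + i % 45, f"city{i % 200}", "active" if i % 7 else "left")
         for i in range(rows)))
    conn.commit()
    return conn


def query_plan(conn, sql, params=()):
    """Return the 'detail' column of each EXPLAIN QUERY PLAN step."""
    return [row[-1] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]


def does_full_scan(conn, sql, params=()):
    """True when any plan step is a SCAN (whole-table read) rather than a SEARCH."""
    return any(step.strip().startswith("SCAN") for step in query_plan(conn, sql, params))


def time_query(conn, sql, params=(), repeats=20):
    """Average wall-clock seconds per execution; informative, not asserted on."""
    start = time.perf_counter()
    for _ in range(repeats):
        conn.execute(sql, params).fetchall()
    return (time.perf_counter() - start) / repeats


QUERY = "SELECT employee_id, employee_name FROM employee WHERE city = ? AND status = ?"
PARAMS = ("city17", "active")


def compare_with_and_without_index():
    """Run the same query before and after adding a composite index on the
    searched columns and report whether the planner scans and how long it takes."""
    conn = build_db()
    scan_before = does_full_scan(conn, QUERY, PARAMS)
    seconds_before = time_query(conn, QUERY, PARAMS)
    # Constructed index name; the columns match the WHERE clause.
    conn.execute("CREATE INDEX idx_employee_city_status ON employee (city, status)")
    scan_after = does_full_scan(conn, QUERY, PARAMS)
    seconds_after = time_query(conn, QUERY, PARAMS)
    return {
        "scan_before": scan_before, "scan_after": scan_after,
        "seconds_before": seconds_before, "seconds_after": seconds_after,
    }


if __name__ == "__main__":
    for key, value in compare_with_and_without_index().items():
        print(f"{key}: {value}")
```

On MySQL the equivalent question is answered by `EXPLAIN SELECT ...` (a `type` of ALL means a full scan); the habit is the same: check the plan for every slow query before reaching for a stored procedure.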

 

Thank you ! Stay Tuned for More…..

-Techuva Solutions Pvt Ltd.

Migrating to the cloud? First steps!

Moving to a public cloud (AWS)? First timers, here is a cheat sheet!

  1. Migrating to AWS?

    Have you tried the free micro tier? It gives you 1 full year of free ownership of 1 (micro) server. Use that to learn AWS and deploy your first app.

  2. Setting up Tomcat 7 or 8 on your EC2 instance

    Download the PEM file and use PuTTYgen (a downloadable exe) to create your private key, then use the private key to connect to your AWS instance.
    Remember to save your private key and PEM file for future reference.

    Installing Tomcat via the yum installer on your AWS instance:

          sudo yum install tomcat7-webapps tomcat7-docs-webapp tomcat7-admin-webapps

This command installs Tomcat 7 along with the admin app and the manager GUI.

Next, go to /usr/share/tomcat7/conf/tomcat-users.xml, uncomment the last few lines and set a password for the roles:

<user name="admin" password="admin12345" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
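The user line above is the one to revisit before the instance goes anywhere near a test environment (see rule 2 of the "Securing your AWS" post: change default passwords and drop the GUI manager roles). As an added example (not code from the original post or from Tomcat), here is a check that parses a tomcat-users.xml and flags guessable passwords and GUI roles. It assumes the file layout Tomcat ships (it accepts both the `username` attribute Tomcat's own file uses and the `name` attribute in the snippet above); the sample file and the weak-password list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat's conf/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="admin12345"
        roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="deployer" password="Hx9!qL2m#rT7vB4p" roles="manager-script"/>
</tomcat-users>
"""

# Constructed list of passwords that appear in default or sample configs.
WEAK_PASSWORDS = {"admin", "admin12345", "tomcat", "password", "s3cret", "changeme"}
# Browser-facing roles the post says to disable once the app is in testing.
GUI_ROLES = {"manager-gui", "admin-gui"}
MIN_PASSWORD_LENGTH = 12  # assumption for the example


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for every <user> that needs attention."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        # Strip the namespace so the check works with or without xmlns.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}

        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "default or guessable password"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, f"password shorter than {MIN_PASSWORD_LENGTH} characters"))

        gui = roles & GUI_ROLES
        if gui:
            findings.append((name, "holds GUI role(s): " + ", ".join(sorted(gui))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against the real file (`audit_tomcat_users(open(path).read())`) from the command line; an account like `deployer`, with a long password and only `manager-script`, is what is left once the post's advice is followed.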

      3. Start / stop your Tomcat

To start the Tomcat service:                 sudo service tomcat7 start

To stop the Tomcat service:                  sudo service tomcat7 stop

To add the Tomcat service to auto start:     sudo chkconfig tomcat7 on

For an F-Secure / SSH client, give all permissions, e.g.: sudo chmod -R 777

     4. Add the Tomcat port to the AWS open list:

     5. Connect to the instance by public DNS name on port 8080.

     6. You are done with your Tomcat on AWS!

     7. Go to the browser, access port 8080 (http://<your AWS public IP>:8080) and use the manager application to deploy your first application.

What is SQL Injection & What are steps to fix it ? – most common problems of e-commerce sites

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

How SQL Injection works

In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.

In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

The following server-side pseudo-code is used to authenticate users to the web application.

app_user_name   = request.POST['username']
app_user_passwd = request.POST['password']

# SQL query vulnerable to SQLi: the user input is concatenated straight into the statement
sql = "SELECT id FROM users WHERE username='" + app_user_name + "' AND password='" + app_user_passwd + "'"

# Execute the SQL statement
database.execute(sql)

 

The above script is a simple example of authenticating a user with a username and a password against a database with a table named users that has username and password columns.

The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that it alters the SQL statement executed by the database server.

A simple example of an SQL Injection payload could be something as simple as setting the password field to password’ OR setting an inner query to (delete * from users) 

This would result in the altered query being executed, and data could be corrupted or manipulated.


What’s the worst an attacker can do with SQL?

SQL is a programming language designed for managing data stored in an RDBMS, therefore SQL can be used to access, modify and delete data. Furthermore, in specific cases, an RDBMS could also run commands on the operating system from an SQL statement.

Below are a few ways an attacker can inflict serious trouble on any organisation:

  • An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
  • One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
  • Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
  • SQL is used to delete records from a database. An attacker could use an SQL Injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
  • Some database servers are configured (intentional or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker co

An SQL Injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query.

In the example below, it shall be assumed that the attacker’s goal is to exfiltrate data from a database by exploiting an SQL Injection vulnerability present in a web application.

Example of how to avoid SQL Injections

Default example:

    String name = // user input
    int age = // user input
    Connection connection = DriverManager.getConnection(...);
    PreparedStatement statement = connection.prepareStatement(
        "SELECT * FROM people WHERE lastName = ? AND age > ?");
    statement.setString(1, name); // lastName is a VARCHAR
    statement.setInt(2, age);     // age is an INT
    ResultSet rs = statement.executeQuery();
    while (rs.next()) { // ... }

Now the above code can be violated by executing it with name = (update employee set password='123') or name = 'delete * from employee'; this could completely throw things into a toss.

Safer approach:

    List<Person> people = // user input

    Connection connection = DriverManager.getConnection(...);
    connection.setAutoCommit(false);

    try {
        PreparedStatement statement = connection.prepareStatement(
            "UPDATE people SET lastName = ?, age = ? WHERE id = ?");
        for (Person person : people) {
            statement.setString(1, person.getLastName());
            statement.setInt(2, person.getAge());
            statement.setInt(3, person.getId());
            statement.execute();
        }
        connection.commit();
    } catch (SQLException e) {
        connection.rollback();
    }

So these design and coding principles have to be applied during the initial phase of the project, so that with every sprint or iteration the code gets better and better.
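The login pseudo-code from the top of this post and the "text fields should know what they are meant for" rule from the AWS post, side by side as an added example (not code from the original post). It runs the concatenated query and the parameterised query against the same constructed SQLite table with the same quote-bearing input, and adds an allow-list check for the username field. The Java `PreparedStatement` above binds values the same way: the driver sends them separately from the SQL text, so quotes and keywords in the input are data, never SQL. The table stores a plaintext password only to keep the demo short; in a real application the "Your database" rules apply and only a hash is stored.

```python
import re
import sqlite3


def setup():
    """Constructed users table with one account (plaintext only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'Str0ngPass!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern from the pseudo-code above: user input spliced into the SQL text.
    A quote in the input ends the string literal and the rest becomes SQL."""
    sql = ("SELECT id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed, values travel separately."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


# Allow-list for a username field: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def valid_username(value):
    """Defence in depth for the input field; not a substitute for parameters."""
    return USERNAME_RE.fullmatch(value) is not None


def demo():
    """Run both logins with the same quote-bearing password input and report
    which one lets a non-matching value through."""
    conn = setup()
    payload = "x' OR '1'='1"  # constructed input containing a quote and SQL keywords
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "alice", payload) is not None,
        "safe_with_payload": login_safe(conn, "alice", payload) is not None,
        "safe_with_real_password": login_safe(conn, "alice", "Str0ngPass!") is not None,
        "payload_passes_allowlist": valid_username(payload),
        "real_name_passes_allowlist": valid_username("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns a row for a password that is not the user's, because the input turned `password='...'` into `password='x' OR '1'='1'`; the parameterised function compares the whole input as one string and returns nothing. Keep the allow-list as a second layer for fields with a known shape (usernames, emails, IDs), and rely on parameters for every query.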

-Tech Team from Techuva Solutions 

Why IoT? Three big reasons from a customer centric view

You may have read how different companies and different business models are applying Internet of Things (IoT) concepts to transform their business. Their deployments reflect the bottom-line impact that is possible with advanced IoT initiatives. For instance, automated lighting systems introduced by developers in large establishments have already reduced their power bills by 20%, and auto makers have moved ahead and provide features to mirror phones into the car's infotainment system without any wires / plug-ins. Remote monitoring of hospital patients has helped several post-operative care patients.

 

And while there’s much to be learned from advanced players in IoT with complex concepts and solutions, there is also plenty of opportunity for companies that are just starting out with IoT. When you look at new IoT deployments in this emerging technology landscape, there are three key business fundamentals where companies of any size can gain.

E.g.: the Hyderabad-based IoT technology startup "Techuva Solutions" today applies IoT solutions in different areas, such as:

1) Monitoring cell towers in India for temperature, humidity and CO2 PPM levels, with intruder alerts sent automatically via email / SMS / automated calls to different field techs. This is centrally controlled by administrator dashboards monitoring several parameters.

2) Centrally controlled and monitored mushroom farms, where temperature and 3 other critical parameters are captured, and events and notifications are generated directly from the cloud-based systems to the farm owners / administrators.

... several more use-cases for monitoring heat exchangers (in-bound channel, out-bound heat sinks), a prototype for measuring air quality, and automation / notification of 15 other parameters for a private real-estate developer, etc.

So IoT essentially helps to:

No. 1: Reduce costs

In most industries, it’s easier to save on expenditures than to build revenue, and the same principle holds true when it comes to building value with IoT. So it shouldn’t be too surprising that creating efficiency and reducing the costs of doing business was the number one answer customers gave to the question of what they think they can gain from IoT in our recent study by Keystone Strategy*.

For companies struggling to streamline their vision for IoT and focus on the fastest time to value, reducing costs provides the shortest path to success. With ROI realizable within the first year, cost reduction is also one of the most influential ways for business group leaders to drive alignment when board approval is required for their IoT investment.

 

No. 2: Increase revenue

Increasing revenue is another big reason companies are looking to the Internet of Things today, but because it often involves building out the organization to accommodate the new business, it generally takes longer to realize ROI from the effort.

The rewards, however, can be substantial, and we’ve seen several customers leverage their initial IoT work into new services that can be added on top of products to generate post-sale revenue streams.

Remote monitoring and predictive maintenance scenarios are a prime example.

 

No. 3: Transform the business

Over the last year, a few of our customers told us that transforming their business was a key goal at the outset of their IoT initiatives, but many adopters have said they now see the potential for a data-driven transformation arising from their efforts.

The most common scenario for such a transformation is the eventual maturation of additional revenue streams into a new business division. Many companies are no longer selling equipment but uptime, which is what their customers care about most.

Down the road, as more companies think through the application of IoT principles in their industry, there is the potential for this approach to be a truly disruptive force across many industries. It wasn’t long ago that nobody would have imagined a fleet of taxis carrying GPS devices connected to a central user app could revolutionize mass transit, but today it has.

 

Thus IoT is not just a technology adoption! It is the game changer for tomorrow.

– Techuva Solutions Pvt Ltd

6 Developer Friendly Ways To Strengthen Web Application Security

 

6 developer-friendly methods for better application security:

Nobody wants their web application to get hacked, even in their dreams, but there are 100+ breaches happening in any given hour worldwide. Here's how to get serious about secure app development.

1. User inputs are the first weak link. Everybody should understand that user inputs are not your friend. Today, many sites accept many different types of content from users, including text, images and uploadable attachments. But all of that user-supplied content can also be used by a crafty hacker to try to exploit the underlying web application. Accordingly, the more user input you are going to collect, the more work will potentially need to go into securing that input. This means developers should enforce things better.

 

2. Understand the vulnerabilities that can compromise things. Here is the most common list of vulnerabilities; the crucial ones are SQL Injection and Cross-Site Scripting (especially with microservices and web services), which pose the #1 risk.

[Image: OWASP Web Top 10 for 2013]

 

3. Don't customise security. It is essential to have a list of approved security controls that will mitigate every exploit in the OWASP Top 10. Now, the Top 10 is not an exhaustive list of vulnerabilities, but if you do that you have at least got your fundamentals straightened out.

 

4. Apply security controls consistently

        Rule 1: To be secure, we have got to be consistent. An attacker only has to find the one place where you don't have a security control, and that is the one place you will be attacked. Preventing that from happening means applying security throughout the development of your software, and that requires securing the software development lifecycle, or SDLC. Tools like HP Fortify and SonarQube help find vulnerabilities during the development stage itself.

 

5. Share best practice. The key to success is not having to re-invent the wheel every time a team starts a new project. Common security practices have to be templatised and used company-wide; security CoEs (Centres of Excellence) or focus groups help to share the knowledge.

 

6. Security controls in open source / different languages. Every programming language is different, and so are the security controls. That goes for PHP, Java, .NET or any other language being used. Each has its nuances, and some offer better out-of-the-box security, but the important step is to ensure that everyone involved in building and approving a web application understands how to stop exploits such as SQL injection and cross-site scripting attacks, and has the right development or code-checking tools to help.
Success in web application security starts from the design phase. "It is not a separate module"; it is part of every function, module and query!

–  by Techuva Solutions Pvt Ltd

Reasons to integrate in-app messaging with your mobile commerce

44% is the average engagement rate that high-performing apps receive from in-app messaging. For medium-performing apps the rate hovers around 26%. Push notifications earn a modest 12% average engagement rates. The writing is on the wall. In-app messaging bears far more engagement and conversions than push notifications or other channels of customer interaction.

What does in-app messaging do?

In-app messaging has troves of capabilities that will enhance the converting capacity of a mobile commerce app. Some of the tasks it can get done include:

  • Creating a direct connection with app visitors
  • Seeking attention from customers better than push notifications
  • Providing accurate product suggestions, reviews and user assistance
  • Seeking feedback from customers for fine-tuning app performance

Benefits accrued from in-app messaging

Only 35% of global brands are using in-app messaging solutions, and they are the ones winning 3.5x the customer retention rates of the rest of the world that doesn't use in-app messaging.

When combined with other channels of marketing, in-app messaging can compound customer interest in a brand and lead to higher conversions. Directly and indirectly, in-app messaging bestows some benefits that help multiply sales. Below explained are some of the benefits that business owners can reap.