Questions tagged [architecture]

104 questions
5 votes, 2 answers

Do I need OAuth to pass an API key of a service (now it is passed via copy-paste)?

I have a web application, say http://web.app/. It is local for every given user and accessible without authorisation. It uses an API of a service https://service.app/. The user can log in to it and see his API key. The user just copy-pastes it from…
4 votes, 2 answers

How does processor architecture affect password hashing speed?

Does hashing speed vary significantly using different architectures (x86 vs ARM)? Scenario I am investigating the possibility of using a cluster of Raspberry Pi for cracking passwords hashed with bcrypt or scrypt. As the Raspberry Pi use a CPU chip…
user10211
4 votes, 2 answers

Dirty and clean interface on DMZ gateways

We have a webservice border gateway in DMZ which handles incoming and outgoing webservice requests in terms of authentication and security. We have two network interfaces in place, one is called 'dirty' and is used for traffic to and from the…
pfust75
4 votes, 3 answers

Is web application connected to a database via an application server more secure?

I have heard my colleagues and some other people on the web suggest that it is more secure to run this configuration: Web server -> Application server -> Database, than this: Web server -> Database. The reasons that if an adversary takes control of…
Ilya Chernomordik
3 votes, 1 answer

Theory about split data in several isolated (different physical server) DBMS to gain in security?

Suppose the following scenario: 1- A web app (on WEBSERVER1) and its database (on DBMS1) having very sensible information deployed in the same physical server (let's say that for simplification). Users interact with the web app under the…
user30395
3 votes, 1 answer

Designing a secure information system

Could someone please provide me with some guidance for a system I am designing... A general overview of the system is that it is to store information on staff and "customers" - this information must be completely secure as it is highly sensitive!…
Sam
3 votes, 1 answer

Propagating user context between microservices secured with M2M JWT tokens

We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow). We do this for all communications between…
Spongeboy
3 votes, 2 answers

How does a security countermeasure failure impact a system?

In the context of safety-critical systems, such as transportation systems, it is important to verify if such systems meet/do not meet safety requirements. ISO26262 expresses these requirements as a maximum number of failures per hour of operation.…
Jean Oudot
3 votes, 4 answers

Added security risks that come with 3-tier software architecture

Are there any added security risks that come with using a 3-tier architecture such as MVC in a software project? I got asked this today, and my gut reaction was "I don't see why there would be." After some consideration, I decided that I don't…
Polynomial
3 votes, 2 answers

Is authentication + authorization a good idea at gateway level when using microservices?

I have this simple design: Queries ----> Gateway ---- RPC ----> Microservices. I am thinking of having the gateway handle…
3 votes, 1 answer

How does a smart card work?

My understanding of smart cards is that they are a complete system on a chip, i.e. they have a processor and memory and can perform calculations independent of the system that is communicating with them. A few questions: What type of microprocessor…
Shrout1
3 votes, 1 answer

Self-signed SSL certificate in multiple devices - Is this secure enough?

We are trying to design a solution where we have several Smart devices and we can control every smart device from multiple phones. We will generate a Self-signed SSL Server Certificate and embed that in all the smart devices. And we will include the…
AndroidDev
3 votes, 1 answer

What are the new risks of using hyperconvergent systems?

There is a trend called "hyperconvergence" where computation, storage and network are all in the same system. I think that this is a step back (everything again in the same machine, like old times) but it is supposed to be better for…
Eloy Roldán Paredes
2 votes, 2 answers

Using separate HAProxy and API tiers, how can I ensure a request came from HAProxy?

I have two machines and a HAProxy machine doing SSL termination and accepting client certs successfully. How can I configure HAProxy to ensure that the messages coming into the API box are from HAProxy itself, and not from a third party? These…
Paul42
2 votes, 0 answers

If someone hacks our server, how can we prevent them from decrypting data stored in Vault?

I have been tasked with evaluating Vault in our company and the first question asked by an architect was: If someone hacks our server, how can we prevent them from decrypting data stored in Vault? Due to my limited knowledge of Vault, I am unable…
user77572