-1

We have a developer debugging tool to help manipulate security section of a database that our product depends on. This tool's purpose is to inject state into database to reduce time to create test scenarios. The database is not typical database that one can manipulate using sql. Rather it is a binary file that only our tool can manipulate. This is a C# application.

If this tool goes outside our company (say someone emailed it to a customer who shared it somewhere public), that could open lot of security issues. We like to build intelligence into this tool so that it is usable within company or at partners network with whom we shared the tool. We have no knowledge of partner's network.

I am wondering what the suggested ways of implementing it?
Like:

  1. Ping company active directory server or exchange server. Allow the tool usage if you can reach one of these servers.

  2. Package a certificate with the tool that expires a month from build date. Always check if the cert expired or not before allowing usage of the tool.

  3. Modification of (2). Make every user to request a key to unlock the tool after specific date.

Before we go implement a solution, I am wondering if there is already a library that does this.

Thanks

videoguy
  • 1,732
  • 2
  • 24
  • 49
  • 3
    If all the tool does is manipulate the db, there is nothing stopping any of your protections from being defeated. The real question is: why is your DB accessible to this kind of manipulation? – Jonathon Reinhart Jun 18 '15 at 03:05
  • It is not typical database that you can access using sql. Better description is that it is a binary file that only our tool knows how to read and write. – videoguy Jun 18 '15 at 03:13
  • 1
    Sounds like you need authentication... for this tool as well as normal usage. – Jason P Jun 18 '15 at 03:18
  • ...until someone gets a hold of the tool, and reverse-engineers it, disabling whatever weak protections you come up with here. – Jonathon Reinhart Jun 18 '15 at 12:20

1 Answers1

0

Assuming you host "file" inside your organization and all parties just access it somehow. If you give both data and tools to modify it to external partners there is nothing really to stop them to modify data as they pleased (short of legal/administrative actions but that is outside of SO scope).

There is also really not much you can do to protect code running on user's machine irrespective if it is C# or native compiled code. .Net code is a bit easier to modify/bypass protections but if you concerned about securing access to a file you need to protect files/servers rather than worry about client side code.

Usual solution to such problem - authentication and authorization: only allow authenticated users to access the file and only accept changes from authorized users.

If you use file based storage than inside your organization regular Windows domain accounts would work for authentication and regular file system permissions would work for authorization.

For outside partners you probably would need server to perform modification of the file(s) and authentication/authorization possibly using ADFS or Oauth.

Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179