Question

I currently have a desktop app written in Java (Swing) which talks to a C-based backend over SSL. I am trying to understand the pros/cons, from a security perspective, of moving to a web service model. There are multiple business and engineering reasons to do it, but our business data is very sensitive, so security trumps the other reasons.

I hear about Java security patches every other week, it seems, but hear similar things about web browser/server exploits. For the web services model we would plan to use Node.js running in Docker to isolate it. It would be talking to Redis and/or PostgreSQL only.

Explanation / Answer

Well, does your app actually need to hit the open internet, or can it simply exist on a company intranet?

The majority of 'Java exploits' are simply ways that Java's sandbox can be broken out of, and are of little consequence to legitimate Java applications, since it is really an apples-and-oranges comparison.

The majority of 'browser exploits' are in a similar vein (gaining access to a system or other data in the browser by breaking out of the browser's sandbox). Chrome helps a little bit with this, though.

That being said, the majority of 'web server' exploits are based around being able to execute your own code or extract data that you are not supposed to.

If you have a Java app talking directly to a C back-end via sockets, how locked down is your C app? The potential for damage can be quite high (since, depending on your software, you have the potential for ROP chain exploits or even direct code execution, as well as having your entire process's memory become available).

This would require a more sophisticated attacker.

On the other hand, if you have a COTS web server then you run the risk of having a less skilled attacker be able to run around your systems. And all rewrites are doomed to make the same mistakes that the original code made (even if the original programmer is still around).

I would personally stay away from Node.js simply because it is such an immature technology compared to other options.

What is the potential cost of compromise? What is the potential outcome of compromise? Who would have a vested interest in compromising said system? Is it data theft or data manipulation that will hurt the most?
