What are the steps to secure Winform Application

I have a question to ask or advice to seek. Is there a need to secure a WinForms application in an intranet environment? Clearly, there is no external threat and only authorized personnel have access to the intranet environment, so I am not sure if there is a need to secure it. Unless it's an insider threat; however, even then it's still impossible, as none of the necessary tools are available or downloadable within the environment.

The only threat I can foresee is the transparency of my application. Within my WinForms application folder, the source files are available to anyone, and a user might have the ability to understand them and reverse engineer those source files.

So I’m asking, based on the description above:

  1. Aside from parameterized queries or input sanitation, what other threats have I missed?
  2. How do I better secure those source files? Obfuscation? (Any guide would be appreciated!)

OAuth 2.0 | How to manage a user session in a Single Page Application running in an iframe?

I'm new to the security domain, and recently I have learned about OAuth 2.0/OpenID Connect and JWT tokens. I have an existing REST-based web application where I need to implement security.

Server

Application A: Spring Boot back-end application server, with some REST endpoints exposed, connected to a MySQL database.

Front End

Application B: Spring Boot web application which has some JSP pages for login and some other template features (also connected to the same MySQL database used by the back-end server).

Application C: Inside application B we have an iframe in which an Angular app is running; the Angular app calls the back-end server and shows data.

Also in future we want to use SSO for our application as well.

Current Security

At the moment we don't have any security on the back-end server (i.e. we can simply call REST endpoints without any authentication). Application B has basic login security implemented via Spring Security. The user logs in on application B and then he/she can use application C (Angular) as well. The user session is managed at application B; when the session expires, users are forced to log out.

Oauth2 Authorization

What we are trying to achieve is to make the server (Application A) an OAuth2 resource server and OAuth2 authorization server. Application B (JSP front end) will have the database connection removed from it, as well as the login controller; application B will call the OAuth2 server to authorize the user with the "password" flow, and when application B receives the access_token and refresh_token it will then somehow pass them to the iframe (Angular app) to store these tokens inside a cookie, and on every subsequent request to the server Angular will add the access token to it.

I've read articles saying that OAuth 2.0 has deprecated the use of the "Implicit Flow", and that the "Authorization Code Flow" is preferred. I am having a very hard time understanding how this flow can be used for single page applications (SPAs like Angular). Also, where should the access_token and refresh_token be stored if I use the implicit flow? I'm aware that storing both tokens in cookies is not a good practice.

Also, how do I manage the user session now? What I have gathered so far is that, on requesting the resource server with the Bearer access token, when we get an unauthorized response, we'll then request a new access token with the help of the refresh token, but in the case where the refresh_token is also expired I will force the user to the login screen. Is this the right approach?

Sorry for the long context; any help will be highly appreciated. Thanks.
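The refresh-on-401 handling the question sketches (send the Bearer token, refresh once on an unauthorized response, fall back to the login screen when the refresh token is rejected too), written out as an added example that is not the asker's code. It keeps tokens in memory instead of cookies (an assumption), and the `/oauth/token` path and the fake server standing in for Applications A and C's back end are constructed so it runs offline.

```javascript
// Added example, not the asker's code. Tokens are kept in memory rather than
// cookies (assumption); the '/oauth/token' path and fake server are constructed.
function createSessionClient({ fetchImpl, tokenUrl, onSessionExpired }) {
  let tokens = { access: null, refresh: null };
  // Trade the refresh token for a new access token; false if the server rejects it.
  async function refresh() {
    const res = await fetchImpl(tokenUrl, { method: 'POST',
      body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: tokens.refresh }) });
    if (!res.ok) return false;
    const body = await res.json();
    tokens = { access: body.access_token, refresh: body.refresh_token ?? tokens.refresh };
    return true;
  }
  // Bearer request; on 401 refresh once and retry, otherwise drop tokens and go to login.
  async function request(url, init = {}) {
    const send = () => fetchImpl(url, { ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${tokens.access}` } });
    const res = await send();
    if (res.status !== 401) return res;
    if (tokens.refresh && (await refresh())) return send();
    tokens = { access: null, refresh: null };
    onSessionExpired();
    return res;
  }
  return { request, setTokens: (t) => { tokens = { ...t }; }, getTokens: () => ({ ...tokens }) };
}

// Constructed stand-in for the resource server plus authorization server (no network).
// 'acc1'/'ref1' are the initial tokens; a successful refresh rotates to 'acc2'/'ref2'.
function makeFakeServer() {
  let validAccess = 'acc1', refreshValid = true;
  const reply = (status, data) => ({ ok: status < 400, status, json: async () => data });
  const fetchImpl = async (url, init = {}) => {
    if (url === '/oauth/token') {
      if (!refreshValid) return reply(400, { error: 'invalid_grant' });
      validAccess = 'acc2';
      return reply(200, { access_token: 'acc2', refresh_token: 'ref2' });
    }
    const bearer = ((init.headers || {}).Authorization || '').replace('Bearer ', '');
    return bearer === validAccess ? reply(200, { data: 'ok' }) : reply(401, {});
  };
  return { fetchImpl, expireAccess: () => { validAccess = null; }, revokeRefresh: () => { refreshValid = false; } };
}
```

Drive it by calling `setTokens` after the password-flow login and routing every API call through `request`; `onSessionExpired` is where the Angular app would navigate to the login screen.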

Is it safe to open a server application on the internal network to the public internet?

I am a programmer, but I am currently learning about web development in general. I'm creating a server on my localhost using Node.js and Express. It's available on my localhost, but I want to test it with a domain I have, so I can access it from any device anywhere.

What I decided to do was change my router settings to direct any traffic it gets on its IP to my computer's internal IP on port 3000, so anyone can access the HTML pages from my local machine. This was working quite well.

But after some hours of working, Bitdefender Antivirus alerted that it had blocked some attacks from a specific IP on port 3000. This led me to question how safe it was to be doing this. The server is running on my home machine, which has my regular files and documents.

Of course I'm only serving the HTML pages for the site, but can someone kindly explain the security implications of using your regular home router as a server as opposed to a dedicated server or a web hosting service?

Note 1: I'm not interested in other aspects such as bandwidth, since that's not going to be a problem.

Note 2: I'm also using Netlify's free web hosting right now as an alternative (or instead of the alternative), but it's awfully slow to load my simplest HTML page. It takes a while (inconsistently, as well) before the browser can even resolve the domain, and then it loads the content progressively and slowly (I mean you see things like the main image slowly reveal). When using my own router it's blazingly fast, and not just on my local machine.

Deauthorization bug in a messenger application – how serious is this?

My question refers to a behavior on a production system with several million chat users.

Some time ago I changed my account password and removed all devices connected to my account. The next day I noticed that during the night I still received all messages addressed to me by push notification on my mobile phone. Then I tried the same thing with another account and an emulated Android phone and ended up with the same results.

The app requires login data, but all private messages are still delivered to my deauthorized phone via push notifications. The deauthorized devices no longer appear on the account page as connected devices.

After about a week of trying to explain to the support team what my problem is, it was finally taken more seriously. However, they can't tell me what devices are connected to my account and who is able to read my messages right now. I was simply told that no suspicious behavior was noted.

I have been spying on my own messages from my mobile phone for over 14 days now.

Question 1: Do you have any idea what kind of problem this is and how hard it is to write a fix for it?

Question 2: Could this situation possibly be applied to accounts that were never connected to the mobile phone?

Question 3: Who, apart from support, can I contact, and how long should I wait until I approach someone else? I have already been informed that they might not get back to me.

Securing application server for a single user

I'm building a simple dashboard app for myself, but I want to have it on multiple devices – hence the server and front end. As I will be the only user who will access the application server, what security should I implement?

Stack: Postgres, Ktor (Kotlin) server, HTTPS, REST API only, front end.

I'll run an AWS Lightsail instance, since I don't need anything heavy. Postgres and the application server will be there, with only ports 443 and 22 open. The front end will be on S3 with CloudFront.

I’m doing this because it’s easier for me to make a browser "app", than to make an Android app + something for desktop and keep them in sync.

I'll be using the app from multiple networks: at home (where I don't have a static IP, which would solve some of the problems), from a mobile network, from work, when traveling to other countries, etc.

For background, I've been working on the server side for almost 3 years: Spring + Hibernate, Postgres. I have a fair knowledge of Linux, hosting a server on it, some of the AWS services, and basic knowledge of database administration. I've done a bit of front end, but I'll have to get back to that soon. I have almost no knowledge of security beyond basic JWT and SSH.

SSL cert for a client-side web application: is it needed?

Introduction

I have tried to find a good answer for this, but I haven't found a good article on the topic.

In the bigger picture there are 2 types of client applications: one that runs on the server and one that you download and that runs in your browser.

My question is about the one that runs on your machine (the one you download on first visit – Blazor WebAssembly, to be specific).

Questions

Do I need to enable SSL (HTTPS) for this application, or for the web server that hosts this application as well, or is it not needed in the end?

Is having only the API connection encrypted enough?

Background

Yes, this is a cost-saving measure, since this is for my hobby project and I would like to keep running costs as minimal as possible. But since I still exchange data that should not be seen by a 3rd party, this application needs to be secure.

To enable HTTPS I would need a second static IP, which is $3 a month (which is not much), but again, it is an additional cost for me that I would rather not have.

In an Arm TrustZone based Trusted Application (TA), how can a remote party tie an output to a particular TA?

I've been looking at the following figure, which shows that, with the Arm TrustZone architecture, the resources of a system can be divided into a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE).

[Figure: system resources split into a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE) under Arm TrustZone]

Here I'm trying to understand the following: suppose a remote party wants a particular trusted application (TA) running in the TEE to do some computation on his input. How can this remote party be assured that the computation is actually done by the correct TA?