Questions tagged [architecture]
115 questions
1
vote
0
answers
27
views
Secure session management for browser-based screen sharing support tool
I'm designing a web-based screen sharing tool for customer support, where support agents need to view customers' screens without requiring any software installation.
The flow I'm considering is:
...
4
votes
4
answers
591
views
Ideal system architecture for sensitive data access through DMZ
I'm trying to figure out the best approach for handling external requests. I am working on a system where the application is currently sitting outside (DMZ) and the DB is inside. The specific port ...
4
votes
2
answers
119
views
Logging Strategy (high costs for storing all logs)
In our organization, we use a GCP setup with Kubernetes. We generate tons of firewall logs as we provide a digital service that generates a high volume of requests from our users. Storing all these ...
0
votes
0
answers
27
views
Is AIA or multi-tier architecture relevant?
I am working on a non-internet facing and internal/air-gapped system. The vendor providing the solution has architected their system with the application client and database on the same server.
I am ...
0
votes
0
answers
47
views
Is creating an internal API within a VPN a recommended practice for securing database access for customer-facing applications?
The InfoSec team of the client I work with has mandated that any customer-facing application's backend should not directly access the database for that application. They require we create another ...
0
votes
0
answers
93
views
Are centralized credentials an antipattern?
At my organization we have a lot of servers. We have many common manual maintenance tasks that we'd like to automate. There are currently three approaches we're fighting over internally:
Ops engineers ...
1
vote
2
answers
732
views
In general terms does the use of ARM architecture pose any security benefits or risks over other architectures such as x86 and x64?
For example considering that ARM has TrustZone technology, and a potential reduced attack vector because it is based on a simpler RISC (Reduced Instruction Set Computing) based architecture instead of ...
0
votes
1
answer
217
views
No CSRF token, instead session tokens?
Will a random-generated-session-key be enough, so that I can end the usage of CSRF token? The front end will receive the token when logged in. It will be stored in «local storage» at the client’s ...
1
vote
1
answer
147
views
In a system architecture, to what extent an admin user should have access to consumer resources?
Let's say I'm building a system, similar to a very simple ecommerce.
Users can sign up as consumer and start buying products.
Purchases are then stored in the database together with the order status, ...
1
vote
0
answers
159
views
Is there a real gain in terms of security by not using a reverse proxy?
I need to implement a web application consisting of the components
FE (Nginx + React.js)
BE (Java SpringBoot)
DB (MySQL)
For simplicity we will assume that the DB runs in localhost on BE's machine.
...
0
votes
0
answers
84
views
Prevention of User Tampering the API by Serverless clients which are in sync with the real world client
As we all know, never trust the client, when they send data to your server. However what if you prevent data manipulation by completely restructuring the architecture to something like the following:
...
0
votes
1
answer
1k
views
SSH over HTTPS or Directly open Non Standard port
We have a situation where we have an architecture that calls for a Web based UI for querying some data and the data input is through rsync over SSH. I think it would be easier to manage and more ...
0
votes
0
answers
127
views
Brute force prevention and alike with stateless API architecture
What are the patterns (best practices, whatever) to prevent brute force (and features alike) in stateless API architectures that keep the system stateless? Couldn't find anything regarding this topic.
...
0
votes
0
answers
114
views
Security Risks with Event Streaming
At a high level based on the technology of event store and streaming (i.e. Apache Kafka, Amazon Kinesis, etc.) to decouple systems and make them event driven systems. I was wondering what new ...
0
votes
1
answer
1k
views
Is there a difference between a bootkit and a ring-0 rootkit?
I understand the difference between a Ring-0 rootkit and a Ring-3 rootkit, in terms of their hierarchical depth in computational models. That is kernel mode and usermode, respectively.
I am confused ...
0
votes
0
answers
98
views
Network Segmentation - Single Firewall VM vs Multiple
I am currently implementing a new network with different segments. The separation of those segments is achieved using VLANs. To enable some segments to communicate with each other and to be reached ...
1
vote
1
answer
641
views
End To End Encryption Model
I have an architecture which requires a certain subset of data to be more heavily secured and encrypted. The main parameters which I believe meet the scope of the project are as follows:
Data should ...
1
vote
2
answers
1k
views
Refresh token replay detection
I'm trying to detect refresh token reuse / replay.
A typical approach:
send refresh token (on login or refresh)
create refresh token as opaque value (e.g. buffer from a CSPRNG)
base64 encode value ...
2
votes
0
answers
177
views
What are the "Design Patterns" for working with HSMs?
I've been attempting to learn about the different features and uses of HSMs, and I keep thinking that someone must have put together a set of design patterns for different ways that HSMs can be used ...
0
votes
0
answers
112
views
Are there any security architecture patterns in the same way there are software design patterns (GOF)?
So I've been googling around and couldn't find an answer to my question (I don't discount the option that I could be asking the wrong question after all).
I see there is a question that deals with ...
15
votes
1
answer
6k
views
Security considerations of x86 vs x64
What if any, are the security considerations of deciding to use an x64 vs x86 architecture?
0
votes
1
answer
434
views
Using an HSM to protect encrypted data even when a server is compromised
Imagine a system architecture where an API server is able to send a request to an HSM, and the HSM is able to decrypt some data for a particular user/customer, in order to serve some hypothetical ...
1
vote
0
answers
117
views
Do I place this service in the DMZ or datacentre (internal)?
I have set up a VM on our internal network and it is assigned an internal IP address. The VM requires connectivity to a couple of internet sites mainly Microsoft and ports are generally 80 and 443. ...
1
vote
1
answer
214
views
Should IDM be private or exposed for app login?
In the diagram below, I have two options for authenticating into a protected resource. Both options use an Identity & Access Management (IDM) tool (in this case keycloak) to store credentials and ...
1
vote
0
answers
138
views
Have hackers ever used a microarchitectural side channel to launch an attack?
I'm a student of computer architecture and I just got through a class on Hardware Security.
We spent a considerable amount of time learning about microarchitectural side channels, reading papers on ...
0
votes
1
answer
137
views
Vulnerability in which part of the Android architecture would allow an attacker to take control of the hardware [closed]
This question is intended for better understanding of security features of Android architecture.
In particular, I want to know what part of the architecture needs to be secure to prevent an attacker ...
3
votes
1
answer
3k
views
Propagating user context between microservices secured with M2M JWT tokens
We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow)....
0
votes
1
answer
135
views
Implications of querying OrientDB directly from front-end
Given that OrientDB exposes a REST HTTP API, and that it seems to have quite a few security features, what are the (especially security) implications of querying OrientDB directly from a front end web ...
1
vote
1
answer
791
views
Safety difference between running on localhost versus the private internal ip address?
I am wondering if there is any additional security increase by choosing to run your webserver on an internal private ip address and port like xyz.ab.cd.efg:8080 versus localhost:8080 or 127.0.0.1:8080
...
1
vote
1
answer
378
views
Is it acceptable to have SPA + API from security point of view?
We are building something like specific blogging social platform. Architecture was originally intended as to have:
single page application: all gui, rendered in the browser on the client
frontend: ...
0
votes
1
answer
386
views
Exploiting a service on 32bit OS on a 64bit processor with ShellCode
Let's theoretically assume I have an overflow vulnerability on a certain service I want to exploit.
The service resides in a 32bit Operating System on a 64bit Processor.
I'm attempting to wrap my head ...
2
votes
1
answer
113
views
Implications re security practices of full account access granted to third parties
I'm working with a company (say, Acme) that does some ongoing data collection and processing for me. The data in question is private but not all that sensitive. Part of Acme's service has password-...
0
votes
1
answer
568
views
Are SSH certificates more secure for service accounts?
I'm considering how to deploy a service that needs SSH access to many important boxes in my infrastructure. Rather than store a long-lived SSH private key in a key store that the service could request,...
1
vote
1
answer
3k
views
Should the Router or Firewall Come First?
Network scenario.... I have a typical enterprise network meaning
ISP > Edge Router > Firewall|DMZ > Switch > LAN
I know there are several debates about what device comes first, but ...
0
votes
1
answer
1k
views
API Key via Basic Auth: Send it as a username or as a password?
In APIs that authenticate with a single API key (eg a long random string) via Basic Auth, I have seen that most (eg Stripe, Unbounce) send the API key as the username, leaving the password field ...
0
votes
1
answer
120
views
Debating between architecture options for offline updating of Linux machines in a vertically segregated network
My coworker and I are discussing the pros/cons between two potential architecture options, and I would like to gather feedback on which option is better and why.
First, a description of the ...
0
votes
1
answer
124
views
a chain of 3 federated IdPs
My client has 5 different identity and access management solutions. Until now they have been asking each one of their suppliers to add 5 trusted parties to their IAM solution, implement different URLs ...
1
vote
0
answers
163
views
Is there any advantage in using Google's IAM on Android?
We are building a few corporate apps for field workers / front office. In most cases each user will have their own device, but there are some shared devices (for example reception). The devices are ...
0
votes
1
answer
2k
views
Where precisely are client X509 certificates stored?
Apologies for what might seem like a naive question, but there is a detail to PKI architecture between clients and servers, the answer to which I have so far not been able to come across no matter ...
3
votes
2
answers
601
views
How does a security countermeasure failure impact a system?
In the context of safety-critical systems, such as transportation systems, it is important to verify if such systems meet/do not meet safety requirements.
ISO26262 expresses these requirements as a ...
0
votes
2
answers
180
views
OAuth 2.0, what should it be returned in the authorize endpoint if the client_id is wrong and no redirect_uri is passed
We have been working on an OAuth 2.0 IDP implementation, and during the implementation of the authorize endpoint, I couldn't find in the RFC 6749, what should happen if the client_id is not passed in ...
2
votes
3
answers
4k
views
2 vs 3 tier network architecture
I am interested in how a 3-tier network topology (web/app/data) provides improved security than a 2-tier topology (web-app/data). I understand the concept of a DMZ as the initial contact point with ...
1
vote
1
answer
370
views
Separation of devices for VPN / Firewall [closed]
Our company has two separate firewall devices from different vendors (Checkpoint / Cisco) for firewall and VPN access.
We're currently evaluating the possibility of migrating to a newer, clustered ...
2
votes
1
answer
183
views
Multi Factor and order of authentication [duplicate]
I'm questioning the design and architecture around 2FA/MFA controls while authenticating to services and servers.
On major platforms(*), the end-user is:
first prompted for credentials (username/...
-1
votes
1
answer
144
views
what are steps to do in order to secure my appli web [closed]
I'm asked to secure an appli web and I don't know really which steps I can follow to secure my appli web.
0
votes
0
answers
459
views
Pros and cons of extending L3 to the network edge (routed access layer)?
Scenario: Greenfield network rebuild for a SMB distributed over ~10 small campuses with 1 fairly large central campus spread over ~ 100 Miles. You have almost no Cap-ex budget restriction (within ...
1
vote
0
answers
141
views
What would you do as first day of CSO or Head of CyberSecurity [closed]
I was asked this question at an interview today and was unable to give a structured answer since there are so many things a head of security can do.
The additional info that I had were:
- You can ...
0
votes
0
answers
110
views
How could an account-based service trust a checksum provided by a client-side application whose code is open source?
Say for example that I was a digital video game provider, and my games were played via a virtual machine. Let's also say that the code for this virtual machine were open source, and that this VM was ...
2
votes
1
answer
241
views
How can old hardware lead to a security failure?
I am working on critical cyber physical systems, and my work and research lead me to some questions. In the following, I assume that the attacker is not able to change the hardware of your system and ...
-2
votes
1
answer
177
views
If I put a variable in the private section of a class, will the variable have more protection against reverse engineering? [closed]
class LockdownUnlock{
    private:
        /*snip*/
        std::string rootCertificate; //Will this protect the data?
        /*snip*/
    public:
        /*snip*/
}LDUnlock;