Understanding principles of security: Integrity

The principles of Security

The foundational principles of security are confidentiality, integrity and availability.
These principles, known as the CIA triad, are a guideline for information security in an organization.

Integrity

Integrity is the accuracy, consistency, and trustworthiness of data during its entire life cycle. Another term for integrity is quality.
Data must remain unaltered in transit and must not be changed by unauthorized entities.
Methods used to ensure data integrity include hashing, data validation checks, data consistency checks, and access controls.

Hashes and Checksum

The process of hashing involves passing data through a cryptographic function, called a hash or digest function.
This process yields a small value (relative to the size of the original data) that uniquely identifies the data.
Depending on the algorithm used, the value's size is usually 128 or 160 bits.
A checksum or hash can be used to verify the integrity of the data during transfer.

Hashing is a one-way function that creates a fixed-length output (known as the hash, hash value, fingerprint, message digest, and so on) from an input of any length.
Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. These hash functions are built on complex mathematical algorithms.

For example, Message Digest 5 (MD5) is a 128-bit hash algorithm. This means that no matter what the size of the input data is, the output hash will always be 128 bits long.
Hashing is not an encryption algorithm. Instead, hashing is used to produce a unique identifier of data without modifying the original data. The data could be a file, a hard drive, a network-traffic packet, or an email message.
The hashed value is used to detect when changes have been made to a resource.
For example, when a hard drive is being imaged to create an exact duplicate, a hash of the original drive is produced before the duplication process, so that the image can later be compared against it.

Fig 1. Summary of hashing algorithms

A hash tells you nothing about the data, but it uniquely identifies it.
The hashed value is simply there for comparison.

Fig 2. The hash function operates on fixed-size blocks of data

Writing a simple Hash Calculator with AngularJS, HTML5, C# and WCF.

I've written an app to demonstrate how to implement hash functions in a REST service.
The app communicates with a WCF REST service that uses the C# abstract class System.Security.Cryptography.HashAlgorithm to compute the hashes.

  1. The user enters the text to hash and selects the algorithm to use.
  2. The user submits the information to the service in order to get the hash code.
  3. The hash web service presents the hash code to the user.

Testing with different algorithms, we can see how the length of the output changes.

Fig 3. Using the MD5 algorithm.
Fig 4. Using the SHA1 algorithm.
Fig 5. Using the SHA256 algorithm.
Fig 6. Using the SHA384 algorithm.
Fig 7. Using the SHA512 algorithm.
Fig 8. Changing the text, we can see a totally different output, but no change in the length.
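The behaviour shown in the figures above (one fixed output length per algorithm, a completely different digest after a one-character change) and the integrity check from the first section, as an added example written for this page rather than the post's WCF service; it assumes .NET 5 or later for Convert.ToHexString and the constructed sample messages are not from the post.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the post's WCF service): digest a message with each
// algorithm the calculator offers and use the digest as an integrity check.
public static class IntegrityDemo
{
    // Map the algorithm name chosen by the user to a HashAlgorithm instance.
    public static HashAlgorithm Create(string name) => name.ToUpperInvariant() switch
    {
        "MD5"    => MD5.Create(),    // 128-bit digest; no longer collision resistant
        "SHA1"   => SHA1.Create(),   // 160-bit digest; no longer collision resistant
        "SHA256" => SHA256.Create(), // 256-bit digest
        "SHA384" => SHA384.Create(), // 384-bit digest
        "SHA512" => SHA512.Create(), // 512-bit digest
        _ => throw new ArgumentException($"Unsupported algorithm: {name}", nameof(name)),
    };
    // Hash arbitrary bytes and return the fingerprint as lower-case hex.
    public static string ComputeHex(string algorithm, byte[] data)
    {
        using HashAlgorithm h = Create(algorithm);
        return Convert.ToHexString(h.ComputeHash(data)).ToLowerInvariant();
    }
    // Integrity check: recompute the digest of the received data and compare it
    // with the digest received alongside it, in constant time.
    public static bool Verify(string algorithm, byte[] data, string expectedHex)
    {
        using HashAlgorithm h = Create(algorithm);
        byte[] actual = h.ComputeHash(data);
        return CryptographicOperations.FixedTimeEquals(actual, Convert.FromHexString(expectedHex));
    }

    public static void Main()
    {
        // Constructed sample message and a copy with a single character changed.
        byte[] original = Encoding.UTF8.GetBytes("Transfer 100 EUR to account 42");
        byte[] tampered = Encoding.UTF8.GetBytes("Transfer 900 EUR to account 42");
        foreach (string alg in new[] { "MD5", "SHA1", "SHA256", "SHA384", "SHA512" })
        {
            string hex = ComputeHex(alg, original);
            // Output length is fixed per algorithm: 4 bits per hex character.
            Console.WriteLine($"{alg,-6} {hex.Length * 4,3} bits  {hex}");
            Console.WriteLine($"       original ok: {Verify(alg, original, hex)}  tampered ok: {Verify(alg, tampered, hex)}");
        }
    }
}
```

A bare digest only detects modification when the digest itself cannot be replaced along with the data; when both travel over the same channel, an HMAC or a signature over the data is needed, and MD5 and SHA-1 should not be relied on against a deliberate attacker.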

Conclusion

Keep in mind that hash functions do not encrypt the data. They use the data to make a fingerprint or snapshot of the data that is given to you as a code.
That code is used to determine whether or not the data has been altered. If the data you receive has been altered, you will not get the same code as for the original data.


Download example source code.

How to use Multiple Active Result Sets with ADO.NET

Multiple Active Result Sets (MARS) is a feature supported by ADO.NET that allows the execution of multiple batches on a single connection. In previous versions, only one batch could be executed at a time against a single connection. When using a MARS-enabled connection, multiple logical batches can be executed on a single connection. Executing multiple batches with MARS does not imply simultaneous execution of operations.

To access multiple result sets using SqlDataReader objects, multiple SqlCommand objects will need to be used. When MARS is enabled, each command object used adds an additional session to the connection.

The following program demonstrates how to use a SQL Server connection with MARS enabled.

Fig 1. MARS-enabled connection string
Fig 2. Data access class with two commands.
Fig 3. Main program.
Fig 4. Running the example.


Download example source code.

How to execute simple Database Queries with VB .NET

The SqlCommand class in the .NET Framework Data Provider has four methods that you can use to execute SQL
statements:

  1. ExecuteScalar: Executes a query that returns a single scalar value.
  2. ExecuteReader: Executes a query that returns a result set.
  3. ExecuteNonQuery: Executes a data update statement or a catalog update statement.
  4. ExecuteXmlReader: Executes a query that returns an Extensible Markup Language (XML) result set; this method is only available in the SqlCommand class.

To execute a simple database query

  1. Import the System.Configuration namespace
  2. Use the ConfigurationManager.ConnectionStrings property to get a collection of connection strings from the application configuration file.
  3. Index into the collection of connection strings by using the programmatic name of the connection string you want to access.
  4. Use the ConnectionString property to get the connection string information.
  5. Create a connection object.
  6. Create a command object.
  7. If you want to execute an SQL statement, set the CommandType property of the command object to the
    CommandType.Text enumeration value. If you want to call a stored procedure, set the CommandType property of the command
    object to the CommandType.StoredProcedure enumeration value.
  8. Call the Open method on the connection object.
  9. Call the ExecuteScalar method on the command object. Assign the result to a suitably typed variable.
  10. Call the Close method on the connection object.

The following example shows how to execute a query to determine the number of products in the AdventureWorks2016CTP3 database
on the local SQL Server instance.
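The ten steps above carried through in code, combined with the MARS-enabled connection from the previous post, as an added example that is not either post's own listing. It is written in C# against the same ADO.NET classes the VB.NET program uses; it assumes an App.config connection string named "AdventureWorks" (a hypothetical name), the Production.Product and Production.ProductSubcategory tables of AdventureWorks2016CTP3, and C# 8 syntax.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not the posts' own listings). Assumes an App.config connection
// string named "AdventureWorks" (hypothetical name) for a local SQL Server with
// AdventureWorks2016CTP3; the table and column names are from that schema.
public static class AdoNetDemo
{
    // Read the configured connection string, then force MARS on so that a
    // second command can execute while a data reader is still open.
    public static string BuildConnectionString(string name)
    {
        string configured = ConfigurationManager.ConnectionStrings[name].ConnectionString;
        return new SqlConnectionStringBuilder(configured) { MultipleActiveResultSets = true }.ConnectionString;
    }
    // ExecuteScalar: the query returns exactly one value, the product count.
    public static int CountProducts(SqlConnection conn)
    {
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM Production.Product", conn);
        cmd.CommandType = CommandType.Text; // a SQL statement, not a stored procedure
        return (int)cmd.ExecuteScalar();
    }
    // Two commands on one connection: the outer reader stays open while the inner
    // lookup runs. Without MultipleActiveResultSets=True the lookup throws an
    // InvalidOperationException about an already open DataReader on the connection.
    public static void ListProductsWithSubcategory(SqlConnection conn)
    {
        using var products = new SqlCommand("SELECT TOP 3 ProductID, Name, ProductSubcategoryID " +
            "FROM Production.Product WHERE ProductSubcategoryID IS NOT NULL ORDER BY ProductID", conn);
        using var lookup = new SqlCommand(
            "SELECT Name FROM Production.ProductSubcategory WHERE ProductSubcategoryID = @id", conn);
        lookup.Parameters.Add("@id", SqlDbType.Int); // parameterised, never concatenated into the SQL text
        using SqlDataReader reader = products.ExecuteReader();
        while (reader.Read())
        {
            lookup.Parameters["@id"].Value = reader.GetInt32(2);
            string subcategory = (string)lookup.ExecuteScalar(); // second active batch on the same connection
            Console.WriteLine($"{reader.GetInt32(0),5} {reader.GetString(1),-32} {subcategory}");
        }
    }

    public static void Main()
    {
        using var conn = new SqlConnection(BuildConnectionString("AdventureWorks"));
        conn.Open();
        Console.WriteLine($"Products: {CountProducts(conn)}");
        ListProductsWithSubcategory(conn);
    }
}
```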

Fig 1. Main program
Fig 2. App config
Fig 3. Output program


Download example source code.

Understanding OOP Inheritance with Python

One of the most common goals of OOP is code reusability.
Mechanisms such as inheritance contribute to achieving this goal.

Inheritance

Inheritance is the most widely used mechanism for reducing duplicated code, since it allows
methods defined in a superclass to be reused when defining new subclasses.
The following example uses the class Person as its superclass.

Fig 1. Inheritance
Fig 2. Person Class

A person can also be an employee; besides talking, an Employee can show its earnings, so we will
declare a class called Employee.

Fig 3. Employee Class

It inherits the talk() method of the Person class. The main program that exercises this inheritance
in this example:

Fig 4. Main program

You will notice how the "John" object, which is now an instance of Employee,
continues to behave as an instance of Person because it has inherited its
methods.

Fig 4. Run the example
$ py Sample1OOP.py


Download example source code.

Understanding RESTFul (POST, PUT and DELETE) services with Windows Communication Foundation (WCF) and Oracle XE.

The REST model relies on the application that accesses the data sending the appropriate HTTP verb as part of the request used to access the data. Besides GET, the HTTP protocol supports other verbs such as POST, PUT, and DELETE, which you can use in a REST service to create, modify, and remove resources, respectively. Using these verbs you can build WCF services that can insert, update, and delete data.

Good practice is to use HTTP POST requests for operations that add new records, HTTP PUT requests for operations that update existing data, and HTTP DELETE requests for operations that remove records.

POST is an exception in certain regards. It is frequently misused in place of DELETE and PUT, because sending DELETE or PUT is either not permitted or technically impossible from the browser's perspective, so HTTP POST requests are sometimes used to update and delete data as well.

Use the [WebInvoke] attribute for the POST, PUT and DELETE scenarios. This attribute identifies a URI, but it can also indicate the type of request message to which the operation responds.

In the following example, I write a REST WCF Service to enable insert, update and delete operations for Oracle HR Schema.

You can learn about the HR Schema in this post.

The following table shows the URIs and the parts of the interface that I will implement for each URI in the example.

URI              Method  Output  Input
/employees       POST    bool    An Employee object
/employees/{id}  PUT     bool    An Employee object with the id specified
/employees/{id}  DELETE  bool    An employee id

The main steps for this exercise are as follows:

  1. Use the EmployeesDac class, which contains the method for accessing the database.
  2. Write the EmployeesServiceImplementation class with the following code (fig 1).
    Fig 1. EmployeeServiceImplementation.cs
  3. Write a new interface called IEmployeesServiceContract and type the following code(fig 2).
    Fig 2. IEmployeeServiceContract.cs
  4. Write the EmployeesService.svc file that references the service implementation with the following code (fig 3).
    Fig 3. EmployeeService.svc
  5. Finally, add the following config file (fig 4)
    Fig 4. Web.config
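The contract and implementation from figs 1 and 2 as they follow from the URI table, written here as an added example rather than the post's own listings. The Employee class (assumed to expose an EmployeeId property) and the EmployeesDac class (assumed to expose Insert, Update and Delete methods) are taken as given from the post and not shown; the id consistency check in UpdateEmployee is an addition.

```csharp
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;

// Added example (not the post's own listings): a service contract and
// implementation matching the URI table above. Employee (with an EmployeeId
// property) and EmployeesDac (Insert/Update/Delete methods) are assumed.
[ServiceContract]
public interface IEmployeesServiceContract
{
    // POST /employees : the request body carries the new Employee as JSON
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "/employees",
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    bool InsertEmployee(Employee employee);

    // PUT /employees/{id} : URI template variables always arrive as strings
    [OperationContract]
    [WebInvoke(Method = "PUT", UriTemplate = "/employees/{id}",
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    bool UpdateEmployee(string id, Employee employee);

    // DELETE /employees/{id} : no body, the id comes from the URI only
    [OperationContract]
    [WebInvoke(Method = "DELETE", UriTemplate = "/employees/{id}",
               ResponseFormat = WebMessageFormat.Json)]
    bool DeleteEmployee(string id);
}

public class EmployeesServiceImplementation : IEmployeesServiceContract
{
    private readonly EmployeesDac dac = new EmployeesDac();

    public bool InsertEmployee(Employee employee) => dac.Insert(employee);

    public bool UpdateEmployee(string id, Employee employee)
    {
        // Reject a body whose id disagrees with the URI, so a caller cannot
        // address one record while updating another; answer 400 instead of 200.
        if (!int.TryParse(id, out int uriId) || uriId != employee.EmployeeId)
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.BadRequest;
            return false;
        }
        return dac.Update(employee);
    }

    // A non-numeric id is simply not deleted; the DAC receives a parsed int only.
    public bool DeleteEmployee(string id) => int.TryParse(id, out int uriId) && dac.Delete(uriId);
}
```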

Testing the service with Soap UI.

The WCF service that you have built runs the same way as a regular Web application and is
hosted by a Web Server.

If you browse to the .svc file, you can view the help page for the WCF service. It verifies that the WCF
service has been configured correctly (you will see error messages if the WCF service cannot start) and
provides information showing how you can connect to the service.

Once we've made all the required settings, running the tests is very easy with SOAP UI. Before running, we can
define the JSON request or the query string parameters. Use the green button to start running the test.

Testing the HTTP-POST request: after the execution completes, the result window displays the JSON response.
Fig 5. HTTP-POST Request
Testing the HTTP-PUT request: after the execution completes, the result window displays the JSON response.
Fig 6. HTTP-PUT Request
Testing the HTTP-DELETE request: after the execution completes, the result window displays the JSON response.
Fig 7. HTTP-DELETE Request

Download example source code.

The static keyword in C#

The static keyword declares members (attributes, methods) that are associated with the class rather than the instances of the class.

Sometimes it is desirable to have a variable that is shared among all instances of a class. For example, you could use this variable as the basis for communication between instances or to keep track of the number of instances that have been created.

You achieve this shared effect by marking the variable with the keyword static. Such a variable is sometimes called a class variable to distinguish it from a member or instance variable, which is not shared.

Fig1. UML Object Diagram showing the Client class and two unique instances.

In this example, every object that is created is assigned a unique serial number, starting at 1 and counting upwards. The variable counter is shared among all instances, so when the constructor of one object increments counter, the next object to be created receives the incremented value.

A static variable is similar in some ways to a global variable in other languages.

Listing 1. Example marking the variable counter with the keyword static.

If a static member is not marked as private, you can access it from outside the class. To do this, you do not need an instance of the class; you can refer to it through the class name.

Listing 2. Example referring to the static variable counter.

Sometimes you need to access program code when you do not have an instance of a particular object available. A method that is marked using the keyword static can be used in this way and is sometimes called a class method.

Listing 3. A method marked using the static keyword.
Fig 2. Output of the program.

You should access methods that are static using the class name rather than an object reference.

Because you can invoke a static method without any instance of the class to which it belongs, the this keyword is not applicable: static variables and methods exist independently of any objects of the class, even when no objects of that class exist. The consequence is that a static method can access only its local variables, static attributes, and its parameters. Attempting to access non-static attributes causes a compiler error.

Listing 4. A complete example
Fig 3. Output for the complete example

You should be aware of the following when using static methods:

  • Inside the basic console application, we have the startup procedure Main. Main is defined as a static member, which means we do not have to have an instance of the enclosing class.
  • Constants are considered static members. Therefore, they do not need to be (and in fact cannot be) marked with the static keyword.
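The serial-number counter, the class method and the constant described above, as an added example that is not Listings 1-4 from the post. It goes one step beyond them: the shared counter is incremented with Interlocked.Increment, so the class variable stays correct when instances are created from several threads at once.

```csharp
using System;
using System.Threading;

// Added example (not Listings 1-4 from the post): every Client receives a
// serial number from one static counter shared by all instances.
public class Client
{
    // Class variable: a single copy exists for the whole class.
    private static int counter = 0;

    // Instance variable: each object keeps its own serial number.
    public int Serial { get; }

    public Client()
    {
        // Interlocked.Increment keeps the shared counter correct when clients are
        // created from several threads (for example per request in a service);
        // a plain ++counter can hand two objects the same serial under contention.
        Serial = Interlocked.Increment(ref counter);
    }

    // Class method: invoked through the class name, no instance required. It may
    // use only its parameters, local variables and static members; referring to
    // Serial here would not compile because there is no `this` object.
    public static int CreatedSoFar() => counter;

    // Constants are implicitly static and may not carry the static keyword.
    public const string Kind = "Client";

    public static void Main()
    {
        var first = new Client();
        var second = new Client();
        Console.WriteLine($"{first.Serial} {second.Serial}");
        Console.WriteLine(Client.CreatedSoFar()); // accessed via the class name
        Console.WriteLine(Client.Kind);
    }
}
```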

Download the source code