Solved

web apps uploaded files

Posted on 2013-12-02
15
344 Views
Last Modified: 2013-12-18
Our web development team are developing a web app to handle tenders for procurement exercises. They need to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share. What kind of security designs would you be looking for in your application here to accomplish this ? For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)? I am not a developer myself so please keep answers basic management friendly if possible.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 7

Assisted Solution

by:dimmergeek
dimmergeek earned 125 total points
ID: 39690543
Instead of develeoping your own app, why not use SharePoint?  It is designed for exactly this.  Users can checkout docs, edit, modify and re-upload.  You will have a living docuent history with all revisions and know who made what changes when...
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 125 total points
ID: 39690578
For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)?

If you have documents that you do not want the users to update, I would prevent them from uploading into that folder, give them read-only on that directory or those documents. If normal users cannot upload, then you simply have to look at the modified file timestamp to determine that it hasn't been altered.

You can't control what users do to the document when it is on their computer. It is no longer your document at that point, it is theirs. So preventing them from uploading is probably your best option.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690591
For apps that allow you to upload documents, is there typically a default folder where the files go to, say on a server running IIS, would there be default IIS folders where documents would reside, or is the folder where the document ends up totally dependant on the code of the application? I was thinking if the docs are uploaded to a server share i.e. default IIS folders, then anyone with access to those directories could also amend the files.
0
Application Discovery Service in AWS

In the era of the cloud, customers migrating away from their existing on-premise infrastructure. This requires lots of planning, strategies, and effort to identify their existing resources and determine how best to migrate.  Datacenter migrations happen in four phases -

 
LVL 18

Expert Comment

by:Jerry Miller
ID: 39690630
I wouldn't store documents on the web server. There should be a file share or FTP server used for this purpose. The file location can determined through code by the developers.

If you store files on the IIS server, and many of us have to due to budget concerns, create a folder for that purpose and only grant read permissions to all users except administrators.

If the application is still in design phase, you can have them explore role based authentication. This will allow them to determine a users access to a resource (page, folder, etc.) based on the authenticated users role in the system. This gives you some flexibility and provides security on a resource level.
0
 
LVL 33

Accepted Solution

by:
Paul Sauvé earned 125 total points
ID: 39690639
Another solution is to have those who tender offers digitally sign the Word document.

Digitally Sign Microsoft Office DocumentsProve document origin, add approval signatures, and prevent tampering
A digital signature is the virtual equivalent of a wet ink signature, carrying the signer’s identity and assuring the reader of the document’s integrity.

Placing a digital signature on a document proves the information originated with the signer and has not been altered, allowing secure electronic document workflows to replace tedious, paper-based processes.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690644
Thanks jmiller1979 - is access to what users can do with uploaded documents (i.e. read only, modify etc) configured somewhere within IIS? Or do the actual windows NTFS permissions transfer to the application itself? I was never sure how the servers file system, app and IIS tie up together when it comes to access control?
0
 
LVL 3

Author Comment

by:pma111
ID: 39690659
paulsauve - where does the digital signature take place? Is this done with special software before you upload the document? Or is this something that takes place on the web server itself, and sends perhaps like a digital receipt to the uploader?

I was just a bit unsure how the uploader would know if their document had been edited, and how easy it would be to spot that the document had been edited? Or how a process would work so that the procurement team could demonstrate at a later date they hadn't amended the actual content of the document, if say they downloaded the document and saved it to an NTFS share with all the other tender documents .
0
 

Assisted Solution

by:bunnyville
bunnyville earned 125 total points
ID: 39690705
I cannot imagine why you'd want to store files on the IIS servers themselves with documents that sensitive. I would agree with  dimmergeek that SharePoint is built to do this very sort of thing and handle security as well.
0
 
LVL 33

Expert Comment

by:Paul Sauvé
ID: 39690781
It is incumbent upon the author of the document to procure a digital signature, also called a Security Certificate, and insert it in the document before sending it.

You can add this as a requirement to those who tender offers. IMHO, it is really the only way to assure the integrity of a document. I would attach a Word doc, but my email address will show up... See my profile.....
0
 
LVL 3

Author Comment

by:pma111
ID: 39690804
Any particular view Paulsauve why the sharepoint type application and access control is less secure than the digital signature option?
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39690899
SharePoint can handle everything being discussed here, require no application development and can be deployed right away in you Microsoft shop.  Additionally, you get support from MS, as opposed to growing pains of developing an app and needing to manage/support it yourself.
0
 
LVL 33

Expert Comment

by:Paul Sauvé
ID: 39691088
My understanding of your problem is: to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share.

My view is that if you DON'T have SharePoint, a digitally signed document is obviously an easier path than developing or purchasing software. And it will be up to those submitting documents to assure that the docs are digitally signed. These certificates foe MS documents can be had for less than $100 per year! Digital Signatures for Word Documents
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39691093
paulsauve, that is a great solution, but still requires the user to perform the action of attaching the signature.  You're still relying on a human to do as he/she is asked.
0
 
LVL 33

Expert Comment

by:Paul Sauvé
ID: 39691103
If a supplier wants to do business with you and digitally signed documents are a requirement to get in the door, then they will most likely comply with the requirement.

But, obviously, this is not the ONLY solution - it's the solution I suggested.
0
 

Expert Comment

by:bunnyville
ID: 39691472
Agree with paulsuave
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
Does your audience prefer people in photos or no people? How can you best highlight what you’re selling? What are your competitors doing, and what can you do that is different and unique from them?  Continue reading to learn how to make your images …
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question