Solved

web apps uploaded files

Posted on 2013-12-02
15
324 Views
Last Modified: 2013-12-18
Our web development team are developing a web app to handle tenders for procurement exercises. They need to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share. What kind of security designs would you be looking for in your application here to accomplish this ? For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)? I am not a developer myself so please keep answers basic management friendly if possible.
0
Comment
Question by:pma111
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 7

Assisted Solution

by:dimmergeek
dimmergeek earned 125 total points
ID: 39690543
Instead of develeoping your own app, why not use SharePoint?  It is designed for exactly this.  Users can checkout docs, edit, modify and re-upload.  You will have a living docuent history with all revisions and know who made what changes when...
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 125 total points
ID: 39690578
For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)?

If you have documents that you do not want the users to update, I would prevent them from uploading into that folder, give them read-only on that directory or those documents. If normal users cannot upload, then you simply have to look at the modified file timestamp to determine that it hasn't been altered.

You can't control what users do to the document when it is on their computer. It is no longer your document at that point, it is theirs. So preventing them from uploading is probably your best option.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690591
For apps that allow you to upload documents, is there typically a default folder where the files go to, say on a server running IIS, would there be default IIS folders where documents would reside, or is the folder where the document ends up totally dependant on the code of the application? I was thinking if the docs are uploaded to a server share i.e. default IIS folders, then anyone with access to those directories could also amend the files.
0
 
LVL 18

Expert Comment

by:Jerry Miller
ID: 39690630
I wouldn't store documents on the web server. There should be a file share or FTP server used for this purpose. The file location can determined through code by the developers.

If you store files on the IIS server, and many of us have to due to budget concerns, create a folder for that purpose and only grant read permissions to all users except administrators.

If the application is still in design phase, you can have them explore role based authentication. This will allow them to determine a users access to a resource (page, folder, etc.) based on the authenticated users role in the system. This gives you some flexibility and provides security on a resource level.
0
 
LVL 31

Accepted Solution

by:
Paul Sauvé earned 125 total points
ID: 39690639
Another solution is to have those who tender offers digitally sign the Word document.

Digitally Sign Microsoft Office DocumentsProve document origin, add approval signatures, and prevent tampering
A digital signature is the virtual equivalent of a wet ink signature, carrying the signer’s identity and assuring the reader of the document’s integrity.

Placing a digital signature on a document proves the information originated with the signer and has not been altered, allowing secure electronic document workflows to replace tedious, paper-based processes.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690644
Thanks jmiller1979 - is access to what users can do with uploaded documents (i.e. read only, modify etc) configured somewhere within IIS? Or do the actual windows NTFS permissions transfer to the application itself? I was never sure how the servers file system, app and IIS tie up together when it comes to access control?
0
 
LVL 3

Author Comment

by:pma111
ID: 39690659
paulsauve - where does the digital signature take place? Is this done with special software before you upload the document? Or is this something that takes place on the web server itself, and sends perhaps like a digital receipt to the uploader?

I was just a bit unsure how the uploader would know if their document had been edited, and how easy it would be to spot that the document had been edited? Or how a process would work so that the procurement team could demonstrate at a later date they hadn't amended the actual content of the document, if say they downloaded the document and saved it to an NTFS share with all the other tender documents .
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Assisted Solution

by:bunnyville
bunnyville earned 125 total points
ID: 39690705
I cannot imagine why you'd want to store files on the IIS servers themselves with documents that sensitive. I would agree with  dimmergeek that SharePoint is built to do this very sort of thing and handle security as well.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39690781
It is incumbent upon the author of the document to procure a digital signature, also called a Security Certificate, and insert it in the document before sending it.

You can add this as a requirement to those who tender offers. IMHO, it is really the only way to assure the integrity of a document. I would attach a Word doc, but my email address will show up... See my profile.....
0
 
LVL 3

Author Comment

by:pma111
ID: 39690804
Any particular view Paulsauve why the sharepoint type application and access control is less secure than the digital signature option?
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39690899
SharePoint can handle everything being discussed here, require no application development and can be deployed right away in you Microsoft shop.  Additionally, you get support from MS, as opposed to growing pains of developing an app and needing to manage/support it yourself.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691088
My understanding of your problem is: to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share.

My view is that if you DON'T have SharePoint, a digitally signed document is obviously an easier path than developing or purchasing software. And it will be up to those submitting documents to assure that the docs are digitally signed. These certificates foe MS documents can be had for less than $100 per year! Digital Signatures for Word Documents
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39691093
paulsauve, that is a great solution, but still requires the user to perform the action of attaching the signature.  You're still relying on a human to do as he/she is asked.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691103
If a supplier wants to do business with you and digitally signed documents are a requirement to get in the door, then they will most likely comply with the requirement.

But, obviously, this is not the ONLY solution - it's the solution I suggested.
0
 

Expert Comment

by:bunnyville
ID: 39691472
Agree with paulsuave
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
I've been asked to discuss some of the UX activities that I'm using with my team. Here I will share some details about how we approach UX projects.
This video teaches users how to migrate an existing Wordpress website to a new domain.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now