The RAD Studio XE8 Summer (Northern Hemisphere) and Winter (Southern Hemisphere) of Security!The RAD Studio XE8 Summer/Winter of Security!
This blog post contains information and links covering secure development topics for Delphi, C++Builder and RAD Studio XE8 developers. You’ll find secure computing introductory topics and starting information for InterBase database, components, libraries, Backend as a Service (BaaS), Cloud, App Tethering and more. Throughout the Summer (or Winter if you live in the Southern Hemisphere), I’ll continue writing about secure topics and showing sample development projects. If you have specific secure development needs, send an email to email@example.com
InterBase® XE7 is a full-featured, high performance, encryptable, multiplatform and scalable relational database for developers who are looking to embed a low-cost, zero admin, lightweight secure database into their cross platform connected applications. With InterBase XE7 you get powerful access control, data change management, disaster recovery and journaling, as well as support for popular database drivers for increased deployment flexibility.
Data security is a hot topic! The loss of data via cyber attacks can lead to loss of customers and reputation, lead to regulatory action, and even expose you to large fines. InterBase is here to help with its flexible on-disk and over the wire encryption capabilities. InterBase also benefits from inbuilt user authentication and security in place wherever your data files reside. Choose to encrypt the entire database or just a critical table or column, and define who can decode that data with powerful role based authentication. InterBase supports both Advanced Encryption Standard (AES) and Data Encryption Standard (DES) encryption.
InterBase Encryption is supported starting with InterBase 2009. InterBase enables you to encrypt information at one or both of the following levels:
- Database Level Encryption (InterBase encrypts all of the database pages that contain user information).
- Column Level Encryption (Column-level encryption is more flexible and specific).
Using InterBase Database Encryption you can also encrypt Database Backup Files. For more information about encrypting your data with InterBase, see Data Definition Guide
Security is provided in the InterBase Server, InterBase Desktop and InterBase ToGo editons. To see additional features of each InterBase edition go to the InterBase product editions page at http://www.embarcadero.com/products/interbase/product-editions
Additional links and videos about InterBase database encryption can be found at:
Rise to the Data Security Challenge: Creating Secure Database Applications using InterBase – OnDemand Webinar -http://forms.embarcadero.com/InterBaseSecurityWebinar5-28
Why Database Encryption Matters: Is the NSA reading this? http://blogs.embarcadero.com/stephenball/2013/12/18/why-database-encryption-matters-is-the-nsa-reading-this/
EMS (Enterprise Mobility Services) offers a Mobile Enterprise Application Platform (MEAP) that you can host in the Cloud or on the premises, to expose custom REST APIs and enterprise database data. The enterprise data access is provided by the FireDAC data access library.
EMS offers a comprehensive solution including REST API, remote database access, users tracking, and analytics. Compared to a do-it-yourself model, in EMS you have a pre-build server with core capabilities in which you can plug custom packages.
You can create custom packages to expose datasets and plain REST resources, and easily embed the client code to access those resources in mobile and desktop applications.
EMS Server Authorization allows you to authorize or deny access to a EMS Resource or a particular EMS Endpoint in an HTTP request. The authorization depends on the credentials used in the HTTP request to the EMS Server.
EMS allows you to use external credentials in your custom plugins to execute login and signup operations in the EMS Server.
DataSnap is a RAD Studio XE8 technology for Delphi and C++Builder that allows the development of multi-tier applications, most notably multi-tier database applications. DataSnap offers the possibility to create Client-Server applications that communicate through the Internet, the local network, or the local host.
The main feature of DataSnap is the ability of the Client application to invoke methods that are implemented on a Server. DataSnap automatically generates the necessary interface for the Client to communicate with the Server, containing the prototypes of the Server methods.
DataSnap provides Encyption filter support for data sent. You can choose PC1 or RSA - In case of using the PC1 encryption filter, the Properties property holds the Key value to use for the encryption. If using the RSA filter, the Properties property holds a list of three properties, UseGlobalKey, KeyLength, and KeyExponent.
Start with the DataSnap Server Wizard. DataSnap Server Wizard provides an easy way to implement a server application using the DataSnap technology. Regardless of the options you select, it creates a ServerContainerUnit that contains a TDSServer component. All the additional components are connected to the TDSServer, having the Server property set to the name of the TDSServer component. If the selected protocol is TCP/IP, the server unit also contains a TDSTCPServerTransport. If HTTP is selected as the communication protocol, the server unit contains a TDSHTTPService component. If HTTPS is selected, then the server unit will contain a TDSHTTPService component configured for HTTPS operations.
Additional DataSnap documentation pages:
Building cloud based applications also involves security, authentication, storage and more. RAD Studio XE8 provides several interfaces to cloud systems using the Cloud API runtime libraries with support for Amazon AWS and Microsoft Azure.
We also provide component interface for Backend as a Service (BaaS) providers Parse, Kinvey, App42 (a separate free download). These BaaS services provide their own secure interfaces for developers for user and device authentication, storage and push notifications. You can find additional information on their sites.
Sarina Dupont has a series of blog and tutorial posts showing you how to use BaaS providers. Use the following community blog post and tags to find the articles:
- Tutorials - http://community.embarcadero.com/index.php/blogs/entry/looking-to-add-baas-support-to-your-apps-we-have-tutorials-to-get-you-started-1336
- Articles tagged as “BaaS” - http://community.embarcadero.com/index.php/blogs/tags/tag/baas
The RTL provides app tethering components, giving your applications the ability to interact with other applications running either on the same machine or on a remote machine.
Using app tethering, your applications can easily:
- Discover other applications that are using app tethering, running either on the same device as your application or on other connected devices.
- Run actions remotely. An application can publish actions using app tethering. Then other applications can remotely invoke any of these actions on the former application.
- Share data between applications. App tethering allows sharing of standard data types and streams.
The app tethering feature does not depend on a specific transport or protocol, and new transports and protocols can be implemented using the app tethering API. The RTL provides built-in support for IP and Classic Bluetooth connections. IP support includes connecting applications running on the same device.
You’ll find a wide range of App Tethering documentation and tutorials on the Embarcadero DocWiki:
RAD Studio XE8 supports using the Native HTTP libraries on multiple devices.
You can also use OpenSSL with your secure applications. http://docwiki.embarcadero.com/RADStudio/XE8/en/OpenSSL, https://www.openssl.org/
TurboPower LockBox 2 (Win32, Win64, Android, OSX) and LockBox 3.5.2 (Windows, Android, OSX) cryptography libraries/components. You can download and install the latest releases for RAD Studio XE8 using GetIt (Tools | GetIt) menu item in the IDE:
The foremost reason why Secure C Library came into existence was the need for bounds checking for string handling functions in the C Library. There are many functions in the C Library that expect the caller to supply string parameters long enough to hold the result of the operations. When a larger string is written "over" a smaller string, in fact data is written past the end, overwriting other program data. This can lead to "mysterious" failures, as the program has no means of knowing if or when something went wrong.
A typical solution was to try to use strings that were "big enough" but this could lead to two problems: either the result was a waste of space, or the user’s "big enough" was not big enough in practice. In addition, buffer overflows can be exploited in order to run harmful code, compromising the security of operating systems and networks.
For many C Run-time Library functions, the Secure C Library introduces extra parameters that are used for bounds checking of character arrays, and data is never written past the end of an array. Besides that, it introduces run-time constraints and the means for the user to set his own run-time violation handling functions. Doing so, the program can know when and where something goes wrong with a character array and can fix the error, or fail gracefully.
You can always call Windows SDK functionality even if we have not wrapped the API in our RTL or components. Here is the Microsoft SDK URL for CryptoAPI –
Cryptography API - https://msdn.microsoft.com/en-us/library/ms867086.aspx
IP*Works! By /n software
Internet components that are provided as part of the RAD Studio XE8 Registered User Downloads.
The full version of /n software’s IP*Works components - A comprehensive suite of components for Internet communications including more than 40 individual components covering every major Internet Protocol. IP*Works! eliminates the complexity of Internet development, providing easy-to-use, programmable components that facilitate tasks such as sending email, transferring files, managing networks, browsing the web, and consuming web services.
You can then purchase their addon packs for SSL, SSH and more at
Registered user download links:
- IP*Works for C++Builder XE8 - http://cc.embarcadero.com/item/30147
- IP*Works for Delphi XE8 - http://cc.embarcadero.com/item/30146
Project Indy Internet Components
Project Indy includes a range of components for RAD Studio XE8 supporting a wide range of Internet protocols, clients, servers and more. You can find additional information on our DocWiki about the components and how to secure Indy based network connections:
- Project Indy - http://docwiki.embarcadero.com/RADStudio/XE8/en/Indy
- Securing Indy connections - http://docwiki.embarcadero.com/RADStudio/XE8/en/Securing_Indy_Network_Connections
I will be covering additional RAD Studio XE8 secure development topics throughout the summer. Stay tuned for demos and articles on the above topics as well as secure development for REST, SOAP and other web based architectures.
Have a great Summer or Winter depending on which hemisphere you live it