Application Security Programming

  #1  
Old March 1st, 2007, 04:41 PM
sicarie's Avatar
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,927
I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How/ at what point did you start learning about security?

For the students, how many of you have taken a programming security class, and how useful did you find it?
  #2  
Old March 2nd, 2007, 07:24 AM
DeMan's Avatar
Lives Here
 
Join Date: Nov 2006
Location: Adelaide, SA
Posts: 1,752

re: Application Security Programming


Surprisingly little (which is BAD considering I actually work in a division dedicated to security)...
I might blame some of this on instinctively secure code [as if] (though I'm sure there are some very bad examples of my code in some of these forums).
The powers that be have insisted we do courses in programming securely (which have been completed), and I keep a Secure Programming Cookbook at my desk (who knows, one day I might be tempted to read it).

On a more serious note, though, we (thankfully) have some very experienced senior "engineers/developers/programmers" (let's not start that one again) on our team. As my employers believe in ODC (Orthogonal Defect Classification) we have inspections (of documents as well, not only code), and the senior engies tend to pick up on most of our bad habits (unless they are just justifying their positions as senior engineers and picking on my code for no reason ;) )
  #3  
Old March 8th, 2007, 12:58 AM
Expert
 
Join Date: Oct 2006
Location: NC
Posts: 1,723

re: Application Security Programming


Quote:
Originally Posted by sicarie
For the students, how many of you have taken a programming security class, and how useful did you find it?
Actually, security was never really a discussion in any of my programming classes. I think it would have been extremely useful.
  #4  
Old March 8th, 2007, 01:40 AM
sicarie's Avatar
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,927

re: Application Security Programming


Quote:
Originally Posted by AricC
Actually, security was never really a discussion in any of my programming classes. I think it would have been extremely useful.
Yeah, it was only briefly touched on in my grad-level java class, which I found surprising. Most of the "security techniques" (except for the general concepts of interfaces and indirect instantiation) I learned were after that class...
  #5  
Old March 9th, 2007, 01:03 AM
ronverdonk's Avatar
Moderator
 
Join Date: Jul 2006
Location: The Netherlands
Posts: 4,139

re: Application Security Programming


What is usually overlooked in security matters are the security breaches 'from inside'. By this I mean that programs must also be checked for deliberate security violations by their developers. And that is sometimes very difficult to detect.

From my experience as internal assets and security manager, I sometimes found that people had built in so-called 'trapdoor' routines in the code, which would give them access, from outside, to sensitive parts of routines by just specifying a secret code or sequence of numbers. Often after they had regularly logged in to a site.

Is there anyone out there who has any experience with that sort of situation?

Ronald
  #6  
Old March 9th, 2007, 07:55 PM
Frinavale's Avatar
Site Moderator
 
Join Date: Oct 2006
Location: The Great White North :)
Posts: 4,940
Provided Answers: 8

re: Application Security Programming


Quote:
Originally Posted by sicarie
I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How/ at what point did you start learning about security?

For the students, how many of you have taken a programming security class, and how useful did you find it?
I was taught basic things like how to validate data and how to set file permissions but I never was taught application security in school. I really wish I had taken a course or two on the subject because now I'm working in the real world and I'm trying to secure a web application and I had no idea where to begin.

I've started going through the checklists that are provided by MSDN to make sure I've covered all the obvious things they suggest you check over when developing an application. I think I've only gotten through the first 5 checks.

I've spent about a month now learning about application security and trying to apply it to my application.
I find it very overwhelming.
I have so much to learn and barely have my basics covered.

I wish there was a security forum here that could help out.

-Frinny
  #7  
Old March 10th, 2007, 11:37 AM
ronverdonk's Avatar
Moderator
 
Join Date: Jul 2006
Location: The Netherlands
Posts: 4,139

re: Application Security Programming


To add to your confusion: have a look at the website of the Open Web Application Security Project (OWASP). They do a lot of work regarding web security.
Quote:
Originally Posted by OWASP
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.
They can be found at OWASP Home

Ronald
  #8  
Old March 11th, 2007, 12:46 PM
DeMan's Avatar
Lives Here
 
Join Date: Nov 2006
Location: Adelaide, SA
Posts: 1,752

re: Application Security Programming


I must say (possibly irrelevantly) that the Secure Coding course I did (had to do) focussed on three main points:

Avoiding buffer overflows (and related attacks)
Avoiding attacks using format strings
Failing "closed"

As well as more trivial issues such as checking password length before value (if you want to check that $A is equal to $B (sorry for the BASIC terminology), you shouldn't check the similarities over the length of either (and especially not the input value), but rather confirm they are the same length and then make the check)... and probably loads of other things which I only subconsciously remember...
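The password comparison point above is the classic timing side channel: a byte-by-byte compare that returns at the first mismatch runs slightly longer the more leading bytes the attacker has guessed right. The following is an added example (my own code, not from DeMan's course or the original thread) showing a naive early-exit compare beside a constant-time one. It goes a step beyond the post by also folding the length check into the same accumulator, so a wrong-length guess costs the same as a wrong-content guess, and by treating NULL input as "not equal" (fail closed). Lengths are treated as public, which is the normal assumption when comparing fixed-size hashes or tokens; the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive comparison: returns as soon as a byte differs, so the run time
 * depends on how many leading bytes of the guess are correct. */
int naive_equal(const char *a, const char *b)
{
    size_t i;
    if (a == NULL || b == NULL)
        return 0;                      /* fail closed on bad input */
    for (i = 0; ; i++) {
        if (a[i] != b[i])
            return 0;                  /* early exit: the timing leak */
        if (a[i] == '\0')
            return 1;
    }
}

/* Constant-time comparison: always walks the whole stored secret, never
 * branches on secret bytes, and OR-accumulates every XOR difference.
 * The length mismatch is folded into the same accumulator rather than
 * returned early. Returns 1 if equal, 0 otherwise (including NULL input). */
int ct_equal(const uint8_t *secret, size_t secret_len,
             const uint8_t *input, size_t input_len)
{
    uint8_t diff;
    size_t i;

    if (secret == NULL || input == NULL)
        return 0;                      /* fail closed */

    /* Lengths are public (fixed-size hashes/tokens), so this branch is fine. */
    diff = (uint8_t)(secret_len != input_len);

    for (i = 0; i < secret_len; i++) {
        /* Wrap the index so a shorter input never causes an out-of-bounds
         * read; diff is already non-zero whenever the lengths differ. */
        uint8_t b = (input_len == 0) ? 0 : input[i % input_len];
        diff |= (uint8_t)(secret[i] ^ b);
    }
    return diff == 0;
}

/* Convenience wrapper for NUL-terminated strings. */
int ct_str_equal(const char *secret, const char *input)
{
    if (secret == NULL || input == NULL)
        return 0;
    return ct_equal((const uint8_t *)secret, strlen(secret),
                    (const uint8_t *)input, strlen(input));
}

int main(void)
{
    /* Constructed sample values; the "secret" would normally be a hash. */
    const char *secret = "correct horse battery";
    printf("naive  : %d %d\n", naive_equal(secret, secret),
                               naive_equal(secret, "correct horse"));
    printf("ct     : %d %d %d\n", ct_str_equal(secret, secret),
                                  ct_str_equal(secret, "correct horse"),
                                  ct_str_equal(secret, NULL));
    return 0;
}
```

In practice you would compare a fixed-length hash or MAC rather than the raw password, and use the platform primitive where one exists (for example `CRYPTO_memcmp` in OpenSSL or `timingsafe_bcmp` on OpenBSD) instead of hand-rolling the loop.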
  #9  
Old March 30th, 2007, 03:37 PM
Newbie
 
Join Date: Mar 2007
Posts: 4

re: Application Security Programming


Really it is a very important subject, especially for those persons who develop real software and then can't find the best way to secure it.
  #10  
Old March 30th, 2007, 03:57 PM
sicarie's Avatar
Moderator
 
Join Date: Nov 2006
Location: USA
Posts: 3,927

re: Application Security Programming


Quote:
Originally Posted by Abaset
Really it is a very important subject, especially for those persons who develop real software and then can't find the best way to secure it.
I just started reading 'Exploiting Software' by Hoglund and McGraw, and it's an excellent resource to gain the 'attacker's point of view'. Not too much of a guide on how to fix things, but it definitely gets the reader more aware of the types of attacks out there, and the things that combine to make a successful attack.
  #11  
Old April 3rd, 2007, 04:12 PM
JosAH's Avatar
Expert
 
Join Date: Mar 2007
Posts: 10,634
Provided Answers: 2

re: Application Security Programming


Too bad that even 'safe' languages such as Java sometimes use a notation that makes it extremely easy to cause disasters accidentally:

```java
PowerPlant harrisburg = new PowerPlant();
// switchOn() must only run if isSafe() returned true
if (harrisburg.isSafe() && harrisburg.switchOn())
    System.out.println("Everything ok here");
```

Now forget one single '&' (just a typo) and see what happens ...

kind regards,

Jos
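C has the same pair of operators with the same difference: `&&` short-circuits, while the bitwise `&` evaluates both operands no matter what the first one returned. The block below is an added example (my own code, not JosAH's or from the original thread) that makes the difference observable by counting how often the dangerous call runs, and shows the defensive shape that makes the typo harmless: do the safety check in its own statement so no single-character edit can skip it. The plant, `is_safe` and `switch_on` are hypothetical names.

```c
#include <stdio.h>

/* Counter so we can observe whether the dangerous call actually happened. */
static int switch_on_calls = 0;

/* Hypothetical safety check; plant_ok stands in for real sensor state. */
static int is_safe(int plant_ok)
{
    return plant_ok;
}

/* The side effect we must never trigger unless is_safe() said yes. */
static int switch_on(void)
{
    switch_on_calls++;
    return 1;
}

/* Intended code: && short-circuits, so switch_on() runs only if safe. */
int start_with_guard(int plant_ok)
{
    switch_on_calls = 0;
    return is_safe(plant_ok) && switch_on();
}

/* The one-character typo: bitwise & evaluates BOTH operands unconditionally
 * (in C their evaluation order is even unspecified). The result is still 0
 * when the plant is unsafe, which hides the fact that switch_on() ran. */
int start_with_typo(int plant_ok)
{
    switch_on_calls = 0;
    return is_safe(plant_ok) & switch_on();
}

/* Defensive shape: the guard is a separate statement, so the result does
 * not hinge on which operator was typed. */
int start_explicit(int plant_ok)
{
    switch_on_calls = 0;
    if (!is_safe(plant_ok))
        return 0;
    return switch_on();
}

/* Number of times switch_on() was invoked by the most recent start_* call. */
int switch_on_call_count(void)
{
    return switch_on_calls;
}

int main(void)
{
    int r;
    r = start_with_guard(0);
    printf("&&  unsafe plant: result=%d switch_on calls=%d\n", r, switch_on_call_count());
    r = start_with_typo(0);
    printf("&   unsafe plant: result=%d switch_on calls=%d\n", r, switch_on_call_count());
    r = start_explicit(0);
    printf("if  unsafe plant: result=%d switch_on calls=%d\n", r, switch_on_call_count());
    return 0;
}
```

Compilers will warn about some of these mix-ups (GCC's `-Wall` flags `&` between boolean-looking operands in a few cases), but the reliable fix is structural: separate the check from the action rather than relying on operator semantics.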