I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How/ at what point did you start learning about security?
For the students, how many of you have taken a programming security class, and how useful did you find it?
Surprisingly little (which is BAD considering I actually work in a division dedicated to security)......
I might blame some of this on instinctively secure code [as if] (though I'm sure there are some very bad examples of my code in some of these forums).
The powers that be have insisted we do courses in programming securely (which have been completed), and I keep a Secure Programming Cookbook at my desk (who knows, one day I might be tempted to read it).
On a more serious note, though, we (thankfully) have some very experienced senior "engineers/developers/programmers" (let's not start that one again) on our team. As my employers believe in ODC (Orthogonal Defect Classification) we have inspections (of documents as well, not only code), and the Senior Engies tend to pick up on most of our bad habits (unless they are just justifying their positions as senior engineers and picking on my code for no reason ;) )
For the students, how many of you have taken a programming security class, and how useful did you find it?
Actually, security was never really a discussion in any of my programming classes. I think it would have been extremely useful.
Yeah, it was only briefly touched on in my grad-level java class, which I found surprising. Most of the "security techniques" (except for the general concepts of interfaces and indirect instantiation) I learned were after that class...
What is usually overlooked in security matters are the security breaches 'from inside'. By this I mean that programs must also be checked for deliberate security violations by their developers. And that is sometimes very difficult to detect.
From my experience as internal assets and security manager, I sometimes found that people had built in so-called 'trapdoor' routines in the code, which would give them access, from outside, to sensitive parts of routines by just specifying a secret code or sequence of numbers. Often after they had regularly logged in to a site.
Is there anyone out there who has any experience with that sort of situation?
Ronald
I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How/ at what point did you start learning about security?
For the students, how many of you have taken a programming security class, and how useful did you find it?
I was taught basic things like how to validate data and how to set file permissions but I never was taught application security in school. I really wish I had taken a course or two on the subject because now I'm working in the real world and I'm trying to secure a web application and I had no idea where to begin.
I've started going through the checklists that are provided by MSDN to make sure I've covered all the obvious things they suggest you check over when developing an application. I think I've only gotten through the first 5 checks.
I've spent about a month now learning about application security and trying to apply it to my application.
I find it very overwhelming.
I have so much to learn and barely have my basics covered.
I wish there was a security forum here that could help out.
-Frinny
To add to your confusion: have a look at the website of the Open Web Application Security Project (OWASP). They do a lot of work regarding web security.
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.
They can be found at OWASP Home
Ronald
I must say (possibly irrelevantly) that the Secure Coding course I did (had to do) focussed on three main points:
Avoiding Buffer Overflow (and related attacks)
Avoiding Attacks using formatted Strings
Failing "closed"
As well as more trivial issues of checking Password length before value (if you want to check that $A is equal to $B (sorry for the BASIC terminology), you shouldn't check the similarities over the length of either (and especially not the input value), but rather confirm they are the same length and then make the check)... and probably loads of other things which I only subconsciously remember...
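The comparison point in the post above, carried into C as an added example (not code from the post): an early-exit string compare whose amount of work depends on where the caller's input first differs, beside a fixed-work compare that always walks the full expected length, folds a length mismatch into the result rather than returning early, and fails closed on missing input. The function names and the `work` counter are my own, added so the difference can be measured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Early-exit comparison (the weak form). It returns at the first
 * mismatching byte, so the number of bytes examined, and thus the
 * time taken, depends on how long a matching prefix the caller sent. */
bool leaky_equal(const char *expected, const char *input, size_t *work)
{
    *work = 0;
    if (expected == NULL || input == NULL)
        return false;                       /* fail closed on missing data */
    size_t n = strlen(expected);
    if (strlen(input) != n)
        return false;
    for (size_t i = 0; i < n; i++) {
        (*work)++;
        if (expected[i] != input[i])
            return false;                   /* position of mismatch leaks */
    }
    return true;
}

/* Fixed-work comparison. The loop always runs over the full expected
 * length and folds every difference (including a length mismatch) into
 * one accumulator, so the work done does not depend on where, or
 * whether, the input diverges. Input bytes are read only within the
 * input's own bounds; beyond them a zero is folded in instead. */
bool fixed_time_equal(const char *expected, const char *input, size_t *work)
{
    *work = 0;
    if (expected == NULL || input == NULL)
        return false;                       /* fail closed */
    size_t n = strlen(expected);
    size_t m = strlen(input);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n; i++) {
        unsigned char in = (i < m) ? (unsigned char)input[i] : 0;
        diff |= (unsigned char)expected[i] ^ in;
        (*work)++;
    }
    return diff == 0;
}

/* Helpers returning only the work count, for a quick side-by-side. */
size_t leaky_work(const char *e, const char *i) { size_t w; leaky_equal(e, i, &w); return w; }
size_t fixed_work(const char *e, const char *i) { size_t w; fixed_time_equal(e, i, &w); return w; }
```

With the constructed secret "secret", the leaky form examines 2 bytes for "sXXXXX" but 6 for "secreX", while the fixed form examines 6 bytes whatever the input.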
Really, it is a very important subject, especially for those persons who develop real software and then can't find the best way to secure it.
I just started reading 'Exploiting Software' by Hoglund and McGraw, and it's an excellent resource to gain the 'attacker's point of view'. Not too much of a guide on how to fix things, but it definitely gets the reader more aware of the types of attacks out there, and the things that combine to make a successful attack.
Too bad that even 'safe' languages such as Java sometimes use a notation that makes it extremely easy to cause disasters accidentally:

    PowerPlant harrisburg = new PowerPlant();

    if (harrisburg.isSafe() && harrisburg.switchOn())
        System.out.println("Everything ok here");

Now forget one single '&' (just a typo) and see what happens ...
kind regards,
Jos
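Jos's point carried into C as an added example (not code from the post): the same `&` versus `&&` slip exists there, because a single `&` on two boolean calls evaluates both operands before combining them instead of short-circuiting. `PowerPlant`, `is_safe` and `switch_on` are stand-ins of my own mirroring the Java names.

```c
#include <stdbool.h>

/* A toy plant: 'safe' is the precondition, 'running' is the state the
 * dangerous action changes. Stand-in names, not from any real code. */
typedef struct {
    bool safe;
    bool running;
} PowerPlant;

static bool is_safe(const PowerPlant *p) { return p->safe; }

/* The dangerous action: it has a side effect and must only run when the
 * plant is safe. It reports success so that it can sit in a condition. */
static bool switch_on(PowerPlant *p)
{
    p->running = true;
    return true;
}

/* Intended form: && short-circuits, so switch_on() is never called when
 * is_safe() is false. Returns whether the "everything ok" branch ran. */
bool start_guarded(PowerPlant *p)
{
    if (is_safe(p) && switch_on(p))
        return true;                /* "Everything ok here" */
    return false;
}

/* One '&' dropped: bitwise AND evaluates BOTH operands before combining
 * them, so switch_on() runs even when the plant is unsafe. The branch
 * still comes out false, which hides the slip; only the side effect shows. */
bool start_typo(PowerPlant *p)
{
    if (is_safe(p) & switch_on(p))
        return true;
    return false;
}

/* Run one variant against an unsafe plant and report whether it got
 * switched on anyway (0 selects the guarded form, 1 the typo form). */
bool unsafe_plant_started(int use_typo)
{
    PowerPlant p = { .safe = false, .running = false };
    if (use_typo) start_typo(&p); else start_guarded(&p);
    return p.running;
}
```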