Application Security Programming

  • sicarie
    Recognized Expert Specialist
    • Nov 2006
    • 4677

    Application Security Programming

    I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How, and at what point, did you start learning about security?

    For the students, how many of you have taken a programming security class, and how useful did you find it?
  • DeMan
    Top Contributor
    • Nov 2006
    • 1799

    #2
    Surprisingly little (which is BAD considering I actually work in a division dedicated to security)......
    I might blame some of this on instinctively secure code [as if] (though I'm sure there are some very bad examples of my code in some of these forums).
    The powers that be have insisted we do courses in programming securely (which have been completed), and I keep a Secure Programming Cookbook at my desk (who knows, one day I might be tempted to read it).

    On a more serious note, though, we (thankfully) have some very experienced senior "engineers/developers/programmers" (let's not start that one again) on our team. As my employers believe in ODC (Orthogonal Defect Classification) we have inspections (of documents as well, not only code), and the Senior Engies tend to pick up on most of our bad habits (unless they are just justifying their positions as senior engineers and picking on my code for no reason ;) )


    • AricC
      Recognized Expert Top Contributor
      • Oct 2006
      • 1885

      #3
      Originally posted by sicarie
      For the students, how many of you have taken a programming security class, and how useful did you find it?
      Actually, security was never really a discussion in any of my programming classes. I think it would have been extremely useful.


      • sicarie
        Recognized Expert Specialist
        • Nov 2006
        • 4677

        #4
        Originally posted by AricC
        Actually, security was never really a discussion in any of my programming classes. I think it would have been extremely useful.
        Yeah, it was only briefly touched on in my grad-level java class, which I found surprising. Most of the "security techniques" (except for the general concepts of interfaces and indirect instantiation) I learned were after that class...


        • ronverdonk
          Recognized Expert Specialist
          • Jul 2006
          • 4259

          #5
          What is usually overlooked in security matters are the security breaches 'from inside'. By this I mean that programs must also be checked for deliberate security violations by their developers. And that is sometimes very difficult to detect.

          From my experience as internal assets and security manager, I sometimes found that people had built in so-called 'trapdoor' routines in the code, which would give them access, from outside, to sensitive parts of routines by just specifying a secret code or sequence of numbers. Often after they had regularly logged in to a site.

          Is there anyone out there who has any experience with that sort of situation?

          Ronald


          • Frinavale
            Recognized Expert Expert
            • Oct 2006
            • 9749

            #6
            Originally posted by sicarie
            I was curious - to all the professional programmers, how much thought and effort is put into application security. What did you do and how did you implement it? How/ at what point did you start learning about security?

            For the students, how many of you have taken a programming security class, and how useful did you find it?
            I was taught basic things like how to validate data and how to set file permissions but I never was taught application security in school. I really wish I had taken a course or two on the subject because now I'm working in the real world and I'm trying to secure a web application and I had no idea where to begin.

            I've started going through the checklists that are provided by MSDN to make sure I've covered all the obvious things they suggest you check over when developing an application. I think I've only gotten through the first 5 checks.

            I've spent about a month now learning about application security and trying to apply it to my application.
            I find it very overwhelming.
            I have so much to learn and barely have my basics covered.

            I wish there was a security forum here that could help out.

            -Frinny


            • ronverdonk
              Recognized Expert Specialist
              • Jul 2006
              • 4259

              #7
              To add to your confusion: have a look at the website of the Open Web Application Security Project (OWASP). They do a lot of work regarding web security.
              Originally posted by OWASP
              The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.
              They can be found at OWASP Home

              Ronald


              • DeMan
                Top Contributor
                • Nov 2006
                • 1799

                #8
                I must say (possibly irrelevantly), that the Secure Coding course I did (had to do) focussed on three main points:

                Avoiding Buffer Overflow (and related attacks)
                Avoiding Attacks using formatted Strings
                Failing "closed"

                As well as more trivial issues of checking Password length before value (if you want to check that $A is equal to $B (sorry for the BASIC terminology), you shouldn't check the similarities over the length of either (and especially not the input value), but rather confirm they are the same length and then make the check.....and probably loads of other things which I only subconsciously remember...

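The password check DeMan describes is about not letting the time a comparison takes reveal how much of the input matched. As an added illustration (not code from the thread or from any course material), the first method below stops at the first differing byte, so its running time depends on where the mismatch is; the second checks the lengths up front and then folds every difference into one accumulator so the time no longer depends on the position of a mismatch. The JDK's own MessageDigest.isEqual does the same job.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SecretCompare {

    // Leaky comparison: returns as soon as one byte differs, so a
    // caller who can time it learns how many leading bytes matched.
    static boolean naiveEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) return false;
        }
        return true;
    }

    // Length-then-value comparison in the spirit of the post: the length
    // check is done once (length is not treated as secret), and the value
    // check always visits every byte, accumulating differences with OR
    // instead of branching out early.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        int diff = expected.length ^ actual.length;
        int n = Math.min(expected.length, actual.length);
        for (int i = 0; i < n; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values; the stored value would normally be a
        // password hash or a token, never a plain password.
        byte[] stored = "s3cr3t-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] good   = "s3cr3t-token-value".getBytes(StandardCharsets.UTF_8);
        byte[] close  = "s3cr3t-token-valuX".getBytes(StandardCharsets.UTF_8);
        byte[] far    = "Xs3cr3t-token-valu".getBytes(StandardCharsets.UTF_8);

        System.out.println("naive  good/close/far: " + naiveEquals(stored, good)
                + " " + naiveEquals(stored, close) + " " + naiveEquals(stored, far));
        System.out.println("const  good/close/far: " + constantTimeEquals(stored, good)
                + " " + constantTimeEquals(stored, close) + " " + constantTimeEquals(stored, far));
        // Same result from the JDK's constant-time helper.
        System.out.println("jdk    good: " + MessageDigest.isEqual(stored, good));
    }
}
```

Both methods return the same booleans; the difference is only in how long they take for "close" versus "far", which is exactly what the naive version gives away.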

                • Abaset
                  New Member
                  • Mar 2007
                  • 4

                  #9
                  Really it is a very important subject, especially for those persons who develop real software and then can't find a best way for security.


                  • sicarie
                    Recognized Expert Specialist
                    • Nov 2006
                    • 4677

                    #10
                    Originally posted by Abaset
                    Really it is a very important subject, especially for those persons who develop real software and then can't find a best way for security.
                    I just started reading 'Exploiting Software' by Hoglund and McGraw, and it's an excellent resource to gain the 'attacker's point of view'. Not too much of a guide on how to fix things, but it definitely gets the reader more aware of the types of attacks out there, and the things that combine to make a successful attack.


                    • JosAH
                      Recognized Expert MVP
                      • Mar 2007
                      • 11453

                      #11
                      Too bad that even 'safe' languages such as Java use a notation sometimes that
                      make it extremely easy to cause disasters accidentally:
                      Code:
                      PowerPlant harrisburg= new PowerPlant();
                      if (harrisburg.isSafe() && harrisburg.switchOn())
                         System.out.println("Everything ok here");
                      Now forget one single '&' (just a typo) and see what happens ...

                      kind regards,

                      Jos

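To make Jos's point concrete, here is an added example (not from the post) with a hypothetical PowerPlant class that counts how often switchOn() is invoked. With && the right-hand call is skipped when isSafe() is false; with a single & (the typo), both sides are always evaluated and the plant is switched on regardless.

```java
public class ShortCircuit {

    // Hypothetical stand-in for the PowerPlant in Jos's snippet.
    static class PowerPlant {
        private final boolean safe;
        int switchOnCalls = 0;

        PowerPlant(boolean safe) { this.safe = safe; }

        boolean isSafe() { return safe; }

        // The dangerous side effect we want guarded by isSafe().
        boolean switchOn() { switchOnCalls++; return true; }
    }

    // Logical AND: the right operand is evaluated only if the left is true,
    // so an unsafe plant is never switched on.
    static int callsWithLogicalAnd() {
        PowerPlant harrisburg = new PowerPlant(false);
        if (harrisburg.isSafe() && harrisburg.switchOn())
            System.out.println("Everything ok here");
        return harrisburg.switchOnCalls;
    }

    // Bitwise AND on booleans: both operands are always evaluated, so
    // switchOn() runs even though isSafe() already returned false. The
    // condition as a whole is still false, so the reassuring message is
    // not printed and nothing hints that the plant was switched on.
    static int callsWithBitwiseAnd() {
        PowerPlant harrisburg = new PowerPlant(false);
        if (harrisburg.isSafe() & harrisburg.switchOn())
            System.out.println("Everything ok here");
        return harrisburg.switchOnCalls;
    }

    public static void main(String[] args) {
        System.out.println("&& : switchOn called " + callsWithLogicalAnd() + " time(s)");
        System.out.println("&  : switchOn called " + callsWithBitwiseAnd() + " time(s)");
    }
}
```

Both versions compile without complaint, which is why a review or a lint rule that flags & and | applied to boolean operands is worth having.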
