Tipping The Scales Toward Secure Code
Everybody can use more secure code—and sometimes the best way to hone your skills is by listening to other programmers. Here are 18 tips offered by your fellow developers.Everybody can use more secure code—and sometimes the best way to hone your skills is to listen to other programmers. Here are 18 concise tips offered by your fellow developers, each a specific (and opinionated!) piece of advice that you can put to work immediately. You may not agree with all these suggestions, but each is worth contemplating. Be Careful What You Call
"If your application calls a DLL or another program, make sure you call it specifically," says Joshua Levy, senior software engineer for Reasoning Inc. in Mountain View, CA. "Dont rely on relative paths or search paths. The danger here is that you will end up calling a different program or DLL than you expected. This is the ultimate security flaw, because suddenly youre running a program or DLL written by the attacker! This is often a problem with inside jobs, where an employee is trying to get more permissions than he should, or [to] read data or files that he isnt allowed to read. We review other peoples code, and I see a huge amount of these sorts of errors." Levy writes programs to find and report such weaknesses. "Its better to check that the executable or DLL is what you expected, using signing or CRC," he suggests.