Everybody can use more secure code—and sometimes the best way to hone your skills is to listen to other programmers. Here are 18 concise tips offered by your fellow developers, each a specific (and opinionated!) piece of advice that you can put to work immediately. You may not agree with all these suggestions, but each is worth contemplating.
Be Careful What You Call
“If your application calls a DLL or another program, make sure you call it specifically,” says Joshua Levy, senior software engineer for Reasoning Inc. in Mountain View, CA. “Dont rely on relative paths or search paths. The danger here is that you will end up calling a different program or DLL than you expected. This is the ultimate security flaw, because suddenly youre running a program or DLL written by the attacker! This is often a problem with inside jobs, where an employee is trying to get more permissions than he should, or [to] read data or files that he isnt allowed to read. We review other peoples code, and I see a huge amount of these sorts of errors.” Levy writes programs to find and report such weaknesses. “Its better to check that the executable or DLL is what you expected, using signing or CRC,” he suggests.
“Get someone to review your code specifically for security,” reccomends Levy. “Weve got huge QA departments that look for defects, but we dont have similar organizations that look for security vulnerabilities. Companies dont spend money unless they can see the value. When your security audit is done by a third party, you get the benefit of their expertise without the danger of your internal politics.”