Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Inspecting Code for Security

from [Aleksander P. Czarnowski] Network Security [Permanent Link]
Subject: RE: Inspecting Code for Security
Date: Tue, 21 Sep 2004 20:57:51 +0200 
With security in mind what things other things should I be 
looking for in a code inspection? I can think of the following, 
but I'm sure there are others:
- buffers that could be overflowed
- ensuring all input is validated (checked to ensure it is of the proper
type & format) 
- ensuring passwords & other encrypted date is not stored 
unencrypted in memory
- ensuring strong encryption is used
- ensuring no easter eggs / backdoors are left in the code
- ???

I would say that the final list of objectives should be business driven, in 
turn this translates to application functionality and business functions it 
provides. From there you will get a good perspective on architecture that would 
further drive creation of your checklist. You can also start from the other end 
and just take a look at some secure programming checklist that are already 
available, but keep in mind that while some of them are very comprehensive most 
of them will not necessary meet your business objectives right away. Another 
thing that is usually overlooked is a final execution environment for the code. 
You need to know how and where your code will be use to better address possible 
recommendations or new safeguard introduction.
Best Regards
Aleksander Czarnowski
AVET INS
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Inspecting Code for Security, Juergen Brauckmann
Next by Date:  Re: "Selling" a code-audit., Jerry Connolly
Previous by Thread:  Re: Inspecting Code for Security, Juergen Brauckmann
Next by Thread:  Re: Inspecting Code for Security, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]