Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Microsoft Writing Secure Code

from [Michael Howard] Network Security [Permanent Link]
Subject: RE: Microsoft Writing Secure Code
Date: Tue, 4 Jan 2005 07:51:52 -0800 
If you want a book on writing secure code then, "designing secure web
apps" is *Not* the book you need (hence the title!) you need "Writing
Secure Code 2nd Ed", (hence the title :)

[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Damhuis Anton [mailto:DamhuisA@aforbes.co.za] 
Sent: Tuesday, January 04, 2005 1:53 AM
To: secprog@securityfocus.com
Cc: Michael Howard
Subject: RE: Microsoft Writing Secure Code


I have read the book "Designing Secure Web-based Applications", found it
quite informative but also somewhat disappointing.

I was (at the time) looking for a book that assists with "writing secure
code". Thus how code should be written, not the way code interfaces with
security components.

Example:
What is the best way to display User Details:

~~Suedo code Begin ~~
Option 1:
If var_userLevel = USER then
   ... display User info
else
  ... Display Admin Info
end if



Option 2:
If var_userLevel = ADMIN then
   ... display Admin info
else
  ... Display User Info Info
end if



Option 3:
If var_userLevel = ADMIN then
   ... display Admin info
elseif var_userLevel = USER
  ... Display User Info Info
else
  ... Capture Error
end if

~~Suedo code End~~



To me it is Option 3. Somewhat more work, but a lot more secure, then
Option 1. If for some reason someone else writes the code to get the
variable for var_userLevel , and that code is hackable, Option 3 will
withstand the attack a lot better then Option 1. Option 2 in this case
would also be better then Option 1, as Option 1 would display the Admin
info for anybody other then user. Option 2 in this case would revert
back to the lower level of access. Thus just structuring the If stament
differently in Option 1 and 2, already makes the code more secure.

Also by logging all the errors in option 3's last "Else" statement one
can look for any thing overlooked initially (and capture any unknown
hacker attacks -although this is reactively)

Regards
  Anton


Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Published Papers, Rocky Heckman
Next by Date:  RE: Microsoft Writing Secure Code, Damhuis Anton
Previous by Thread:  Published Papers, Rocky Heckman
Next by Thread:  RE: Microsoft Writing Secure Code, Damhuis Anton
Indexes:  [Date] [Thread] [Top] [All Lists]