Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Microsoft Writing Secure Code

from [priestmaster] Network Security [Permanent Link]
Subject: Re: Microsoft Writing Secure Code
Date: Thu, 6 Jan 2005 17:15:30 +0100 
Hi,

The third is the most secure I think. If you know how
exploitation of vulnerabillites work, you can secure it
easily. You need much security knowledge to create
complex and secure software. Security experts
also make mistakes and create security-releated
bugs. No one is perfect.

greets,

priestmaster
----- Original Message -----
From: "Damhuis Anton" <DamhuisA@aforbes.co.za>
To: <secprog@securityfocus.com>
Cc: "Michael Howard" <mikehow@microsoft.com>
Sent: Tuesday, January 04, 2005 10:52 AM
Subject: RE: Microsoft Writing Secure Code



I have read the book "Designing Secure Web-based Applications", found it
quite informative but also somewhat disappointing.

I was (at the time) looking for a book that assists with "writing secure
code". Thus how code should be written, not the way code interfaces with
security components.

Example:
What is the best way to display User Details:

~~Suedo code Begin ~~
Option 1:
If var_userLevel = USER then
   ... display User info
else
  ... Display Admin Info
end if



Option 2:
If var_userLevel = ADMIN then
   ... display Admin info
else
  ... Display User Info Info
end if



Option 3:
If var_userLevel = ADMIN then
   ... display Admin info
elseif var_userLevel = USER
  ... Display User Info Info
else
  ... Capture Error
end if

~~Suedo code End~~


To me it is Option 3. Somewhat more work, but a lot more secure, then Option
1. If for some reason someone else writes the code to get the variable for
var_userLevel , and that code is hackable, Option 3 will withstand the
attack a lot better then Option 1. Option 2 in this case would also be
better then Option 1, as Option 1 would display the Admin info for anybody
other then user. Option 2 in this case would revert back to the lower level
of access. Thus just structuring the If stament differently in Option 1 and
2, already makes the code more secure.

Also by logging all the errors in option 3's last "Else" statement one can
look for any thing overlooked initially (and capture any unknown hacker
attacks -although this is reactively)

Regards
  Anton


Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Microsoft Writing Secure Code, Ton Geurts
Next by Date:  RE: Microsoft Writing Secure Code, Damhuis Anton
Previous by Thread:  RE: Microsoft Writing Secure Code, Damhuis Anton
Next by Thread:  Re: Microsoft Writing Secure Code, George Capehart
Indexes:  [Date] [Thread] [Top] [All Lists]