
 
Flatland_Spider
Graphmaster Gerbil
Topic Author
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Secure Programming

Thu Aug 01, 2013 10:37 pm

I'm going to be taking a special interest this fall over secure programming techniques, and I was wondering if anyone had any particular favourite resources on the subject. I've found some resources, but I thought I would ask people who would know.

Found Resources:
CERT Secure Coding
FreeBSD Developers Handbook Ch.3 Secure Programming

Edit: I messed up a bracket.
Last edited by Flatland_Spider on Fri Aug 02, 2013 12:09 pm, edited 1 time in total.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Secure Programming

Fri Aug 02, 2013 12:50 am

I think in many cases, it just comes down to having another set of (experienced) eyes looking at your code. Code reviews are valuable. And not just for spotting security holes; there are also a lot of potential corner cases that can cause general instability. Race conditions, ignoring error return values from library functions and system calls, timer rollovers in real-time systems, etc.
Nostalgia isn't what it used to be.
 
esc_in_ks
Gerbil
Posts: 79
Joined: Sun Nov 08, 2009 4:55 pm
Location: Kansas

Re: Secure Programming

Fri Aug 02, 2013 1:16 am

You've found the CERT Secure Programming page which contains a wealth of information. Just in case you didn't notice it, CERT has a series of books (many of which are available online) that are language or environment specific (C programming, Java programming, what have you). As a quite experienced C programmer with 20 years of in the trenches experience, there were things in the CERT C secure programming book that I didn't know or that I thought I knew but found my knowledge slightly off. If it makes sense, I'd suggest going deep in a book in your area of expertise.
Home: PC-D600, Seasonic 850 Titanium, Apex X299, 7940X @ 4.1 GHz, H115i, 32G DDR4 3200, 960 Evo 1T+500G, 850 EVO 1T, GTX 1080, U3818+2x U2515h, Linux, Win10
Work: Arc Midi, 650TX, P8Z77-V LK, 3770, 32G, 830 128G, 2x1TB, NVS 295, 2xU3014, Linux
 
Flatland_Spider
Graphmaster Gerbil
Topic Author
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Secure Programming

Fri Aug 02, 2013 2:23 pm

just brew it! wrote:
I think in many cases, it just comes down to having another set of (experienced) eyes looking at your code. Code reviews are valuable. And not just for spotting security holes; there are also a lot of potential corner cases that can cause general instability. Race conditions, ignoring error return values from library functions and system calls, timer rollovers in real-time systems, etc.


Definitely. I'm trying to get to the experienced part. Well, at least knowledgeable.

I would also like to write some code that exploits the vulnerabilities, so I can do some before and after examples.

@esc_in_ks
Good to know.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Secure Programming

Fri Aug 02, 2013 6:51 pm

Security is one of those things that you need to have in mind as an overall methodology over the whole development, including design, building and review/testing. Doing it as an afterthought or fix on something already built usually leads to bad results or at least incomplete coverage.

Not having that process in use is one of the things that leads to the tons of vulnerabilities that are available in various kinds of software. Just looking at a bunch of other software and known exploits can easily let you see parts of what is needed to be wary against.

CERT is a really good start, and you should really take a look at/subscribe to OWASP.
http://en.wikipedia.org/wiki/OWASP
https://www.owasp.org/index.php/Main_Page

If you are interested in the testing and more the penetration-testing part of it, the Metasploit Framework and BackTrack are a good starting point for open source solutions, but that is just about a whole discipline in itself and people take a lot of time in specializing skills around that. Not to mention the commercial software used for exploitation usually is VERY expensive and also revolves not only around the testing part, but also the accounting and documentation of said tests. Another part of that piece is vulnerability testing, which is often used as a precursor to actual pentesting in that you usually scan for vulnerabilities first before you determine how to use them, etc.
 
Flatland_Spider
Graphmaster Gerbil
Topic Author
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Secure Programming

Fri Aug 02, 2013 7:32 pm

Aphasia wrote:
Security is one of those things that you need to have in mind as an overall methodology over the whole development, including design, building and review/testing. Doing it as an afterthought or fix on something already built usually leads to bad results or at least incomplete coverage.


I agree. I'm hoping this will be an introduction into that, and I'll pick up a bunch of good resources. There are tons of stuff out there about writing code, but there isn't as much about writing code defensively to prevent vulnerabilities. I feel this is a gap in my knowledge, and I'd like to fill it in, a little bit.

The idea is: I'll write some vulnerable code, and write a test for it to show that it's broken. Then write some good code and show the test doesn't work.

Aphasia wrote:
Not having that process in use is one of the things that leads to the tons of vulnerabilities that are available in various kinds of software. Just looking at a bunch of other software and known exploits can easily let you see parts of what is needed to be wary against.


I really admire what the OpenBSD guys have done for advancing security practices. Now that I think about it, I should see what guidelines the OpenBSD project has for code.

Aphasia wrote:
CERT is a really good start, and you should really take a look at/subscribe to OWASP.
http://en.wikipedia.org/wiki/OWASP
https://www.owasp.org/index.php/Main_Page


I'd forgotten about OWASP. I remember seeing some criticisms about it being out of date. Any thoughts?

Aphasia wrote:
If you are interested in the testing and more the penetration-testing part of it, the Metasploit Framework and BackTrack are a good starting point for open source solutions, but that is just about a whole discipline in itself and people take a lot of time in specializing skills around that. Not to mention the commercial software used for exploitation usually is VERY expensive and also revolves not only around the testing part, but also the accounting and documentation of said tests. Another part of that piece is vulnerability testing, which is often used as a precursor to actual pentesting in that you usually scan for vulnerabilities first before you determine how to use them, etc.


Hmmm.... The testing part may be more complicated than I thought.

I'd like to get a base working knowledge of pen-testing, but I'm going to save that for later. I'm trying to temper my ambitions and keep my goals manageable. It would be fun, but it may be a bit much for three credit hours. I have a full time job, and I'll be taking AI in addition to this.
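
Added example, not part of any post in this thread: the "broken code, a test that shows it, then the fix" workflow described above, applied to the timer rollover case mentioned earlier in the thread. The function names, tick values and test table are constructed for illustration, and timeouts are assumed to be shorter than 2^31 ticks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Before: raw comparison of a free-running 32-bit tick counter.
 * Wrong whenever the counter wraps between start and deadline. */
static bool expired_naive(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* After: compare the wrapped difference. Modulo 2^32, now - deadline is
 * below 2^31 exactly when the deadline has been reached, provided no
 * timeout is 2^31 ticks or longer. */
static bool expired_safe(uint32_t now, uint32_t deadline)
{
    return (uint32_t)(now - deadline) < UINT32_C(0x80000000);
}

/* Constructed test cases: start tick, timeout, ticks elapsed, expected. */
struct tick_case { uint32_t start, timeout, elapsed; bool want; };
static const struct tick_case CASES[] = {
    { 1000u,       100u,  50u,   false }, /* no wrap, still waiting      */
    { 1000u,       100u,  100u,  true  }, /* no wrap, expired            */
    { 0xFFFFFFF0u, 0x20u, 0x05u, false }, /* deadline wrapped, now not   */
    { 0xFFFFFFF0u, 0x20u, 0x15u, false }, /* both wrapped, still waiting */
    { 0xFFFFFFF0u, 0x20u, 0x25u, true  }, /* both wrapped, expired       */
    { 0xFFFFFFF0u, 0x05u, 0x20u, true  }, /* now wrapped past deadline   */
};

typedef bool (*expired_fn)(uint32_t now, uint32_t deadline);
/* Run one implementation over every case; return how many it gets wrong. */
static int count_failures(expired_fn check)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof CASES / sizeof CASES[0]; i++) {
        uint32_t deadline = CASES[i].start + CASES[i].timeout; /* may wrap */
        uint32_t now = CASES[i].start + CASES[i].elapsed;      /* may wrap */
        if (check(now, deadline) != CASES[i].want)
            failures++;
    }
    return failures;
}

/* Exit 0 when the test catches the naive check and clears the fixed one. */
int main(void)
{
    return count_failures(expired_naive) == 2 && count_failures(expired_safe) == 0 ? 0 : 1;
}
```

The two cases the naive check gets wrong are the ones where exactly one of `now` and `deadline` has wrapped: it reports a timeout 27 ticks early in one and never reports it in the other.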
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Secure Programming

Fri Aug 02, 2013 9:02 pm

One of the points of OWASP is activities, newsfeeds and participation in the community. I have former colleagues that have been quite involved in the local chapter here but haven't been involved with OWASP much myself so far since I don't generally work with code reviews or coding myself. For the same reason, and that I haven't seen the criticism, I can't really say much of how in/out of date it is. But while specifics can get out of date quite quickly, the basic need and fundamental processes shouldn't be that different.
