Software Security

Archive for March 2007

 

Badness-ometers are good. Do you own one?

Never one to mince words, I coined the term badness-ometer to describe “application security testing tools” like the ones made by SPI Dynamics and Watchfire. For whatever reason, people read more into the term than I intended. I guess they see the term as having only negative connotations. I stick by my nomenclature–black box application […]

Continue Reading...

Posted in Application Security, Web Application Security | Comments Off on Badness-ometers are good. Do you own one?

 

Busting the SQL stored procedure myth

One of the commonly proposed remedies for SQL Injection is to use SQL stored procedures. Use of stored procedures can greatly reduce the likelihood that you’ll code an SQL injection, but it’s not the stored procedure-ness that’s saving you. Stored procedures let you use Static-SQL instead of forcing you to always use Dynamic-SQL. In Static-SQL […]
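The point above in working T-SQL, as an added example that is not part of the original post: one stored procedure that concatenates its parameter into a Dynamic-SQL string and is injectable despite being a stored procedure, the same lookup written as Static-SQL where the parameter is bound as a value, and a version for the case where dynamic SQL is genuinely needed. The `Customers` table, the procedure names and the probe rows are assumptions made for illustration.

```sql
-- Added example (T-SQL, SQL Server). Table, procedure names and data are
-- assumptions for illustration, not from the original post.

CREATE TABLE Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
GO

-- Still injectable: a stored procedure that builds Dynamic-SQL by
-- concatenating the parameter into a string and executing it.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, Name, Email FROM Customers WHERE Name = '''
             + @Name + N'''';
    EXEC(@sql);   -- @Name = N'x'' OR 1=1 --' turns this into WHERE Name = 'x' OR 1=1 --'
END;
GO

-- Static-SQL: @Name is bound as a value by the engine and never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Static @Name NVARCHAR(100)
AS
BEGIN
    SELECT CustomerId, Name, Email FROM Customers WHERE Name = @Name;
END;
GO

-- When dynamic SQL is genuinely needed (here the column to filter on varies),
-- keep user data out of the SQL text: whitelist the identifier and pass the
-- value to sp_executesql as a parameter.
CREATE PROCEDURE dbo.FindCustomer_SafeDynamic @Column SYSNAME, @Value NVARCHAR(200)
AS
BEGIN
    IF @Column NOT IN (N'Name', N'Email')
    BEGIN
        RAISERROR(N'Unsupported column', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, Email FROM Customers WHERE '
        + QUOTENAME(@Column) + N' = @v';
    EXEC sp_executesql @sql, N'@v NVARCHAR(200)', @v = @Value;
END;
GO

-- Constructed probe data and calls.
INSERT INTO Customers (Name, Email)
VALUES (N'alice', N'alice@example.com'), (N'bob', N'bob@example.com');

EXEC dbo.FindCustomer_Dynamic     @Name = N'x'' OR 1=1 --';               -- returns both rows
EXEC dbo.FindCustomer_Static      @Name = N'x'' OR 1=1 --';               -- returns no rows
EXEC dbo.FindCustomer_SafeDynamic @Column = N'Name', @Value = N'x'' OR 1=1 --'; -- returns no rows
```

The first procedure shows why the stored procedure itself is not the safeguard: `EXEC(@sql)` re-parses attacker-controlled text as SQL. The second gets its safety from the parameter being a bound value in Static-SQL, and the third shows that even Dynamic-SQL is fine as long as untrusted input travels as a parameter rather than as part of the SQL string.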

Continue Reading...

Posted in Secure Coding Guidelines | Comments Off on Busting the SQL stored procedure myth

 

Aspect-oriented service architecture: ‘Built in’ or ‘bolted on’ security?

I’ve been looking at how people have been implementing input validation and entitlement evaluation within service-oriented architectures (SOA). One of the nice properties of an SOA is service composition, so transformation and validation can be implemented as an independent utility service and then composed with other services. But service composition has the drawback that one […]

Continue Reading...

Posted in Software Security Testing | Comments Off on Aspect-oriented service architecture: ‘Built in’ or ‘bolted on’ security?