Software Integrity

Archive for the 'Secure Coding Guidelines' Category

 

Is your software MISRA clean?

“Scalpel.” “Scalpel.” “Let’s make the incision … There we go …  Spreader.” “Spreader.” “Good. A little wider. Like that. Metzenbaum.” “Metzenbaum.” “There we are. We’re at the DIVIDE_BY_ZERO site. As you can see, it starts here, and follows this path here. We’ll remove it … gently … nice, a clean extraction. Now, let’s graft in […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines, Security Standards and Compliance, Software Quality, Vulnerability Assessment | Comments Off on Is your software MISRA clean?

 

Meet Auntie MISRA

Seems we all have one: that distant aunt. You know the one I’m talking about. Always dressed to the nines. Always perfectly coiffured. Every detail just so. And that tiny Jack Russell that did tricks on command, never yapped (unless told to “speak”), and was always at her side, springing up to her lap when she pulled out […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines, Security Standards and Compliance | Comments Off on Meet Auntie MISRA

 

Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new […]

Continue Reading...

Posted in Secure Coding Guidelines, Security Training, Web Application Security | Comments Off on Insecure example code leads to insecure production code

 

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment | Comments Off on Does software quality equal software security? It depends.

 

Learn defensive programming for HTML5 in a day

HTML5 is the fifth revision of the HTML standard. HTML5 and its integration with JavaScript introduce new security risks that require careful consideration when writing web front-end code. Modern web-based software, including mobile web front-end applications, make heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their […]

Continue Reading...

Posted in Secure Coding Guidelines, Security Training | Comments Off on Learn defensive programming for HTML5 in a day

 

Securing URL redirects

(This is a guest post by Synopsys consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten 10 List. Sites that are vulnerable often expose a servlet or server-side […]

Continue Reading...

Posted in OWASP, Secure Coding Guidelines, Software Security Testing | Comments Off on Securing URL redirects

 

Busting the SQL stored procedure myth

One of the commonly proposed remedies for SQL Injection is to use SQL stored procedures. Use of stored procedures can greatly reduce the likelihood that you’ll code an SQL injection, but it’s not the stored procedure-ness that’s saving you. Stored procedures let you use Static-SQL instead of forcing you to always use Dynamic-SQL. In Static-SQL […]

Continue Reading...

Posted in Secure Coding Guidelines | Comments Off on Busting the SQL stored procedure myth