“Scalpel.” “Scalpel.” “Let’s make the incision … There we go … Spreader.” “Spreader.” “Good. A little wider. Like that. Metzenbaum.” “Metzenbaum.” “There we are. We’re at the DIVIDE_BY_ZERO site. As you can see, it starts here, and follows this path here. We’ll remove it … gently … nice, a clean extraction. Now, let’s graft in […]
Seems we all have one: that distant aunt. You know the one I’m talking about. Always dressed to the nines. Always perfectly coiffured. Every detail just so. And that tiny Jack Russell that did tricks on command, never yapped (unless told to “speak”), and was always at her side, springing up to her lap when she pulled out […]
There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new […]
Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical, such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]
(This is a guest post by Synopsys consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top 10 List. Sites that are vulnerable often expose a servlet or server-side […]
One of the commonly proposed remedies for SQL Injection is to use SQL stored procedures. Use of stored procedures can greatly reduce the likelihood that you’ll code an SQL injection, but it’s not the stored procedure-ness that’s saving you. Stored procedures let you use Static-SQL instead of forcing you to always use Dynamic-SQL. In Static-SQL […]