次の方法で共有

Writing Secure Code

  • [アーティクル]

Michael Howard writes about habits for developing secure code in the November 2006 issue of MSDN Magazine (https://msdn.microsoft.com/msdnmag/issues/06/11/SecureHabits/default.aspx).  Interesting enough, I just started reading his book on the Security Development Lifecycle and in the few pages that I have read so far, I think I would already recommend it to anyone who deals with writing software (there are very good insights on how to position the need for security to management/stakeholders as well).

One tip that I always like to stress is to always code for what you know is correct.  I've seen so many people do this:

if (input is bad #1) || (input is bad #2) || (input is bad #3)
{
    // reject input
}
else
{
    // input deemed non-malicious, do processing
}

Which is a good first step to input validation but is inherently insecure - there's no way that you can think of *all* of the various malicious inputs.  A better way would be to code for what you know is correct.  This is easily achieved with regular expressions.

if (input is good #1) || (input is good #2)
{
    // do processing
}
else
{
    // reject input
}

In line with this, I'd like to invite you all to attend the upcoming MSDN Connection Evening on Nov 30: https://mssg.earth9.com/singapore/edm/2006/11/02/msdn.html

Comments

  • Anonymous
    November 05, 2006
    One of the reason why codes are getting less secure (or has it been secured before anyway?) is due to the stuff that is taught in school. At least from my perspective, no formal security modules are available and in all programming related modules, security is of the least priority over features. Whe the IHL start churning out army of coders without proper training in secure coding habits, what in turn produce a new generation of insecure codes. Too much emphasis is put in churning out nice reports and wonderful features in school that the most important aspect of any production codes (security) has been overlooked.

  • Anonymous
    November 05, 2006
    That's a very good point Yizhe.  I'm trying to educate as many people as possible with regards to the importance secure coding.  As you know we're doing a number of talks on and off campus with developer security as the focus.