Flylib.com
Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2003
Pages: 153
Authors: Michael Howard, David LeBlanc
Cover
LOC Page
Dedication
Foreword
Acknowledgments
Introduction
Who Should Read This Book
Organization of This Book
About the Companion CD
System Requirements
Disclaimer
The Need for Secure Systems
Applications on the Wild Wild Web
Getting Everyone's Head in the Game
Some Ideas for Instilling a Security Culture
Designing Secure Systems
Two Common Security Mistakes
Security Principles to Live By
Security Design by Threat Modeling
Security Techniques
Back to the Example Payroll Application
A Cornucopia of Threats and Solutions
Public Enemy 1: The Buffer Overrun
Static Buffer Overruns
Heap Overruns
Array Indexing Errors
Format String Bugs
Unicode and ANSI Buffer Size Mismatches
Preventing Buffer Overruns
Good News on the Horizon
Determining Good Access Control
Why ACLs Are Important
What Makes Up an ACL?
A Method of Choosing Good ACLs
Creating ACLs
NULL DACLs and Other Dangerous ACE Types
Other Access Control Mechanisms
Running with Least Privilege
Least Privilege in the Real World
Brief Overview of Access Control
Brief Overview of Privileges
Brief Overview of Tokens
How Tokens, Privileges, SIDs, ACLs, and Processes Relate
A Process for Determining Appropriate Privilege
Low-Privilege Service Accounts in Windows XP and Windows .NET Server
Debugging Least-Privilege Issues
Cryptographic Foibles
Using Poor Random Numbers
Using Passwords to Derive Cryptographic Keys
Poor Key Management
Rolling Your Own Cryptographic Functions
Using the Same Stream-Cipher Encryption Key
Bit-Flipping Attacks Against Stream Ciphers
Reusing a Buffer for Plaintext and Ciphertext
Storing Secrets
Attack Methods
Sometimes You Don't Need to Store a Secret
Getting the Secret from the User
Storing Secrets in Windows 2000 and Windows XP
Storing Secrets in Windows NT 4
Storing Secrets in Windows 95, Windows 98, Windows Me, and Windows CE
Raising the Security Bar
An Idea: Using External Devices to Encrypt Secret Data
Canonical Representation Issues
What Does Canonical Mean, and Why Is It a Problem?
A Bit of History
Common Windows Canonicalization Mistakes
Preventing Canonicalization Mistakes
A Final Thought: Non-File-Based Canonicalization Issues
Socket Security
Avoiding Server Hijacking
Choosing Server Interfaces
Accepting Connections
Writing Firewall-Friendly Applications
Spoofing and Host-Based and Port-Based Trust
Securing RPC, ActiveX Controls, and DCOM
An RPC Primer
Secure RPC Best Practices
Secure DCOM Best Practices
An ActiveX Primer
Secure ActiveX Best Practices
Protecting Against Denial of Service Attacks
Application Failure Attacks
CPU Starvation Attacks
Memory Starvation Attacks
Resource Starvation Attacks
Network Bandwidth Attacks
Securing Web-Based Services
Never Trust User Input
Web-Specific Canonicalization Bugs
Other Web-Based Security Topics
Writing Secure .NET Code
Buffer Overruns and the Common Language Runtime
Storing Secrets in .NET
Always Demand Appropriate Permissions
Overzealous Use of Assert
Further Information Regarding Demand and Assert
Don't Be Afraid to Refuse Permissions
Validate Data from Untrusted Sources
Be Thread-Aware in ASP.NET
Disable Tracing and Debugging Before Deploying ASP.NET Applications
Generating Good Random Numbers by Using the .NET Framework
Deserializing Data from Untrusted Sources
Don't Tell the Attacker Too Much When You Fail
SOAP Ponderings
Some Final Thoughts
Testing Secure Applications
The Role of the Security Tester
Security Testing Is Different
Getting Started
Building the Security Test Plan
Testing Clients with Rogue Servers
Should a User See or Modify That Data?
Testing with Security Templates
Test Code Should Be of Great Quality
Test the End-to-End Solution
Slightly Off-Topic: Code Reviews
Secure Software Installation
Principle of Least Privilege
Using the Security Configuration Editor
Low-Level Security APIs
General Good Practices
Protecting Customer Privacy
Don't Tell the Attacker Anything
Double-Check Your Error Paths
Keep It Turned Off
Kernel-Mode Mistakes
Consider Adding Security Comments to Code
Leverage the Operating System
Don't Rely on Users Making Good Decisions
Calling CreateProcess Securely
Don't Create Shared/Writable Segments
Using Impersonation Functions Correctly
Don't Write User Files to Program Files
Don't Write User Data to HKLM
Don't Open Objects for FULL_CONTROL or ALL_ACCESS
Object Creation Mistakes
Creating Temporary Files Securely
Client-Side Security Is an Oxymoron
Samples Are Templates
Dogfood Your Stuff
You Owe It to Your Users If...
Determining Access Based on an Administrator SID
Allow Long Passwords
Appendix A
Appendix B
Appendix C
Appendix D
A Final Thought
Annotated Bibliography