Consider Adding Security Comments to Code

Previous page
Table of content
Next page

Consider Adding Security Comments to Code

At numerous security code reviews, code owners have responded with blank looks and puzzled comments when I ve asked questions such as, Why was that security decision made? and What assertions do you make about the data at this point? Based on this, it has become obvious that you need to add comments to security-sensitive portions of code. The following is a simple example. Of course, you can use your own style, as long as you are consistent:

// SECURITY! // The following assumes that the user input, in szParam, // has already been parsed and verified by the calling function. HFILE hFile = CreateFile(szParam, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { // Work on file. }

This little comment really helps people realize what security decisions and assertions were made at the time the code was written.


Previous page
Table of content
Next page
Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
Authors: Michael Howard, David LeBlanc
BUY ON AMAZON
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
Network Security Architectures
C++ GUI Programming with Qt 3
C & Data Structures (Charles River Media Computer Engineering)
DNS & BIND Cookbook
Python Programming for the Absolute Beginner, 3rd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy