Secure Programming

  • What I find most interesting about the NSA's list is that the #3 worst practice on their list is specific to SQL: SQL Injection vulnerability.

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.

    Avoiding injection on stored procedure

    http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx
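
The thread linked above is about injection inside a stored procedure, so here is the shape of that problem in T-SQL. This is an added example, not code from the linked thread or from any poster; the table and procedure names (dbo.Customer, FindCustomer_Vulnerable, FindCustomer_Safe) are made up for illustration.

```sql
-- Vulnerable: the procedure builds dynamic SQL by concatenating the caller's
-- input into the statement text, so the input becomes part of the code.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is fixed and the value travels as a typed
-- parameter through sp_executesql, so it can never change the query's structure.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
END;
GO

-- A perfectly legitimate value containing an apostrophe shows the difference:
-- the concatenated version fails with a syntax error because the quote ends the
-- string literal early, which is exactly the seam an attacker exploits.
EXEC dbo.FindCustomer_Vulnerable @LastName = N'O''Brien';  -- error: incorrect syntax
EXEC dbo.FindCustomer_Safe       @LastName = N'O''Brien';  -- returns the O'Brien row
```

Where the procedure does not need dynamic SQL at all, a static `SELECT ... WHERE LastName = @LastName` is simpler still; sp_executesql with parameters is for the cases (variable table names, optional filters) where the statement genuinely has to be assembled at run time, and even then only identifiers, wrapped in QUOTENAME(), should ever be concatenated.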

  • Michael Valentine Jones (3/18/2009)


    It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.

    Avoiding injection on stored procedure

    http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx

    I've put a suggestion at http://www.sqlservercentral.com/Forums/Topic678702-8-2.aspx for that one.

    There is no problem so great that it can not be solved by caffeine and chocolate.

  • Is it me, or did they miss "Check for NULL"?

    There is no problem so great that it can not be solved by caffeine and chocolate.

  • Well, I've just added that list to my browser favourites. It's an excellent resource.

    I'm a DBA who, at various points, has had to branch out and learn sufficient about various development platforms to achieve certain business requirements. It's easy enough when learning something new to find out what can/can't be done, but it's actually very difficult to find out what should/shouldn't be done. If you simply use your common sense, you don't know enough about the new environment to identify the risks. If you ask for recommendations from a community (such as this), you'll get chapter and verse, and you'll have problems sifting out the important nuggets.

    Therefore, I'll be using that list as a benchmark for any of my applications, and thanks for pointing it out.

    Semper in excretia, suus solum profundum variat

  • In my experience it's fairly difficult to squeeze any sort of good coding practice out of most developers. They have deadlines, code quality be damned.

    As Steve pointed out, security and error handling are significant culprits, but there are others that are less visible, and I think perhaps more common: poor/lack of naming conventions, spaghetti code, useless/missing comments, orphaned functions, etc.

    I can't think what else might belong on that list but I'm sure there's something.

    We can hope that the NSA list will be used as a benchmark for adequately secure code, but the chances of it being used widely are, I think, quite small.

  • Let's go back to the overused analogy of building a house. If you tell a carpenter to build a house that can't be broken into or that is impervious to fire, that carpenter is going to look at you like you are a fool. However, with the help of some specialized subcontractors, namely someone who installs security systems and fire alarms, that person can give you some insulation to the problems of breaking in and fire. They aren't foolproof solutions, but they make it tougher on the burglar.

    As a programmer or DBA, we can't be expected to be experts in everything. Yes we can use some security best practices, but we also need the help of specialists that focus on security issues in whatever environment we are working in. We also need more standards to help guide us. This would be similar to the Building Codes carpenters and general contractors have to use.

  • You've heard the old saw "drive defensively". Well code defensively.

    • Assume that all data is CRAP
    • Assume that all code is broken. Especially if you wrote it.
    • I don't give a hang what DRI is in place you can still have orphans and invalid data in tables.
    • "That can't happen." is most often heard right after it just did.
    • Code, reports, etc. that work just fine in the shop can and will drop dead upon deployment.
    • Managed code is managed but not perfect.
    • Even Micro$oft has bugs.

    One of my customers switched to a large famous ERP system. The new system had been tested for months. What brought it down on the first day live? Someone posted a memo stating that all users should log on at precisely 10 AM Eastern. :w00t: Jammed the logon queues and, a couple of minutes later, the phone system. Perfectly working software. Killed by several thousand people all watching the clock tick down and hitting the button together.

    ATB
    Charles Kincaid
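
Charles's "assume all data is CRAP" and "you can still have orphans despite DRI" items, together with the earlier "Check for NULL" remark, translate into a few concrete habits in T-SQL. The following is an added illustration, not code from any poster; dbo.Orders, dbo.OrderDetails, dbo.ShipOrder and the error numbers are hypothetical.

```sql
-- 1. Validate parameters before doing anything; NULL and nonsensical values are
--    rejected explicitly rather than silently producing an empty or wrong result.
CREATE PROCEDURE dbo.ShipOrder
    @OrderId  INT,
    @Quantity INT
AS
BEGIN
    SET NOCOUNT ON;

    IF @OrderId IS NULL OR @Quantity IS NULL
        THROW 50001, N'OrderId and Quantity are required.', 1;
    IF @Quantity <= 0
        THROW 50002, N'Quantity must be positive.', 1;

    -- 2. Do not assume the foreign key guarantees the parent row exists: constraints
    --    can be disabled, data can be bulk-loaded with checks off, or the row can be
    --    deleted between the caller's lookup and this call.
    IF NOT EXISTS (SELECT 1 FROM dbo.Orders WHERE OrderId = @OrderId)
        THROW 50003, N'Order does not exist.', 1;

    UPDATE dbo.Orders SET Shipped = 1 WHERE OrderId = @OrderId;
END;
GO

-- 3. Periodic audit for orphans: child rows whose parent is gone. A disabled or
--    WITH NOCHECK foreign key will happily allow these to exist.
SELECT d.OrderDetailId, d.OrderId
FROM dbo.OrderDetails AS d
LEFT JOIN dbo.Orders AS o ON o.OrderId = d.OrderId
WHERE o.OrderId IS NULL;

-- 4. Find the foreign keys SQL Server itself does not currently trust, which is
--    where the orphans above usually come from.
SELECT name, is_disabled, is_not_trusted
FROM sys.foreign_keys
WHERE is_disabled = 1 OR is_not_trusted = 1;
```

The last query is the quick way to tell whether "DRI is in place" actually means anything on a given database: a key listed there has either been switched off or was re-enabled without re-validating existing rows, so the optimizer and your code both have to treat the relationship as advisory.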

  • Charles, that's a good list. I need to keep that one around.

  • Constants aren't and variables do...

    There is no problem so great that it can not be solved by caffeine and chocolate.

  • Too many web developers I have met do not understand even half of the items in the top 25 list...

    And if they don't get it, management certainly does not within those same organizations.

  • Ian Brown (3/19/2009)


    Constants aren't and variables do...

    What language is it where

    1 = 2

    is supported?

    ATB
    Charles Kincaid

  • Charles Kincaid (3/19/2009)


    Ian Brown (3/19/2009)


    Constants aren't and variables do...

    What language is it where

    1 = 2

    is supported?

    I've forgotten enough COBOL that I can't recall if it worked there, but I'm pretty sure that's true and easy to explain in Perl (for small values of easy).

  • Charles Kincaid (3/19/2009)


    Ian Brown (3/19/2009)


    Constants aren't and variables do...

    What language is it where

    1 = 2

    is supported?

    The issue isn't whether it's supported in some language, the issue is whether it happens in that language.

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."
