Flylib.com
Writing Secure Code, Second Edition
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
Authors:
Michael Howard
,
David LeBlanc
BUY ON AMAZON
Cover
LOC Page
Dedication
Foreword
Acknowledgments
Introduction
Who Should Read This Book
Organization of This Book
About the Companion CD
System Requirements
Disclaimer
The Need for Secure Systems
Applications on the Wild Wild Web
Getting Everyone s Head in the Game
Some Ideas for Instilling a Security Culture
Designing Secure Systems
Two Common Security Mistakes
Security Principles to Live By
Security Design by Threat Modeling
Security Techniques
Back to the Example Payroll Application
A Cornucopia of Threats and Solutions
Public Enemy 1: The Buffer Overrun
Static Buffer Overruns
Heap Overruns
Array Indexing Errors
Format String Bugs
Unicode and ANSI Buffer Size Mismatches
Preventing Buffer Overruns
Good News on the Horizon
Determining Good Access Control
Why ACLs Are Important
What Makes Up an ACL?
A Method of Choosing Good ACLs
Creating ACLs
NULL DACLs and Other Dangerous ACE Types
Other Access Control Mechanisms
Running with Least Privilege
Least Privilege in the Real World
Brief Overview of Access Control
Brief Overview of Privileges
Brief Overview of Tokens
How Tokens, Privileges, SIDs, ACLs, and Processes Relate
A Process for Determining Appropriate Privilege
Low-Privilege Service Accounts in Windows XP and Windows .NET Server
Debugging Least-Privilege Issues
Cryptographic Foibles
Using Poor Random Numbers
Using Passwords to Derive Cryptographic Keys
Poor Key Management
Rolling Your Own Cryptographic Functions
Using the Same Stream-Cipher Encryption Key
Bit-Flipping Attacks Against Stream Ciphers
Reusing a Buffer for Plaintext and Ciphertext
Storing Secrets
Attack Methods
Sometimes You Don t Need to Store a Secret
Getting the Secret from the User
Storing Secrets in Windows 2000 and Windows XP
Storing Secrets in Windows NT 4
Storing Secrets in Windows 95, Windows 98, Windows Me, and Windows CE
Raising the Security Bar
An Idea: Using External Devices to Encrypt Secret Data
Canonical Representation Issues
What Does Canonical Mean, and Why Is It a Problem?
A Bit of History
Common Windows Canonicalization Mistakes
Preventing Canonicalization Mistakes
A Final Thought: Non-File-Based Canonicalization Issues
Socket Security
Avoiding Server Hijacking
Choosing Server Interfaces
Accepting Connections
Writing Firewall-Friendly Applications
Spoofing and Host-Based and Port-Based Trust
Securing RPC, ActiveX Controls, and DCOM
An RPC Primer
Secure RPC Best Practices
Secure DCOM Best Practices
An ActiveX Primer
Secure ActiveX Best Practices
Protecting Against Denial of Service Attacks
Application Failure Attacks
CPU Starvation Attacks
Memory Starvation Attacks
Resource Starvation Attacks
Network Bandwidth Attacks
Securing Web-Based Services
Never Trust User Input
Web-Specific Canonicalization Bugs
Other Web-Based Security Topics
Writing Secure .NET Code
Buffer Overruns and the Common Language Runtime
Storing Secrets in .NET
Always Demand Appropriate Permissions
Overzealous Use of Assert
Further Information Regarding Demand and Assert
Don t Be Afraid to Refuse Permissions
Validate Data from Untrusted Sources
Be Thread-Aware in ASP.NET
Disable Tracing and Debugging Before Deploying ASP.NET Applications
Generating Good Random Numbers by Using the .NET Framework
Deserializing Data from Untrusted Sources
Don t Tell the Attacker Too Much When You Fail
SOAP Ponderings
Some Final Thoughts
Testing Secure Applications
The Role of the Security Tester
Security Testing Is Different
Getting Started
Building the Security Test Plan
Testing Clients with Rogue Servers
Should a User See or Modify That Data?
Testing with Security Templates
Test Code Should Be of Great Quality
Test the End-to-End Solution
Slightly Off-Topic: Code Reviews
Secure Software Installation
Principle of Least Privilege
Using the Security Configuration Editor
Low-Level Security APIs
General Good Practices
Protecting Customer Privacy
Don t Tell the Attacker Anything
Double-Check Your Error Paths
Keep It Turned Off
Kernel-Mode Mistakes
Consider Adding Security Comments to Code
Leverage the Operating System
Don t Rely on Users Making Good Decisions
Calling CreateProcess Securely
Don t Create SharedWritable Segments
Using Impersonation Functions Correctly
Don t Write User Files to Program Files
Don t Write User Data to HKLM
Don t Open Objects for FULL_CONTROL or ALL_ACCESS
Object Creation Mistakes
Creating Temporary Files Securely
Client-Side Security Is an Oxymoron
Samples Are Templates
Dogfood Your Stuff
You Owe It to Your Users If...
Determining Access Based on an Administrator SID
Allow Long Passwords
Appendix A
Appendix B
Appendix C
Appendix D
A Final Thought
Annotated Bibliography
Michael Howard
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
Authors:
Michael Howard
,
David LeBlanc
BUY ON AMAZON
Metrics and Models in Software Quality Engineering (2nd Edition)
The Cleanroom Methodology
Run Charts
Defect Removal Effectiveness and Quality Planning
The Evaluation Phase
Keep It Simple or Face Decomplexification
A+ Fast Pass
Domain 1 Installation, Configuration, and Upgrading
Domain 2 Diagnosing and Troubleshooting
Domain 5 Printers
Domain 1 Operating System Fundamentals
Domain 2 Installation, Configuration, and Upgrading
MySQL Clustering
Startup Phases
Common Errors While Importing Tables
Configuration
Benchmarking
Miscellaneous Commands
Postfix: The Definitive Guide
Starting Postfix the First Time
Local Mail Transfer Protocol
Content-Checking
Customized Restriction Classes
A.1. Postfix Parameter Reference
Cisco Voice Gateways and Gatekeepers
Circuit Options
Dial Peers
Assigning COR Lists with Cisco CallManager Express
SIP SRST
Configuring Gatekeeper Security
Persuasive Technology: Using Computers to Change What We Think and Do (Interactive Technologies)
Overview of Captology
Computers as Persuasive Social Actors
Credibility and Computers
Increasing Persuasion through Mobility and Connectivity
Captology Looking Forward
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy
This website uses cookies. Click
here
to find out more.
Accept cookies