
Expert tips for finding security defects in your code

Staff | Date: Oct 29, 2003



This article at Microsoft's MSDN developer website provides expert tips for finding security defects in your code. The article is written by Michael Howard, a senior program manager and founding member of Microsoft's Secure Windows Initiative group, and a coauthor of Writing Secure Code (Microsoft Press, 2002).


Quoting from the article's introduction:

"Reviewing code for security defects is a key ingredient in the software creation process, ranking alongside planning, design, and testing. Here the author reflects over his years of code security reviews to identify patterns and best practices that all developers can follow when tracking down potential security loopholes. The process begins by examining the environment the code runs in, considering the roles of the users who will run it, and studying the history of any security issues the code may have had. After gaining an understanding of these background issues, specific vulnerabilities can be hunted down, including SQL injection attacks, cross-site scripting, and buffer overruns. In addition, certain red flags, such as variable names like 'password', 'secret', and other obvious but common security blunders, can be searched for and remedied."
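The quoted introduction suggests searching code for red flags such as identifiers named 'password' or 'secret' alongside the classic defect classes (SQL injection, cross-site scripting, buffer overruns). The following Python script is an added example of such a first-pass scan; it is not code from the MSDN article or from Michael Howard, and the red-flag patterns, the sample source lines and the reasons attached to each finding are all constructed here for illustration. It is meant as a triage aid that points a reviewer at lines worth reading by hand, not as a replacement for the manual review the article describes.

```python
import re
from typing import List, Tuple

# Constructed sample source lines in a mix of C, Java, Python and ASP.NET.
# Each line is invented for this example; line 6 is a deliberately clean line.
SAMPLE_SOURCE = """\
char *password = "hunch-and-guess";
strcpy(buf, argv[1]);
String q = "SELECT * FROM users WHERE name = '" + userName + "'";
secretKey = load_from_vault()
Response.Write(Request.QueryString["msg"]);
int count = strlen(name);
sprintf(msg, "%s", input);
"""

# Hypothetical red-flag catalogue: (category, pattern, why a reviewer cares).
# The patterns are intentionally simple text heuristics, so expect false
# positives; the goal is to shortlist lines for human review.
RED_FLAGS = [
    ("hardcoded-secret",
     re.compile(r'\b\w*(password|passwd|secret|apikey|api_key)\w*\s*=\s*["\']', re.I),
     "secret material assigned from a string literal"),
    ("secret-identifier",
     re.compile(r'\b\w*(password|passwd|secret)\w*\b', re.I),
     "identifier names secret material; check how it is stored and logged"),
    ("sql-concat",
     re.compile(r'\b(select|insert|update|delete)\b[^;]*["\']\s*\+', re.I),
     "SQL text built by string concatenation; use parameterised queries"),
    ("unsafe-c-call",
     re.compile(r'\b(strcpy|strcat|sprintf|gets)\s*\('),
     "unbounded copy/format into a fixed buffer; use bounded variants"),
    ("reflected-output",
     re.compile(r'Response\.Write\s*\(\s*Request\.'),
     "request data written straight to the response; encode output first"),
]


def scan_lines(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, stripped_line) for every red flag hit.

    A single line can trigger several categories; each hit is reported
    separately so the reviewer sees every reason the line was flagged.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern, _reason in RED_FLAGS:
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
    return findings


def categories_for_line(findings: List[Tuple[int, str, str]], lineno: int) -> List[str]:
    """Sorted list of categories that fired on one line (empty if clean)."""
    return sorted({cat for (n, cat, _) in findings if n == lineno})


def report(source: str) -> None:
    """Print a human-readable triage list with the reason for each hit."""
    reasons = {cat: why for cat, _, why in RED_FLAGS}
    for lineno, category, text in scan_lines(source):
        print(f"line {lineno:>3}  [{category}]  {text}")
        print(f"           reason: {reasons[category]}")


if __name__ == "__main__":
    report(SAMPLE_SOURCE)
```

Running the script lists seven hits over the sample: the hardcoded password line fires twice (once for the literal assignment and once for the identifier name), the SQL concatenation, the two unbounded C calls and the reflected request parameter fire once each, and `secretKey = load_from_vault()` is flagged only as a secret-bearing identifier, which is exactly the kind of line the article says to look at rather than automatically fix. The `strlen` line produces nothing, showing that the heuristics do not simply flag every string operation.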
