Secure coding: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 18:12, 1 February 2022 edit 106.215.85.84 (talk) No edit summary ← Previous edit		Latest revision as of 17:30, 1 September 2024 edit undo Liz (talk \| contribs) Autopatrolled, Checkusers, Oversighters, Administrators 843,503 edits Removing link(s) to "Secure by default": Removing links to deleted page Secure by default. Tag: Twinkle
(15 intermediate revisions by 10 users not shown)
Line 1: {{Short description\|~~Computer~~Software ~~software~~development methodology}} {{Multiple issues\| {{More citations needed\|date=September 2017}} Line 5: }} '''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite ~~journal~~book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|~~date~~title=~~2006-09-22~~Proceedings of the 3rd annual conference on Information security curriculum development \|~~title~~chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053~~\|journal=Proceedings of the 3rd Annual Conference on Information Security Curriculum Development~~\|series=InfoSecCD '06\|___location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>▼ {{Computer security}}▼ Some scholars have suggested that in order to effectively confront threats related to [[Computer security\|cybersecurity]], proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883 \|journal=Information Systems Security\|id={{ProQuest\|229507883}} }}</ref> ▲'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite journal\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|date=2006-09-22\|title=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum\|url=https://doi.org/10.1145/1231047.1231053\|journal=Proceedings of the 3rd Annual Conference on Information Security Curriculum Development\|series=InfoSecCD '06\|___location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref> == Buffer-overflow prevention == Line 24: // copy a maximum of BUF_SIZE bytes strncpy(dst, user_input, BUF_SIZE); // set the last character in the buffer to NUL. dst[BUF_SIZE -1] = '\0'; } </syntaxhighlight>Another secure alternative is to dynamically allocate memory on the heap using [[malloc]].<syntaxhighlight lang="c++"> Line 36 ⟶ 38: return dst; } </syntaxhighlight>In the above code snippet, the program attempts to copy the contents of '''''src''''' into '''''dst,''''', while also checking the return value of malloc to ensure that enough memory was able to be allocated for the destination buffer. == Format-string attack prevention == Line 45 ⟶ 47: printf(malicious_input); } </syntaxhighlight>A malicious argument passed to the program could be “"%s%s%s%s%s%s%s”s", which can crash the program from improper memory reads. == Integer-overflow prevention == Line 77 ⟶ 79: == See also == * [[Application security\|Application Security]] * [[Defensive programming]] * [[Security bug]] * Secure by default == Notes == Line 86 ⟶ 90: * {{Cite book\| last = Taylor \| first = Art \|author2=Brian Buege \|author3=Randy Layman \| title = Hacking Exposed J2EE & Java \| year = 2006 \| publisher = McGraw-Hill Primis \| pages = 426 \| isbn = 0-390-59975-1 }} ▲{{Computer security}} {{DEFAULTSORT:Secure Coding}} [[Category:Computer security]]