LOGIN | REGISTER NOW | SUBSCRIBE
 
print Printable version 
Most Read Latest News Blog Resources
CouchDB brings peer-based data replication
This NoSQL database is now production ready for developers who want to spread data out wit...
Experts: UML is active, but the buzz is lost
Since widespread acceptance, there is little enthusiasm around the language even ahead of ...
Compuware intros new GUI for mainframe tools
Beyond the GUI are plug-ins for data and debugging tools, as well as an OEM edition of Sli...
Black Hat conference fields suggestions for software security
Attendees give a wide variety of ideas about the subject, with Rex Black adding in some of...
Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter


            iphoneapp GET THE APP!

A Taxonomy of Coding Errors


By Allen Holub
June 1, 2006 —  (Page 1 of 3)
Programmers have the wrong idea about security. All too often, they see security as something that’s external to the program—something to do with firewalls and routers and viruses and trojans. In fact, almost all of the real security “exploits”—the ones that bring down not just Web sites but whole corporate networks, the ones that let hackers harvest sensitive client information from your database—come from exploiting bugs in your software.

Put another way, the only way for a system to really be secure is to build it to be secure, and to test it thoroughly with security in mind. The most secure

systems are the ones that are just plain built well: well thought out, well programmed, well tested. If you’re careful about both the software you’re building and the way you build it, the system will be inherently secure.

Unfortunately, most of the programs that are written nowadays are not exactly well done. The security problem is particularly nasty in the world of Web services, which are designed from the ground up to circumvent firewalls. This is what happens when you approach security in a wrongheaded way. “Oh, no,” says the IT security cop. “You can’t put a hole in my firewall for your paltry application!” “No problem,” says the wily programmer. “I’ll just tunnel everything through port 80.”

A Web service is really nothing but a way to make a function call directly into your application server right through the firewall, and I can guarantee that many of the functions called in this way will have exploitable bugs that can bring down your server, or worse. There are a bunch of standards out there attempting to address the access problem, but none of these standards protects you from bug-induced security holes.

AJAX provides another hole you can drive a truck through. The HTTP communication between an AJAX Web client and server is effectively a set of function calls wrapped in XML (or not). These AJAX calls have effectively no security infrastructure around them, so a hacker who’s pretending to be the Web page that you served has carte blanch to wreak havoc. The average hacker is not going to be nearly as polite with your AJAX infrastructure as the pages that you wrote.


Pages 1 2 3 


Share this link: http://www.sdtimes.com/link/29344
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading



 
 
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 8/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Like Ruby n' Rails
Programming languages and Web frameworks go together like peas n carrots. Or Ruby n' Rails.
07/30/2010 04:36 PM EST

Adobe buys a Web-based IDE
Adobe looks to buy a rapid and agile Web development environment.
07/28/2010 03:49 PM EST

OpenStack opens up
OpenStack looks to be an intriguing new idea for running clouds.
07/28/2010 01:56 PM EST

 

Events calendar tab
SHARE
8/1/2010 to 8/5/2010
Boston
SHARE

VSLive
8/2/2010 to 8/6/2010
Redmond, Wash.
1105 Media

Agile 2010
8/9/2010 to 8/13/2010
Orlando
Agile Alliance

Delphi Live
8/23/2010 to 8/26/2010
San Jose
S&S Media

VMworld
8/30/2010 to 9/2/2010
San Francisco
VMware