WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH NEWS ON MONDAY SPTECHREPORT SPTECHWEB SPTECHCON IPHONE/IPAD DEVCON ANDROID DEVCON PRIVACY POLICY CONTACT US

HOME >> COLUMNS

A Taxonomy of Coding Errors

By Allen Holub

June 1, 2006 — (Page 1 of 2)
Programmers have the wrong idea about security. All too often, they see security as something that’s external to the program—something to do with firewalls and routers and viruses and trojans. In fact, almost all of the real security “exploits”—the ones that bring down not just Web sites but whole corporate networks, the ones that let hackers harvest sensitive client information from your database—come from exploiting bugs in your software.

Put another way, the only way for a system to really be secure is to build it to be secure, and to test it thoroughly with security in mind. The most secure

systems are the ones that are just plain built well: well thought out, well programmed, well tested. If you’re careful about both the software you’re building and the way you build it, the system will be inherently secure.

Unfortunately, most of the programs that are written nowadays are not exactly well done. The security problem is particularly nasty in the world of Web services, which are designed from the ground up to circumvent firewalls. This is what happens when you approach security in a wrongheaded way. “Oh, no,” says the IT security cop. “You can’t put a hole in my firewall for your paltry application!” “No problem,” says the wily programmer. “I’ll just tunnel everything through port 80.”

A Web service is really nothing but a way to make a function call directly into your application server right through the firewall, and I can guarantee that many of the functions called in this way will have exploitable bugs that can bring down your server, or worse. There are a bunch of standards out there attempting to address the access problem, but none of these standards protects you from bug-induced security holes.

AJAX provides another hole you can drive a truck through. The HTTP communication between an AJAX Web client and server is effectively a set of function calls wrapped in XML (or not). These AJAX calls have effectively no security infrastructure around them, so a hacker who’s pretending to be the Web page that you served has carte blanch to wreak havoc. The average hacker is not going to be nearly as polite with your AJAX infrastructure as the pages that you wrote.

Pages 1 2

Share this link: http://sdt.bz/29344

Most Read Latest News Blog Resources

Jama Contour 3.4 brings shared vision to align development activities with business priorities
New version of Jama’s Web application makes managing complex projects easier

Jama Software integrates Contour with Rally's leading agile lifecycle management platform
Integration aligns product vision and customer needs to daily development activities to empower Agile success an organization

Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans

Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists

Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans

Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists

Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles

Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions

Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.

RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.

The Hidden Costs of Software Licensing Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...

Case Study: You May Need a Development Mechanic As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...

Ensuring Software Quality at a Major International Bank One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...

Load Testing Adobe Flex Applications Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Stop hard-coding business rules Giving more power to "business developers" can streamline production, though it has its drawbacks

Jinx Provides New Tools for Identifying Concurrency Errors and Gaining Better Insight Jinx Provides New Tools for Identifying Concurrency Errors and Gaining Better Insight Into Parallel Software

Programming 101: It's not just about coding anymore Educators are thinking of bringing real-world experiences into the classroom to better prepare students for the workforce

Add comment

Name*
Email*
Country

Comment

Stop hard-coding business rules
Giving more power to "business developers" can streamline production, though it has its drawbacks Read More...

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
FEBRUARY 2012 PDF ISSUE

Need Back Issues?
DOWNLOAD HERE

Want to subscribe?

Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
02/07/2012 11:57 AM EST

RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
02/04/2012 01:57 PM EST

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
02/03/2012 12:17 PM EST

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.
02/02/2012 08:26 AM EST

Ryan Dahl steps down
Ryan Dahl, creator of Node.js, steps back from his position as gatekeeper for the project.
02/01/2012 04:58 PM EST

Bloomberg opens its API
Bloomberg's APIs could lead to a future standard for accessing market data.
02/01/2012 04:41 PM EST