Wrap-up & Resources

Obviously, there's a lot of different kinds of data to check. But where does this data get into your program? The answer is from a surprising number of places; in fact, your program may be getting data from an attacker in ways you weren't prepared for. I'll discuss this in my next installment.

• Read David's first installment in the Secure programmer series, "Developing secure programs."
  
  
• David's book Secure Programming for Linux and Unix HOWTO (Wheeler, 2003) gives a detailed account on how to develop secure software.
  
  
• CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library describes the MIDI library vulnerability and has links to more details.
  
  
• Jeffrey Friedl's Mastering Regular Expressions (O'Reilly & Associates, 1997) is a good book on how to create regular expressions.
  
  
• [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext describes how a local user could raise their privileges by exploiting an error in checking the locale.
  
  
• Matt Bishop's How Attackers Break Programs, and How To Write Programs More Securely is a set of slides from SANS 2002 on how to write secure programs; slides 64-66 discuss the integer overflow exploit in Sendmail.
  
  
• John Viega and Matt Messier's Secure Programming Cookbook (O'Reilly & Associates, 2003) has lots of code fragments that can be useful for validating data.
  
  
• IETF Request for Comment (RFC) 2965, HTTP State Management Mechanism by Kristol and Montulli, discusses some of the security issues with Web cookies.
  
  
• "Practical Linux security" outlines a several ways to keep user accounts safe.
  
  
• Software security principles" discusses the most important things to keep in mind when designing and building secure systems.
  
  
• "Building secure software" is a two-part series that focuses on selecting the technologies that help you create secure code. Part 1 covers choices in programming languages and distributed object platforms, and Part 2 covers operating systems and authentication technologies.
  
  
• For information on what IBM is doing in the are of security, visit the IBM Research Security group home page.
  
  
• "Secure Internet applications on the AS/400 system" gives an overview of SSL and covers those OS/400 applications that use SSL.
  
  
• The IBM Linux Technology Center supports a number of security-related projects on Linux, including Linux Security Modules, the GCC extension for protecting applications from stack-smashing attacks, and more.
  
  
• "Enterprise Security for Linux" is a white paper offering a technical discussion of IBM Tivoli Access Manager for Linux. You'll find more Tivoli information on developerWorks'Tivoli Developer Domain.
  
  
• You'll find more Linux articles in the developerWorks Linux zone.