Secure programmer: Validating input
Wrap-up & Resources
Obviously, there are many different kinds of data to check. But where does this data get into your program? The answer is from a surprising number of places; in fact, your program may be getting data from an attacker in ways you weren't prepared for. I'll discuss this in my next installment.
- Read David's first installment in the Secure programmer series, "Developing secure programs."
- David's book Secure Programming for Linux and Unix HOWTO (Wheeler, 2003) gives a detailed account on how to develop secure software.
- CERT Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library describes the MIDI library vulnerability and has links to more details.
- Jeffrey Friedl's Mastering Regular Expressions (O'Reilly & Associates, 1997) is a good book on how to create regular expressions.
- [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext describes how a local user could raise their privileges by exploiting an error in checking the locale.
- Matt Bishop's How Attackers Break Programs, and How To Write Programs More Securely is a set of slides from SANS 2002 on how to write secure programs; slides 64-66 discuss the integer overflow exploit in Sendmail.
- John Viega and Matt Messier's Secure Programming Cookbook (O'Reilly & Associates, 2003) has lots of code fragments that can be useful for validating data.
- IETF Request for Comment (RFC) 2965, HTTP State Management Mechanism by Kristol and Montulli, discusses some of the security issues with Web cookies.
- "Practical Linux security" outlines several ways to keep user accounts safe.
- "Software security principles" discusses the most important things to keep in mind when designing and building secure systems.
- "Building secure software" is a two-part series that focuses on selecting the technologies that help you create secure code. Part 1 covers choices in programming languages and distributed object platforms, and Part 2 covers operating systems and authentication technologies.
- For information on what IBM is doing in the area of security, visit the IBM Research Security group home page.
- "Secure Internet applications on the AS/400 system" gives an overview of SSL and covers those OS/400 applications that use SSL.
- The IBM Linux Technology Center supports a number of security-related projects on Linux, including Linux Security Modules, the GCC extension for protecting applications from stack-smashing attacks, and more.
- "Enterprise Security for Linux" is a white paper offering a technical discussion of IBM Tivoli Access Manager for Linux. You'll find more Tivoli information on developerWorks' Tivoli Developer Domain.
- You'll find more Linux articles in the developerWorks Linux zone.
First published by IBM developerWorks