+ 5
How can a beginner make his program secure?
I am writing a little program for my job that is supposed to sit on the company computer desktop. Nothing spectacular - it doesn't access the internet, it doesn't load any data; it just takes some keyboard input and writes it in a text file. Now my question: I don't want to create any liability, but on the other hand have no idea what sort of trouble an evil-doer could pull off, or how. How do I go about making a program safe? Which steps do I need to follow? Are there principles that I should adhere to?
8 Answers
+ 9
"How do I go about making a program safe? Which steps do I need to follow? Are there principles that I should adhere to?"
It's really all about small adjustments to make vulnerable pieces of the codebase bulletproof. Of course, some comprehensive lists of rules (known as the SEI CERT Coding Standard) for some popular languages are available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
+ 6
For C, it's about 534 pages. But I usually prefer to visit the site itself since it gets regularly updated.
+ 4
"Being good at that will probably pay dividends in the long run"
There's no doubt about it, but I'd say that it's not terribly necessary to try and become the security master if your time is tight. As you mentioned, the payoff would be "in the long run". For now, all you need to do is just implement what you have in mind and then adjust every module of your program according to the compliant solution.
+ 4
Absolutely, since you're about to start a serious project, it's easier and a time saver to make a checklist of some of the rule headings (based on their severity -- Risk Assessment Summary tables) on paper.
For example: for Rule 02. Expressions (EXP), EXP53-CPP. Do not read uninitialized memory, has the highest priority.
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046335
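An added example (not part of the original thread) of what a checklist entry such as EXP53-CPP looks like in a program like the one asked about: one line is read from the keyboard and appended to a text file, first in a form that reads uninitialized memory, then in a corrected form. The function names, the file name `notes.txt` and the 200-character limit are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

constexpr std::size_t kMaxLine = 200;   // assumed limit for one entry

// Violates EXP53-CPP (shown for contrast only, never called):
// getline() fills just part of buf, but the whole array is written,
// so leftover stack bytes land in the text file.
bool save_line_noncompliant(std::istream& in, std::ostream& out) {
    char buf[kMaxLine];                 // indeterminate contents
    in.getline(buf, sizeof buf);        // result ignored
    out.write(buf, sizeof buf);         // reads bytes getline() never set
    return static_cast<bool>(out);
}

// Corrected form: std::string is always initialized, the read is checked,
// and only the characters actually entered are written.
bool save_line(std::istream& in, std::ostream& out) {
    std::string line;
    if (!std::getline(in, line)) {
        return false;                   // EOF or stream error: write nothing
    }
    if (line.size() > kMaxLine) {
        return false;                   // reject over-long input
    }
    out << line << '\n';
    return static_cast<bool>(out);
}

// Helper used to exercise save_line() without a keyboard or a file.
std::string save_to_string(const std::string& typed, bool& ok) {
    std::istringstream in(typed);
    std::ostringstream out;
    ok = save_line(in, out);
    return out.str();
}

int main() {
    std::ofstream file("notes.txt", std::ios::app);  // hypothetical file name
    if (!file) {
        std::cerr << "cannot open notes.txt\n";
        return 1;
    }
    return save_line(std::cin, file) ? 0 : 1;
}
```

The same pattern (initialize, check the result of every read, write only what was actually read) carries over to the other rule headings that end up on such a checklist.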
+ 2
Wow, that's a lot ...
Being good at that will probably pay dividends in the long run. The idea, though, of first having to study a 'phone book' before being able to securely use my 150-line script, though... ^^'
+ 1
Hm, C++ Soldier (Babak), that sounds interesting.
It seems I'd have to order it; how much material is it, do you know?
+ 1
So there's a feasible way to pick what you need from that collection instead of reading and digesting all of it first?
+ 1
Okay, thank you, I'll look into that!