I see a lot of faults due to the programmer failing to validate user data (or other data).
Failing to validate user data is a huge problem. It’s the root cause of:
And part of Improper File Access, too.
Developers need to design software with the realization that some of their users will be evil, and design accordingly. You can’t trust user input, ever.
Interesting article from Schneier that touches on the usability issues of security:
Of course, it’s more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.
Via Ned Batchelder:
The security announcement site XSSed has an archive of identified XSS vunerabilities, ordered by the traffic the page receives: TOP Pagerank List. The listings include an iframe demonstrating the vulnerability. Very slick. It’s sobering to see how many high-profile sites have problems like this.
SANS identifies the three programming errors most frequently responsible for critical security vulnerabilities:
http://www.sans-ssi.org/top_three.pdf
Accepting input from users without validating and sanitizing the input
Allowing data placed in buffers to exceed the buffer
Handling integers incorrectly
I’m a network and firewall administrator and here’s my complains about application people.
Application people either support a finished software or involved on its development. Whichever, they should understand the importance of security which start from the software development and know their products.
A security problem within the framework immediately affects all software using it (class break).
Sounds like someone needs to re-read Ken Thompson’s “Reflections on Trusting Trust” (http://www.acm.org/classics/sep95/) - C/C++ are in absolutely no sense of the phrase immune to the same class breaks you point out as an Achilles’ Heel when using Java/.Net.
To me, it’s a pretty silly reason to avoid managed frameworks - you’re trading up from a hypothetical risk to a real one while trying to do some mental gymnastics to convince yourself that you’re safer (because you’ve got C Wizards working on it instead of C# Flunkies, maybe?).
Security’s tough and made tougher by the fact that applications sometimes aren’t built with security in mind. You don’t need to subscribe to Bugtraq but bolting security on after the fact sure feels like it’s an order of magnitude more difficult than designing it in to the initial product.
Any insecurities in the OS itself that would affect a C/C++ program will also affect a C# program, plus you have the additional “leaky abstraction” of the .NET Framework.
And as Thompson’s ACM article points out, a compiler’s a leaky abstraction too. I still fail to see how you’re introducing a new class of potential breaks with a managed framework. A security flaw could be discovered in the Java compiler or in gcc or in the Java framework or in static libraries you’re linking against.
It just sucks a bit harder when there’s a .Net security patch because they’re wont to be way bigger files than an updated compiler.
I actually picked this book up a couple months ago for some light night reading. It is really nice the way that they breakdown the Sins.