Wednesday, 16 February 2011

Paranoid Security Tips

Well, the built-in password boxes in application development of any kind reveal the password length, so they should be avoided. It is really a security vs. usability issue; thanks to something I don’t know, we are not that paranoid and we favor usability on this one!

Monday, 14 February 2011

Episode.00 Be careful what you assume..

Assumptions is one of the main sections when writing a Security Target for a product in a Common Criteria evaluation; a life-saving section indeed, since otherwise none of the products would be certified, because you, the developer (yes, I am not), cannot control every single detail in a product’s running environment. This is when assumptions come in handy: make the assumption, and get rid of handling the error, exception, threat or whatever else you are trying to handle. Moreover, if you literally assume that everything is going to be all right, that’s it! You don’t have to implement any more functions to make your product more secure, since everything is “literally” under control!
Unfortunately that is generally not what happens in real life, where there is always an Eve trying to harm either Alice or Bob or even both. In reality, whether we are 100% aware of it or not, assumptions take a large place in the development environment, from “user inputs 6-digit password” to “unsigned int would be more than enough”, all of which assume that the real audience of the product will behave with good manners!
Taking control of everything (possible) would be much more comforting than assuming something is (never) going to happen. Because it will; sooner or later someone, malicious or not, will find a way to abuse the product, and the consequences could be devastating compared to the cost of actually controlling the case in the first place.
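The two assumptions quoted above, turned into explicit checks. This is an added example, not code from the original post; the function names `read_pin` and `total_bytes` and the sample inputs are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PIN_LEN 6  /* the "6-digit password" from the text */

/* Assumption "user inputs 6-digit password" turned into a check.
 * buf need not be NUL-terminated; n is the number of bytes received.
 * Returns true and fills pin[PIN_LEN + 1] only for exactly six ASCII digits. */
bool read_pin(const char *buf, size_t n, char pin[PIN_LEN + 1])
{
    if (buf == NULL || pin == NULL || n != PIN_LEN)
        return false;                       /* too short, too long, or missing */
    for (size_t i = 0; i < PIN_LEN; i++)
        if (!isdigit((unsigned char)buf[i]))
            return false;                   /* letters, signs, control bytes, NULs */
    memcpy(pin, buf, PIN_LEN);
    pin[PIN_LEN] = '\0';
    return true;
}

/* Assumption "unsigned int would be more than enough" turned into a check.
 * Computes count * size + extra, refusing instead of silently wrapping. */
bool total_bytes(unsigned int count, unsigned int size,
                 unsigned int extra, unsigned int *out)
{
    if (size != 0 && count > UINT_MAX / size)
        return false;                       /* multiplication would wrap */
    unsigned int product = count * size;
    if (product > UINT_MAX - extra)
        return false;                       /* addition would wrap */
    *out = product + extra;
    return true;
}

int main(void)
{
    char pin[PIN_LEN + 1];
    unsigned int total;
    /* Constructed inputs: one well-behaved, the rest what "Eve" might send. */
    bool ok = read_pin("123456", 6, pin)
           && !read_pin("1234567", 7, pin)
           && !read_pin("12a456", 6, pin)
           && total_bytes(1000u, 16u, 8u, &total) && total == 16008u
           && !total_bytes(UINT_MAX, 2u, 0u, &total);
    return ok ? 0 : 1;
}
```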
Long story short, the aim of this post, as it will be for many of its successors, is to stress this: do not make any assumptions if you can take things under control. “Beware of assumptions! Whatever you assume to be possible or impossible will have a tendency to become real for you!”
--
This post is supposed to be the pilot of a new-old series called “Secure Coding Strikes Back!”, aired here every week, with the season premiere “Who smashed my stack?” coming up next!