WebApp Sec mailing list archives
RE: Secure Coding? Bah!
From: Tim Greer <chatmaster () charter net>
Date: 23 Jan 2004 08:25:23 -0800
On Thu, 2004-01-22 at 22:55, Taco Fleur wrote:
Any application that depends on something that is not written by the developer itself, i.e. objects, dlls, the parsing engine cannot be 100% secure.
Yes, that can be true. However, I don't personally use other people's code when I make the claim that something can be 100% secure. After all, how could I, short of reviewing all the code in the component used, and ensure it's not changed and it suits the needs of the application without posing a risk. However, and I'm not saying it's a bad thing to use other libs / code, I'm not talking about that and guaranteeing other people's code.
I am assuming we are talking about application that are dynamic and not plain static HTML,
Well, with sanity checks and filtering and how you accept the input, with all the proper checks (the point of the discussion and secure coding), how you manage memory and so much more, dynamic applications aren't anymore of a risk than one with static output that had the output hardcoded. It all depends on the skills of the developer and if they really know what the application should do and how they control it.
therefore they always rely on something,
Well, that depends, but that can be true, as I said--it just depends on how you look at it. Is it a daemon you coded yourself, or does it use a web service. If so, what interface it uses and how safe that web server component or interface, as well as the protocol is. Sure. And, if a daemon, what about any issues with the kernel and so on. So, yes, it's possible, though the more you don't rely on other people / software, the more secure your application is and the more confident you can be about knowing it's safe (assuming you do know what you're doing well enough and have indeed covered all the risks).
the code can be good and secure, but is the parsing engine free of bugs and exploits, is the db secure, can the dll be exploited etc. etc.
Yes, and that all depends, so we can't assume that's a potential case for all applications, though (as I said myself and agree) it is common to affect even a secure application that was coded well. Hopefully most of these things you can deal with, but if there's an issue with a parsing engine, database, or you use (for example) functions from modules / libs that might not do proper checking or have bigger issues, it can indeed affect the code.
That's what I reckon anyway, if you see it differently, by all means let me know about it.
Assuming you don't rely on any components and you create and use only your own code, your application can indeed be secure. As I said myself, other factors can pose risks, and I'm not encouraging people to go reinvent the wheel for every application they create, but it also isn't impossible by any means. -- Tim Greer <chatmaster () charter net>
Current thread:
- Secure Coding? Bah! Mark Curphey (Jan 22)
- Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- RE: Secure Coding? Bah! Patrick Chavez (Jan 22)
- Re: Secure Coding? Bah! Juridian (Jan 23)
- Re: Secure Coding? Bah! Juridian (Jan 22)
- Re: Secure Coding? Bah! David Wall @ Yozons, Inc. (Jan 22)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- RE: Secure Coding? Bah! Tim Greer (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 23)
- RE: Secure Coding? Bah! Tim Greer (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- <Possible follow-ups>
- Re: Secure Coding? Bah! Chris Kirschke (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
- Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 22)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Mark Curphey (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 23)
- Re: Secure Coding? Bah! ONEILL David J (Jan 23)