Tuesday, November 14, 2006

8 Simple Rules For Developing More Secure Code

Michael Howard's piece in the online MSDN magazine is really good.

Writing secure code is one of those things that, I believe at least, very few FoxPro developers think of. In our quest for the ever extensible application framework and product tool set, the more flexible a solution the better it is.

For example, I created a feature in an application called Form Validation - basically it was custom business rules. It could be called at a variety of hooks and "someone", typically the developer or a power user, could write their own rules. Yes, we provided several templates but if there's one thing I've learned, it's that no template ever covers the real world properly. (ok, maybe not the most important thing I've learned, but it's still true).

Now some developers may be cringing right here, thinking "you let people write their own validation code". Well, yes - because this way, we can have a nice custom solution on each customer's end that is specific to their business needs. But back to security....

How secure is that approach? Where do you put your validation code? In a DBF table! Which means that if someone really wanted to screw up your system, and knew their way around a DBF file, they could do it. Here's a validation script: ERASE *.*

or better yet

Ouch! Now you could get hurt big time!

So you put in protection. Check for any strange calls, any code like ERASE or DELETE or ZAP and more.

Of course, the downside of this is that your protection may actually slow down the operation of the code. So do you disable this feature?

I don't have the perfect answer (does anyone ever?) but I do see a lot of FoxPro developers who turn a semi-blind eye to writing secure code. Sure, they put security into their application - but that is NOT the same thing.

Michael's article is a great way of just keeping things in mind as you write code.

1 comment:

Eric Selje said...

Has anyone on the Internet Explorer team at Microsoft read this post?