8 Simple Rules For Developing More Secure Code

Michael Howard's piece in the online MSDN magazine is really good.

Writing secure code is one of those things that, I believe at least, very few FoxPro developers think of. In our quest for the ever-extensible application framework and product tool set, the more flexible a solution is, the better.

For example, I created a feature in an application called Form Validation - basically it was custom business rules. It could be called at a variety of hooks and "someone", typically the developer or a power user, could write their own rules. Yes, we provided several templates but if there's one thing I've learned, it's that no template ever covers the real world properly. (ok, maybe not the most important thing I've learned, but it's still true).

Now some developers may be cringing right here, thinking "you let people write their own validation code". Well, yes - because this way, we can have a nice custom solution on each customer's end that is specific to their business needs. But back to security....

How secure is that approach? Where do you put your validation code? In a DBF table! Which means that if someone really wanted to screw up your system, and knew their way around a DBF file, they could do it. Here's a validation script:

ERASE *.*

or better yet:

DELETE FROM CUSTOMERS

Ouch! Now you could get hurt big time!

So you put in protection. Check for any strange calls, any code like ERASE or DELETE or ZAP and more.

Of course, the downside of this is that your protection may actually slow down the operation of the code. So do you disable this feature?
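As an added example (not code from the original post), here is the kind of check the post describes, written for Visual FoxPro: an allow-list scan of a rule before it is saved, which also answers the slowdown worry because the check runs once at save time rather than on every hook. The table name validation, the memo field script, the function names and the keyword list are assumptions; extend the keyword list to whatever your rule language actually needs.

```foxpro
* Added example, not code from the original post. Assumes the rules live
* in a table "validation" with a memo field "script" and that the app runs
* them with EXECSCRIPT(); function names and keyword lists are hypothetical.

* Allow-list approach: accept only statements that begin with a keyword the
* rule language needs, and refuse anything that could smuggle a command in
* through an expression (EXECSCRIPT(), &macro substitution, DO <program>).
FUNCTION RuleIsAllowed(tcScript)
    LOCAL laLines[1], lnCount, lnI, lcLine, lcFirst, lcSecond
    lnCount = ALINES(laLines, tcScript)
    FOR lnI = 1 TO lnCount
        lcLine = ALLTRIM(laLines[lnI])
        IF "&&" $ lcLine    && drop a trailing comment before checking
            lcLine = ALLTRIM(LEFT(lcLine, AT("&&", lcLine) - 1))
        ENDIF
        IF EMPTY(lcLine) OR LEFT(lcLine, 1) == "*"
            LOOP    && blank line or full-line comment
        ENDIF
        * Extend this check with any other function the app exposes that can run code.
        IF ATC("EXECSCRIPT", lcLine) > 0 OR "&" $ lcLine
            RETURN .F.
        ENDIF
        lcFirst  = UPPER(GETWORDNUM(lcLine, 1))
        lcSecond = UPPER(GETWORDNUM(lcLine, 2))
        IF NOT INLIST(lcFirst, "IF", "ELSE", "ENDIF", "DO", "CASE", ;
                      "OTHERWISE", "ENDCASE", "ENDDO", "RETURN", "LOCAL")
            RETURN .F.
        ENDIF
        * DO is only allowed as DO CASE / DO WHILE, never DO <program>.
        IF lcFirst == "DO" AND NOT INLIST(lcSecond, "CASE", "WHILE")
            RETURN .F.
        ENDIF
    ENDFOR
    RETURN .T.
ENDFUNC

* Check once, when the rule is saved, rather than on every validation hook,
* so the protection costs nothing at run time.
FUNCTION SaveRule(tcScript)
    IF NOT RuleIsAllowed(tcScript)
        RETURN .F.    && caller tells the user the rule was rejected
    ENDIF
    INSERT INTO validation (script) VALUES (tcScript)
    RETURN .T.
ENDFUNC
```

A first-word allow-list like this is a gate, not a sandbox: the rules still run with the application's full privileges, so the DBF itself still needs to be protected from direct edits.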

I don't have the perfect answer (does anyone ever?) but I do see a lot of FoxPro developers who turn a semi-blind eye to writing secure code. Sure, they put security into their application - but that is NOT the same thing.

Michael's article is a great way of just keeping things in mind as you write code.
