SECURE DEVELOPMENT OF CODE
ACC 626 Term Paper
Salome Victor
20316185
July 7, 2013
AGENDA
Background
Introduction
Importance of Secure Development of Code
Key Coding Principles
Secure Code Analysis
Conclusion
WHAT IS YOUR MOST IMPORTANT ASSET?
THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such strong code, the company must develop with secure coding practices in mind.
WHAT IS SOFTWARE
Software is described as operating systems, application programs and data that are used by products containing microprocessors.
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (i.e. human-readable alphanumeric characters).
WHAT IS PROGRAMMING LANGUAGE
In order to write source code, a programming language must be selected from a large pool of available programming languages. A few common programming languages are JavaScript, Python, C, C++, Visual Basic and Perl.
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACY / CONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS – SQL INJECTION
Caused by building SQL statements by splicing untrusted input into the query text, so the input can change the structure of the query
Intruder can gain unauthorized access to the database
Intruder can read and modify data
Integrity, confidentiality and privacy compromised
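The following is an added example, not code from the original paper: it shows the vulnerable pattern (untrusted input spliced into the SQL text) beside the parameterized form, run against a constructed in-memory SQLite table. The table, the sample rows and the two payloads are assumptions made for the illustration. The first payload turns the WHERE clause into a tautology that returns every user; the second appends a UNION that reads the password_hash column the original query never exposed. Against the parameterized query both payloads are just a username that matches nobody.

```python
import sqlite3

# Constructed sample rows for this example (not data from the original page).
SAMPLE_USERS = [
    ("alice", "hash_a", 1),
    ("bob", "hash_b", 0),
    ("carol", "hash_c", 0),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Splices untrusted input into the SQL text: the input can change the query's structure."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameter binding: the value travels separately from the SQL text and is never parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads (constructed). The first makes the WHERE clause always true;
# the second appends a UNION that reads a column the original query never selected.
TAUTOLOGY = "' OR '1'='1"
UNION_EXFIL = "' UNION SELECT password_hash, 1 FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(db, TAUTOLOGY))   # all three users
    print("vulnerable, union    :", find_user_vulnerable(db, UNION_EXFIL)) # the password hashes
    print("safe, tautology      :", find_user_safe(db, TAUTOLOGY))         # []
    print("safe, legitimate     :", find_user_safe(db, "bob"))             # [('bob', 0)]
```

Note that the fix is not escaping quotes in the input but keeping data out of the SQL text altogether; escaping is easy to get wrong and is bypassed by encodings the escaper does not anticipate.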
COMMON CODING ERRORS – BUFFER OVERFLOW
Caused by writing more data into a fixed-size buffer than it can hold, overwriting the memory next to it
Attacker can crash the program
Attacker can inject their own code into the program
Availability, integrity, privacy and confidentiality compromised
COMMON CODING ERRORS – RACE CONDITIONS
Caused by a check and the action that depends on it not being atomic, so another thread, process or user can change the state in between
Attacker can insert malicious code and interfere with the normal execution of the program
Attacker can exhaust the computer's resources
Availability and confidentiality compromised
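An added example, not from the original paper, of the check-then-act race the slide describes: two withdrawals each check the balance, and both pass the check before either one subtracts, so an account holding 100 pays out 200. The account, the amounts and the use of a barrier to force the bad interleaving deterministically are assumptions for the demonstration; in production the window is just a scheduling accident, which is why the bug is intermittent and hard to reproduce. The safe version holds a lock across the check and the update so they cannot be separated.

```python
import threading


def withdraw_unsafe(account, amount, rendezvous):
    """Check-then-act with a window between the check and the act (time-of-check / time-of-use)."""
    if account["balance"] >= amount:          # time of check
        rendezvous.wait()                     # every thread gets past the check before any acts
        account["balance"] -= amount          # time of use: the check is now stale
        return True
    return False


def withdraw_safe(account, amount, lock):
    """Check and act under one lock, so no other thread can interleave between them."""
    with lock:
        if account["balance"] >= amount:
            account["balance"] -= amount
            return True
        return False


def run_concurrent(withdraw, account, amount, n_threads, sync):
    """Run n_threads concurrent withdrawals and return how many reported success."""
    results = []

    def worker():
        results.append(withdraw(account, amount, sync))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


def demo_unsafe(n_threads=2, balance=100, amount=100):
    """Returns (final balance, successes): every withdrawal succeeds and the balance goes negative."""
    account = {"balance": balance}
    barrier = threading.Barrier(n_threads)   # constructed: makes the lost-update interleaving deterministic
    successes = run_concurrent(withdraw_unsafe, account, amount, n_threads, barrier)
    return account["balance"], successes


def demo_safe(n_threads=2, balance=100, amount=100):
    """Returns (final balance, successes): only balance // amount withdrawals can succeed."""
    account = {"balance": balance}
    lock = threading.Lock()
    successes = run_concurrent(withdraw_safe, account, amount, n_threads, lock)
    return account["balance"], successes


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())   # (-100, 2)
    print("safe:  ", demo_safe())     # (0, 1)
```

The same shape appears outside threads: checking that a file is safe to open and then opening it by name, or checking a coupon is unused and then applying it, each with a window an attacker can race.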
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice Defense in Depth
KEY CODING PRINCIPLES – LEAST PRIVILEGE
"Need-to-know" principle
Access should be restricted to what the task requires
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility of attacks
KEY CODING PRINCIPLES – KEEP IT SIMPLE
Complex systems have more surface area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES – VALIDATING INPUT
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Validate against an allow-list of what is expected (format, length, range) rather than a block-list of known-bad values
Reduced risk of malicious data causing damage
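An added example of the allow-list approach, not code from the original paper. It validates three kinds of untrusted input a web form might deliver: a username against a strict character set and length, a money amount as a plain decimal integer inside a business range, and a user-supplied file path that must stay inside an upload directory. The patterns, the range limits and the base directory are assumptions chosen for the illustration; the path check assumes POSIX path syntax.

```python
import os
import re

# Allow-lists: state what is acceptable instead of enumerating what is dangerous.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # 3 to 32 chars, lowercase letter first
AMOUNT_RE = re.compile(r"[0-9]{1,9}")               # digits only: no sign, spaces, '_' or exponent


def validate_username(value):
    """Return the username if it matches the allow-list, else raise ValueError."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_amount(value, low=1, high=10_000):
    """Parse a money amount from untrusted text and enforce a business range (limits are assumed)."""
    if not isinstance(value, str) or not AMOUNT_RE.fullmatch(value):
        raise ValueError("amount must be a plain decimal integer")
    amount = int(value)          # int() alone would also accept ' 12 ', '+5' and '1_000'
    if not low <= amount <= high:
        raise ValueError(f"amount must be between {low} and {high}")
    return amount


def safe_join(base_dir, user_path):
    """Join a user-supplied path to base_dir, refusing anything that resolves outside it."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, user_path))   # normalises '..' segments lexically
    # commonpath compares whole components, so '/srv/app/uploads_evil' does not pass as a prefix
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the base directory")
    return target


def is_valid(validator, *args):
    """True if the validator accepts the input, False if it raises ValueError."""
    try:
        validator(*args)
        return True
    except ValueError:
        return False
```

The path check is the one people most often get wrong: string-prefix comparison accepts a sibling directory that merely starts with the same name, and checking the raw input for ".." misses an absolute path, which os.path.join simply returns unchanged.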
KEY CODING PRINCIPLES – DEFENSE IN DEPTH
A good system should have multiple layers of security
More layers of security means more trouble for an attacker
Helps mitigate insecure coding issues: a bug that slips through one layer is contained by the next
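An added example, not from the original paper, serving both the least privilege slide above and this one: the database connection used by the login-lookup code path is restricted to read-only access to the two columns that path needs, enforced by SQLite's authorizer hook. The table, the rows and the policy are assumptions for the illustration. The point of the example is what defense in depth actually buys: the injected tautology still enumerates users (this layer does not fix the injection), but the UNION that tries to read password hashes and the UPDATE that tries to grant admin are both refused, because the connection never had those rights to begin with.

```python
import sqlite3

# Constructed sample rows for this example (not data from the original page).
SAMPLE_USERS = [("alice", "hash_a", 1), ("bob", "hash_b", 0), ("carol", "hash_c", 0)]

# Need-to-know: the login-lookup path may read only these columns of users.
# password_hash is deliberately absent; "" covers table references that read no column.
ALLOWED_READS = {"users": {"username", "is_admin", ""}}


def lookup_authorizer(action, arg1, arg2, db_name, trigger):
    """Called by SQLite while compiling each statement; permits read-only access to the allow-list."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:            # arg1 = table name, arg2 = column name
        return sqlite3.SQLITE_OK if arg2 in ALLOWED_READS.get(arg1, ()) else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY                   # INSERT/UPDATE/DELETE, DDL, transactions: refused


def make_restricted_db():
    """Seed the database with full rights, then drop to the restricted policy for the lookup path."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.set_authorizer(lookup_authorizer)       # privileges dropped only after setup is complete
    return conn


def run(conn, sql):
    """Return ('ok', rows) or ('denied', message) for a statement run on the restricted connection."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


# The statements a string-concatenating lookup would build from attacker input (constructed).
TAUTOLOGY_SQL = "SELECT username, is_admin FROM users WHERE username = '' OR '1'='1'"
UNION_SQL = ("SELECT username, is_admin FROM users WHERE username = '' "
             "UNION SELECT password_hash, 1 FROM users --'")
ESCALATE_SQL = "UPDATE users SET is_admin = 1 WHERE username = 'bob'"

if __name__ == "__main__":
    db = make_restricted_db()
    print("legitimate:", run(db, "SELECT username, is_admin FROM users WHERE username = 'bob'"))
    print("tautology :", run(db, TAUTOLOGY_SQL))   # still 'ok': this layer limits impact, not entry
    print("union     :", run(db, UNION_SQL))       # denied: password_hash is not on the allow-list
    print("escalate  :", run(db, ESCALATE_SQL))    # denied: no write privilege on this connection
```

On a server database the equivalent is a dedicated account granted SELECT on a view that omits the sensitive columns, with the write-capable account used only by the code path that needs it. The "high clearance for a limited time" bullet maps to acquiring the privileged connection just for that operation and releasing it afterwards, rather than holding it for the life of the process.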
SECURE CODE ANALYSIS
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS – MANUAL CODE REVIEW
Software designers and programmers examine source code quality
Expensive, labor intensive and highly effective
More than 75% of faults are found through this method
SECURE CODE ANALYSIS – PENETRATION TESTING
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attack without the knowledge of most of the organization
Overt testing is effective for finding faults but ineffective at testing incident response and attack detection
Covert testing does test the organization's ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS – PENETRATION TESTING
White box testing gives the pseudo-attacker full access to the organization's structure and defenses
It is cost effective but less like real life
Black box testing gives the pseudo-attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS – STATIC ANALYSIS
Tools that examine the program without running it, usually working on the source code (binary static analysis works on the compiled executable instead)
Covers a wide scope, is not user-friendly, and produces many false positives that must be triaged by hand
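An added example, not from the original paper, of what a static analysis tool does and why it produces false positives: a small checker that walks the abstract syntax tree of Python source and flags every call to .execute() whose SQL argument is built at runtime rather than being a string literal. The code under analysis is constructed for the illustration. Lines 4 and 7 are real findings, line 10 is parameterized and passes, line 13 joins two literals and passes, and line 17 is a false positive: the query is a module constant and perfectly safe, but the checker cannot prove it without tracking assignments, which is exactly the kind of noise the slide refers to.

```python
import ast

# Constructed code under analysis for this example (not code from the original page).
SAMPLE_SOURCE = '''
import sqlite3
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup2(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup3(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup4(conn):
    return conn.execute("SELECT * FROM users" + " WHERE name = 'static'")

BASE_QUERY = "SELECT * FROM users"
def lookup5(conn):
    return conn.execute(BASE_QUERY)
'''

EXECUTE_METHODS = {"execute", "executemany", "executescript"}


def is_dynamic_string(node):
    """True unless the expression is provably a compile-time string literal."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_dynamic_string(node.left) or is_dynamic_string(node.right)
    return True   # f-strings, .format(), names, calls: anything else is treated as tainted


def find_dynamic_sql(source):
    """Report (line, message) for every .execute*() call whose SQL argument is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_METHODS and node.args
                and is_dynamic_string(node.args[0])):
            findings.append((node.lineno, f"SQL passed to .{node.func.attr}() is built at runtime"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {message}")   # lines 4, 7 and 17; 17 is a false positive
```

Real tools reduce the false-positive rate by tracking where a value came from (taint analysis) so a constant assigned two lines earlier is not reported, but the trade-off on the slide holds: the wider the net, the more of the results a reviewer has to discard by hand.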
SECURE CODE ANALYSIS – DYNAMIC ANALYSIS
Analyzes the program's behavior while it is running
Precise and valid results (an observed failure is real), but only for the inputs and code paths actually exercised
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
AGENDA
Background
Introduction
Importance of Secure Development of Code
Key Coding Principles
Secure Code Analysis
Conclusion
WHAT IS YOUR MOST IMPORTANT ASSET
THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such
strong code the company must
develop with secure coding
practices in mind
WHAT IS SOFTWARE
Software is described as operating systems application programs and
data that is used by products containing microprocessors
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
WHAT IS YOUR MOST IMPORTANT ASSET
THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such
strong code the company must
develop with secure coding
practices in mind
WHAT IS SOFTWARE
Software is described as operating systems application programs and
data that is used by products containing microprocessors
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such
strong code the company must
develop with secure coding
practices in mind
WHAT IS SOFTWARE
Software is described as operating systems application programs and
data that is used by products containing microprocessors
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
WHAT IS SOFTWARE
Software is described as operating systems application programs and
data that is used by products containing microprocessors
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
WHAT IS SOURCE CODE
Source code is defined as a version of software written by the developer in plain text (ie human readable alphanumeric characters)
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
WHAT IS PROGRAMMING LANGUAGE
In order to write source code a
programming language must be selected
from a large pool of available
programming languages A few common
programming languages are
JavaScript Python C C++ Visual
Basic and Perl
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
CODE ANALYSIS
KEY CODING PRINCIPLES
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACYCONFIDENTIALITY
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
ECONOMIC IMPACTS
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
COMMON CODING ERRORS
SQL Injection
Buffer Overflow
Race Conditions
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
KEY CODING PRINCIPLES – KEEP IT SIMPLE
Complex systems have more surface area for attack
Complexity creates errors
Complexity demands more resources to build, review and maintain
KEY CODING PRINCIPLES – VALIDATE INPUT
Input from external parties (users, network peers, files, other services) can be very dangerous: treat everything that crosses a trust boundary as untrusted
Every company should have a set of policies on handling input: validate against an allow-list of the expected type, format, length and range, and reject what does not match rather than trying to strip out bad characters
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES – DEFENSE IN DEPTH
A good system should have multiple independent layers of security
More layers of security means more trouble for an attacker: defeating one control (for example input validation) still leaves the others (parameterized queries, a least-privilege database account, monitoring) in place
Helps mitigate insecure coding issues, because no single coding mistake is enough to compromise the system
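Added example (not from the original deck) that puts the three principles above, least privilege, input validation and defense in depth, into one request handler: an account-lookup service that validates the identifier against an allow-list at the boundary, queries with bound parameters, and talks to the database over a read-only connection because it never needs to write. The schema, rows and attack strings are constructed; SQLite's `mode=ro` URI stands in for the least-privilege database account a real deployment would use.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Allow-list for the one input this service accepts: 1 to 9 ASCII digits.
ACCOUNT_ID = re.compile(r"[0-9]{1,9}")


def parse_account_id(raw):
    """Layer 1: validate at the trust boundary; reject rather than sanitize."""
    if not ACCOUNT_ID.fullmatch(raw):
        raise ValueError("account id must be 1-9 digits")
    value = int(raw)
    if value == 0:
        raise ValueError("account id must be positive")
    return value


def create_db(path):
    # Constructed schema and rows for the example (not from the slides).
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(1, "alice", 120), (2, "bob", 50)])
    conn.commit()
    conn.close()


def open_readonly(path):
    """Layer 3 (least privilege): the lookup service only ever reads, so it
    gets a connection on which the engine itself rejects every write."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_balance(conn, raw_id):
    account_id = parse_account_id(raw_id)                      # layer 1
    return conn.execute(                                       # layer 2
        "SELECT owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()


def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "bank.db")
    create_db(path)
    conn = open_readonly(path)
    results = {"legit": lookup_balance(conn, "2")}
    # Constructed attack strings: a tautology and a stacked statement.
    for payload in ("2 OR 1=1", "2; UPDATE accounts SET balance = 0"):
        try:
            lookup_balance(conn, payload)
            results[payload] = "accepted"
        except ValueError:
            results[payload] = "rejected by validation"
    # Suppose a later change reintroduced string-built SQL and validation was
    # bypassed: the connection still cannot modify data.
    try:
        conn.execute("UPDATE accounts SET balance = 0")
        results["write_on_readonly"] = "succeeded"
    except sqlite3.OperationalError:
        results["write_on_readonly"] = "blocked by read-only connection"
    conn.close()
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

Each layer fails independently of the others: the allow-list rejects both attack strings before any SQL is built, the bound parameter would keep a string that did get through from changing the query, and the read-only connection means that even code which does neither cannot alter the accounts table. That independence is what the slide means by layers giving an attacker more trouble.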
SECURE CODE ANALYSIS
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS – MANUAL CODE REVIEW
Software designers and programmers examine the source code for quality and security defects
Expensive, labor intensive and highly effective
More than 75% of faults are found through this method
SECURE CODE ANALYSIS – PENETRATION TESTING
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attack without the knowledge of most of the organization
Overt testing is effective for finding faults but ineffective at testing incident response and attack detection
Covert testing does test the organization's ability to respond to attacks but is very time consuming and costly
White box testing gives the pseudo-attacker full access to the organization's structure and defenses
It is cost effective but less like real life
Black box testing gives the pseudo-attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS – STATIC ANALYSIS
Tools that examine the program's code (source or compiled binary) without executing it
Covers a wide scope (every path in the code, including ones no test exercises), but the output is not user-friendly and contains many false positives that a person must triage
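Added example, not from the original slides, of what a static analyzer does and why it is noisy: a small checker built on Python's `ast` module that walks source code without running it and flags every `execute()`-style call whose SQL argument is built at runtime by concatenation, `%`-formatting, `.format()` or an f-string. The program it scans is constructed for the example; its last function concatenates a constant table name, which the checker cannot tell apart from untrusted data and so reports as a false positive.

```python
import ast

EXECUTE_METHODS = ("execute", "executemany", "executescript")


def how_built(expr):
    """Return a description if the expression builds a string at runtime."""
    if isinstance(expr, ast.JoinedStr):
        return "f-string"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
        return "string concatenation"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return "%-formatting"
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return ".format() call"
    return None


class SqlBuildFinder(ast.NodeVisitor):
    """Walks the syntax tree (no execution) and records every call to an
    execute-style method whose first argument is assembled at runtime."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_METHODS and node.args):
            reason = how_built(node.args[0])
            if reason:
                self.findings.append((node.lineno, reason))
        self.generic_visit(node)


def find_sql_string_building(source):
    finder = SqlBuildFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample program to scan (not from the slides). Line 3 is a real
# injection, line 6 is parameterised, line 10 concatenates a constant and is
# reported anyway: the checker sees the shape of the code, not its values.
SAMPLE_SOURCE = '''
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_id(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))

TABLE = "audit"
def count_rows(cur):
    cur.execute("SELECT count(*) FROM " + TABLE)
'''

if __name__ == "__main__":
    for line, reason in find_sql_string_building(SAMPLE_SOURCE):
        print(f"line {line}: SQL built by {reason}")
```

The checker reaches every `execute()` call in the file, including ones no test would ever run, which is the wide scope the slide credits static analysis with. Telling the line-10 report apart from the line-3 report needs data-flow tracking (where did the concatenated value come from?), and the more of that a tool does the fewer false positives it produces, at the cost of speed and complexity; a human review of each finding is still needed.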
SECURE CODE ANALYSIS – DYNAMIC ANALYSIS
Analyzes the program's behavior while it is running, driven by test inputs or fuzzing
Precise and valid results: a reported fault was actually observed
Caveat: only covers the paths the supplied inputs actually exercised
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
COMMON CODING ERRORS ndash SQL INJECTION
Intruder can gain unauthorized access to database
Intruder can read and modify data
Integrity confidentiality and privacy compromised
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
COMMON CODING ERRORS ndash BUFFER OVERFLOW
Attacker can crash the program
Attacker can inject his own code
into the program
Availability integrity privacy and
confidentiality compromised
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
COMMON CODING ERRORS ndash RACE CONDITIONS
Attacker can insert malicious code
and interfere with the normal
execution of the program
Attacker can exhaust the
computerrsquos resources
Availability and confidentiality
compromised
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
KEY CODING PRINCIPLES
Least Privilege
Keep it Simple
Validate Input
Practice defense in Depth
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
ldquoNeed-to knowrdquo principle
Access should be restricted
High clearance should be allowed only for a limited time
Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES ndash LEAST PRIVILEGE
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
Software designers and programmers examine source code quality
Expensive labor intensive and highly effective
More than 75 of faults are found through this method
SECURE CODE ANALYSIS ndash MANUAL CODE REVIEW
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attackwithout the knowledge of most of theorganization
Overt testing is effective for finding faults butineffective at testing incident response andattack detection
Covert testing does test the organizations ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-
attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS ndash PENETRATION TESTING
A tool meant for analyzing the
executable program rather than the
source code
Covers a wide scope not user-
friendly many false positives
SECURE CODE ANALYSIS ndash STATIC ANALYSIS
Analyzes the program behavior
while it is running
Precise and valid results
SECURE CODE ANALYSIS ndash DYNAMIC ANALYSIS
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
Complex systems have more surface
area for attack
Complexity creates errors
Complexity demands more resources
KEY CODING PRINCIPLES ndash KEEP IT SIMPLE
Input from external parties can be very dangerous
Every company should have a set of policies on handling input
Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES ndash VALIDATING INPUT
A good system should have multiple
layers of security
More layers of security means more
trouble for an attacker
Helps mitigate insecure coding issues
KEY CODING PRINCIPLES ndashDEFENSE IN DEPTH
Manual Code Review
Penetration Testing
Static Analysis
Dynamic Analysis
SECURE CODE ANALYSIS
SECURE CODE ANALYSIS – MANUAL CODE REVIEW
Software designers and programmers examine source code quality
Expensive, labor intensive and highly effective
More than 75% of faults are found through this method
SECURE CODE ANALYSIS – PENETRATION TESTING
Overt penetration testing has the pseudo-attacker working with the organization
Covert penetration testing is a simulated attack without the knowledge of most of the organization
Overt testing is effective for finding faults but ineffective at testing incident response and attack detection
Covert testing does test the organization's ability to respond to attacks but is very time consuming and costly
SECURE CODE ANALYSIS – PENETRATION TESTING
White box testing gives the pseudo-attacker full access to the organization's structure and defenses
It is cost effective and less like real life
Black box testing gives the pseudo-attacker little to no information
It simulates real life well but is very costly
SECURE CODE ANALYSIS – STATIC ANALYSIS
A tool meant for analyzing the executable program rather than the source code
Covers a wide scope, not user-friendly, many false positives
SECURE CODE ANALYSIS – DYNAMIC ANALYSIS
Analyzes the program behavior while it is running
Precise and valid results
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
CONCLUSION
Importance of source code and secure development
Common coding errors
Key coding principles
Secure code analysis
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes
REFERENCES FOR PICTURES
httpavi72livejournalcom3018html
httpwwwcartoonstockcomdirectoryiinvestor_confidence_giftsasp
httpchem-manufacturingcomprogram
httpwwwciscocomenUSdocsapp_ntwk_serviceswaaswaasv421configurationguideotherhtml
httpcomparebuscapecombrwriting-secure-code-second-edition-michael-howard-david-leblanc-0735617228htmlprecos
httpcyrilwangpixnetnetblogpost32220475-5BE68A80E8A193E58886E4BAAB5D-E794A8E4BA86E58F83E695B8E58C96E69FA5E8A9A2E5B0B1E58FAFE4BBA5E5B08D-sql-injecti
httpwwwdanmcinfohigh-availability
httpwwwdreamworldprojectinfouncategorizedtypes-of-computer-software
httpeasysolution4youblogspotca201305insall-turbocpp-onwindows8-fullscreenhtml
httpwwwehackingnewscomsearchlabelReverse20Engineering
httpsenwikipediaorgwikiFileVisualBasicLogogif
httpenwikipediaorgwikiOperation_Aurora
httpes123rfcomphoto_5980477_letras-del-teclado-de-la-computadora-alrededor-de-la-integridad-de-la-palabrahtml
httpevos4rdwordpresscomauthorevos4rdpage2
httpswwwfacebookcompenetretiontestingblogger
httpwwwflickrcomphotoshelloimchloe5620821061
httpwwwflickrcomphotossebastian_bergmann3991540987
httpgeniuscountrycomassets2011i-just-want-to-say-one-word-to-you-data
httpiappsoftscomamrutvahini-institute-of-management-and-business-administrationhtml
httpinfocenterarmcomhelpindexjsptopic=comarmdocdui0414ckRP_code_view_The_disassembly_viewhtml
httpwwwinformitcomstoresecure-coding-in-c-and-c-plus-plus-9780321335722
httpwwwinnovategycomhtmlstrategieworkshophtml
httpwwwisacaorgJournalPast-Issues2008Volume-3PagesJOnline-Role-Engineering-The-Cornerstone-of-RBAC1aspx
httpjavakenai-devcognisyncnetpubatoday20060817code-reviewshtml
httpwwwkinokuniyacojpfdsg-02-9780071626750
httplurkerfaqscomboards8-gamefaqs-contests60380480
httpmadchuckleblogspotca201004just-what-is-python-my-initial-thoughtshtml
httpwwwmaxitcomauportfolio-viewcustom-software-design-architecture-3
httpwwwmindfiresolutionscomperl-developmenthtm
httpwwwmyotherpcisacloudcompage=11
httpwwwphidgetscomdocsLanguage_-_CC++
httprebootblueprintcom7-healthy-no-fap-replacement-habits
httpwwwronpaulforumscomshowthreadphp331019-Supervoter-Bomb-envelope-design-need-input
httprusbasecomnewsauthoreditormorgan-stanley-predicts-e-commerce-growth-russia
httpwwwsecurecodingorg
httpwwwselectinternetcoukhtmlbackuphtml
httpseravofi2013javascript-the-winning-style
httpstaffustceducn~bjhuacoursessecurity2012labslab2indexhtml
httpsoftbukarusoftscreens-IDA-Prohtml
httpwwwsoftwaresecuritysolutionscomlayered-securityhtml
httpthwartedeffortsorg20061111race-conditions-with-ajax-and-php-sessions
httpturbotoddwordpresscom201303
httpwwwwebpronewscomwere-googlers-involved-in-chinese-cyber-attack-2010-01
httpxkcdcom327
httpzheronelitwordpresscomcategoryc-source-codes