Reading Room

Securing Code

Featuring 23 Papers as of June 14, 2013

  • Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Erik Couture - June 14, 2013

    An ever-increasing number of high profile data breaches have plagued organizations over the past decade.

  • Which Disney© Princess are YOU? Joshua Brower - March 18, 2010

    Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires, be it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Secure Authentication on the Internet Roger Meyer - February 1, 2008

    This paper covers current Internet authentication mechanisms and possible attacks. It helps the reader to understand today's issues with authentication mechanisms. To understand the attack vectors, one has to know the current attack trends. Authentication systems can be classified according to their resistance against common attacks. Ten different authentication systems will be introduced and classified accordingly.

  • Software Engineering - Security as a Process in the SDLC Nithin Haridas - August 7, 2007

    Most application developers align to the Software Engineering Principles that follow through standardized SDLC phases, but never consider or have a disciplined process to address the factor called Security in any of the phases. Do authentication and authorization mechanisms (like Login and Password) on applications make them secure? Do these security considerations on a developed application help to address security in its entirety? Security attacks at the application layer have made organizations realize that security needs to be considered at the same priority as functionality. This paper explains how Security as a process can be incorporated or identified in the Software Engineering principles (SDLC phases) and how organizations can leverage considering Security as an effective process within the existing development framework.

  • How to Avoid Information Disclosure when Managing Windows with WMI Alex Timkov - July 17, 2007

    This paper provides an introduction to accessing Windows via WMI in a secure manner.

  • Threat Modeling: A Process To Ensure Application Security Steven Burns - October 5, 2005

    Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.

  • A Proactive Approach To Information Security Sandeep Gupta - July 24, 2004

    Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.

  • Defeating Overflow Attacks Jason Deckard - June 9, 2004

    Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.

  • A Security Checklist for Web Application Design Gail Bayse - May 2, 2004

    Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.

  • A Tour of TOCTTOUs Craig Lowery - October 31, 2003

    This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.

  • Insecurity of Inputs to CGI Program Suhairi Jawi - October 31, 2003

    This paper is to list some points that each web programmer has to consider while coding a web based application that interacts with user inputs through CGI as well as tools that can be used to test it.

  • The Security Challenges of Offshore Development Rob Ramer - October 31, 2003

    This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.

  • Improving Software Security During Development Robert Usher - October 31, 2003

    This paper will explore the basis for creating secure software and systems during development.

  • Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention Mark Donaldson - October 31, 2003

    The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".

  • Security Techniques for Mobile Code Nathan Macrides - October 31, 2003

    This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting user's system.

  • Securely Programming in C Sayed Ahmed - October 31, 2003

    This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions); topics such as overflows are relevant in Windows too.

  • Secure Software Development and Code Analysis Tools Thien La - October 31, 2003

    The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.

  • Designing Secure Solutions with .NET Bill Ferreira - October 31, 2003

    Writing secure code and knowing how the environment impacts security is important to designing secure software.

  • XML Web Services Security and Web based Application Security Chris Kwabi - October 31, 2003

    This paper provides high-level insights into how to create secure distributed, language neutral, platform independent web based applications using XML Web Services.

  • A Web Developer's Guide to Cross-Site Scripting Steven Cook - October 31, 2003

    This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.

  • Web Application Security - Layers of Protection William Fredholm - February 10, 2003

    This paper reviews some of the large number of resources available for creating secure Web applications.

  • The Intrinsic Hole In Information Security Douglas Gaer - August 15, 2002

    The lack of type safety in the C program creates a massive hole in information security.

  • SQL Injection: Modes of Attack, Defence, and Why It Matters Stuart McDonald - July 18, 2002

    A look at some of the methods available to a SQL injection attacker and how they are best defended against.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters: This paper was created by a SANS Technology Institute student as part of their Master's curriculum.