SANS InfoSec Reading Room - Securing Code
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 21 papers as of Nov 21, 2009
Secure Authentication on the Internet
- By: Roger Meyer (posted on February 1, 2008)
Software Engineering – Security as a Process in the SDLC
- By: Nithin Haridas (posted on August 7, 2007)
How to Avoid Information Disclosure when Managing Windows with WMI
- By: Alex Timkov (posted on July 17, 2007)
This paper provides an introduction to accessing Windows via WMI in a secure manner.
Threat Modeling: A Process To Ensure Application Security
- By: Steven Burns (posted on October 5, 2005)
Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.
A Proactive Approach To Information Security
- By: Sandeep Gupta (posted on July 24, 2004)
Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.
Defeating Overflow Attacks
- By: Jason Deckard (posted on June 9, 2004)
Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.
A Security Checklist for Web Application Design
- By: Gail Bayse (posted on May 2, 2004)
Web applications are very enticing to corporations. They provide quick access to corporate resources, user-friendly interfaces, and effortless deployment to remote users. For the very same reasons, web applications can be a serious security risk to the corporation.
A Tour of TOCTTOUs
- By: Craig Lowery (posted on October 31, 2003)
This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.
Insecurity of Inputs to CGI Program
- By: Suhairi Mohd Jawi (posted on October 31, 2003)
This paper lists some points that each web programmer has to consider while coding a web-based application that interacts with user inputs through CGI, as well as tools that can be used to test it.
The Security Challenges of Offshore Development
- By: Rob Ramer (posted on October 31, 2003)
This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.
Improving Software Security During Development
- By: Robert W. Usher (posted on October 31, 2003)
This paper will explore the basis for creating secure software and systems during development.
Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention
- By: Mark E. Donaldson (posted on October 31, 2003)
The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".
Security Techniques for Mobile Code
- By: Nathan Macrides (posted on October 31, 2003)
This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting user's system.
Securely Programming in C
- By: Sayed Jamil Ahmed (posted on October 31, 2003)
This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions); topics such as overflows are relevant in Windows too.
Secure Software Development and Code Analysis Tools
- By: Thien La (posted on October 31, 2003)
The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.
Designing Secure Solutions with .NET
- By: Bill Ferreira (posted on October 31, 2003)
Writing secure code and knowing how the environment impacts security is important to designing secure software.
XML Web Services Security and Web based Application Security
- By: Chris Kwabi (posted on October 31, 2003)
This paper provides high-level insights into how to create secure distributed, language neutral, platform independent web based applications using XML Web Services.
A Web Developer's Guide to Cross-Site Scripting
- By: Steven Cook (posted on October 31, 2003)
This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.
Web Application Security - Layers of Protection
- By: William Fredholm (posted on February 10, 2003)
This paper reviews some of the large number of resources available for creating secure Web applications.
The Intrinsic Hole In Information Security
- By: Douglas Gaer (posted on August 15, 2002)
The lack of type safety in the C programming language creates a massive hole in information security.
SQL Injection: Modes of Attack, Defence, and Why It Matters
- By: Stuart McDonald (posted on July 18, 2002)
A look at some of the methods available to a SQL injection attacker and how they are best defended against.