SANS InfoSec Reading Room - Securing Code

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 23 papers as of Jun 20, 2013
PDF Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
By: Erik Couture (posted on June 14, 2013)
An ever-increasing number of high profile data breaches have plagued organizations over the past decade.
PDF Which Disney© Princess are YOU?
By: Joshua Brower (posted on March 18, 2010)
Social engineering takes many forms: some obvious, some not so obvious. One not so obvious form is that of questionnaires, be it a knock on the door to answer a survey for a "census" worker, or a "harmless" quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
PDF Secure Authentication on the Internet
By: Roger Meyer (posted on February 1, 2008)
PDF Software Engineering - Security as a Process in the SDLC
By: Nithin Haridas (posted on August 7, 2007)
PDF How to Avoid Information Disclosure when Managing Windows with WMI
By: Alex Timkov (posted on July 17, 2007)
This paper provides an introduction to accessing Windows via WMI in a secure manner.
PDF Threat Modeling: A Process To Ensure Application Security
By: Steven Burns (posted on October 5, 2005)
Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.
PDF A Proactive Approach To Information Security
By: Sandeep Gupta (posted on July 24, 2004)
Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.
PDF Defeating Overflow Attacks
By: Jason Deckard (posted on June 9, 2004)
Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.
PDF A Security Checklist for Web Application Design
By: Gail Bayse (posted on May 2, 2004)
Web applications are very enticing to corporations. They provide quick access to corporate resources and user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons, web applications can be a serious security risk to the corporation.
PDF A Tour of TOCTTOUs
By: Craig Lowery (posted on October 31, 2003)
This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.
PDF Insecurity of Inputs to CGI Program
By: Suhairi Mohd Jawi (posted on October 31, 2003)
This paper lists some points that each web programmer has to consider while coding a web-based application that interacts with user inputs through CGI, as well as tools that can be used to test it.
PDF The Security Challenges of Offshore Development
By: Rob Ramer (posted on October 31, 2003)
This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.
PDF Improving Software Security During Development
By: Robert W. Usher (posted on October 31, 2003)
This paper will explore the basis for creating secure software and systems during development.
PDF Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention
By: Mark E. Donaldson (posted on October 31, 2003)
The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".
PDF Security Techniques for Mobile Code
By: Nathan Macrides (posted on October 31, 2003)
This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting user's system.
PDF Securely Programming in C
By: Sayed Jamil Ahmed (posted on October 31, 2003)
This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions); topics such as overflows are relevant in Windows too.
PDF Secure Software Development and Code Analysis Tools
By: Thien La (posted on October 31, 2003)
The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.
PDF Designing Secure Solutions with .NET
By: Bill Ferreira (posted on October 31, 2003)
Writing secure code and knowing how the environment impacts security is important to designing secure software.
PDF XML Web Services Security and Web based Application Security
By: Chris Kwabi (posted on October 31, 2003)
This paper provides high-level insights into how to create secure distributed, language-neutral, platform-independent, web-based applications using XML Web Services.
PDF A Web Developer's Guide to Cross-Site Scripting
By: Steven Cook (posted on October 31, 2003)
This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.
PDF Web Application Security - Layers of Protection
By: William Fredholm (posted on February 10, 2003)
This paper reviews some of the large number of resources available for creating secure Web applications.
PDF The Intrinsic Hole In Information Security
By: Douglas Gaer (posted on August 15, 2002)
The lack of type safety in the C programming language creates a massive hole in information security.
PDF SQL Injection: Modes of Attack, Defence, and Why It Matters
By: Stuart McDonald (posted on July 18, 2002)
A look at some of the methods available to a SQL injection attacker and how they are best defended against.