
Reading Room


Securing Code

Featuring 33 Papers as of April 16, 2021

  • Risk Management with Automated Feature Analysis of Software Components Graduate Student Research
    by Steven Launius - August 27, 2020 

    Organizations developing software need pragmatic risk management practices to prevent malicious code from contaminating their software. Traditional security tools for Static Code Analysis identify vulnerabilities, not the presence of backdoors exhibiting unintended actions. Application Inspector is a Microsoft tool released to the open source community that identifies risky features and characteristics of source code libraries. This research will evaluate the accuracy of feature detection in the Application Inspector tool and construct a risk model for automating decisions based on feature analysis of source code.

  • Defending Infrastructure as Code in GitHub Enterprise Graduate Student Research
    by Dane Stuckey - January 21, 2020 

    As infrastructure workloads have changed, cloud workflows have been adopted, and elastic provisioning and de-provisioning have become standard, manual processes. As a result, semi-automated infrastructure management workflows have proven insufficient. One of the most widely implemented solutions to these problems has been the adoption of declarative infrastructure as code, a philosophy and set of tools which use machine-readable files that declare the desired state of infrastructure. Unfortunately, infrastructure as code has introduced new attack surfaces and techniques that traditional network defense controls may not adequately cover or account for. This paper examines a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.

  • Changing the DevOps Culture One Security Scan at a Time Graduate Student Research
    by Jon-Michael Lacek - August 28, 2019 

    Information Security has always been considered a roadblock when it comes to project management and execution. This mentality is even further solidified when discussing Information Security from a DevOps perspective. A fundamental principle of a DevOps lifecycle is a development and operations approach to delivering a product that supports automation and continuous delivery. When an Information Technology (IT) Security team has to manually obtain the application code and scan it for vulnerabilities each time a DevOps team wants to perform a release, the goals of DevOps can be significantly impacted. This frequently leads to IT Security teams and their tools being left out of the release management lifecycle. The research presented in this paper will demonstrate that available pipeline plugins do not introduce significant delays into the release process and are able to identify all of the vulnerabilities detected by traditional application scanning tools. The art of DevOps is driving organizations to produce and release code at speeds faster than ever before, which means that IT Security teams need to figure out a way to insert themselves into this practice.

  • Finding Secrets in Source Code the DevOps Way Graduate Student Research
    by Phillip Marlow - June 5, 2019 

    Secrets, such as private keys or API tokens, are regularly leaked by developers in source code repositories. In 2016, researchers found over 1500 Slack API tokens in public GitHub repositories belonging to major companies (Detectify Labs, 2016). Moreover, a single leak can lead to widespread effects in dependent projects (JS Foundation, 2018) or direct monetary costs (Mogull, 2014). Existing tools for detecting these leaks are designed for either prevention or detection during full penetration-test-style scans. This paper presents a way to reduce detection time by integrating incremental secrets scanning into a continuous integration pipeline.

  • Content Security Policy in Practice by Varghese Palathuruthil - July 6, 2018 

    The implementation of Content Security Policy to leverage web browser capability in protecting a web application from cross-site scripting attack has been a challenge for many legacy web applications. Typical web applications maintained over the years accumulate a number of web pages that do not follow a consistent design. There are no widely available tools to quickly transform legacy web pages to adopt Content Security Policy. The results of this research cover the outcome of implementing a set of tools to address this need.

  • Increase the Value of Static Analysis by Enhancing its Rule Set Graduate Student Research
    by Michael Matthee - January 29, 2018 

    Static analysis tool vendors are debating whether to allow their customers a rule-set tailored to their environment. There is no empirical evidence to support each argument or counter-argument. Veracode does not accept custom rules and argues that lock-down is in their customers' best interest. Checkmarx enables their customers to customize a rule-set under very special license agreements, while open-source tools such as SonarQube allow for complete customization. Putting vendor concerns and priorities aside, should the enterprise add a tailored rule-set by adding rules that enforce its secure coding standards too? More importantly, does a tailored rule-set increase the value of static code analysis to the business? In this study, four different static analysis tools (Veracode, IBM AppScan, Burp Proxy Scanner and SonarQube) scan a JavaScript application. After showing the limitations of the default rule-set for each scanner, the research study adds rules that cover the distinct design and coding standards of the sample application. It is not possible to add a custom rule-set to every scanner. For that reason, the experiment adds the tailored rule-set to the SonarQube platform and combines the results of the two scanning tools: the one tool enforces security standards while the other finds common flaws in the code. While prior research shows that combining the strengths of multiple code analysis tools delivers better results in general, this research study proves that a tailored rule-set improves the outcome even more. The research undertaking recommends practical steps to increase the coverage of automated static analysis and maximize its value to the enterprise.

  • The Role of Static Analysis in Hardening Open Source Intrusion Detection Systems Graduate Student Research
    by Jeff Sass - March 29, 2016 

    Intrusion analysts use the principles of network security monitoring (NSM) to help secure computer systems.

  • Agile defensive perimeters: forming the security test regression pack Graduate Student Research
    by Michael Hendrik Matthee - November 20, 2014 

    A common approach is that software delivery is realized through a set of sequential deliverables in a phased and systematic manner. The software process model of the IEEE attempts to bring order to the delivery process by identifying a set of universal artefacts and activities in software construction (Gustafson, Melton, Chen, Baker, & Bieman, 1988).

  • Survey on Application Security Programs and Practices Analyst Paper (requires membership in community)
    by Jim Bird, Frank Kim - February 12, 2014 

    Survey shows application security programs on the rise but skills are lacking.

  • Application Security: Tools for Getting Management Support and Funding Analyst Paper (requires membership in community)
    by John Pescatore - October 4, 2013 

    This paper provides tools and techniques that demonstrate the need for better application security and the appropriate level of investment.

  • Web Application Injection Vulnerabilities: A Web App's Security Nemesis? by Erik Couture - June 14, 2013 

    An ever-increasing number of high profile data breaches have plagued organizations over the past decade.

  • Which Disney© Princess are YOU? by Joshua Brower - March 18, 2010 

    Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires, be it a knock on the door to answer a survey for a "census" worker, or a "harmless" quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Secure Authentication on the Internet by Roger Meyer - February 1, 2008 

    This paper covers current Internet authentication mechanisms and possible attacks. It helps the reader to understand today's issues with authentication mechanisms. To understand the attack vectors, one has to know the current attack trends. Authentication systems can be classified according to their resistance against common attacks. Ten different authentication systems will be introduced and classified accordingly.

  • Software Engineering - Security as a Process in the SDLC by Nithin Haridas - August 7, 2007 

    Most application developers align to the Software Engineering Principles that follow through standardized SDLC phases, but never consider or have a disciplined process to address the factor called Security in any of the phases. Do authentication and authorization mechanisms (like Login and Password) on applications make them secure? Do these security considerations on a developed application help to address security in its entirety? Security attacks at the application layer have made organizations realize the fact that security needs to be considered at the same priority as functionality. This paper explains how Security as a process can be incorporated or identified in the Software Engineering principles (SDLC phases) and how organizations can leverage considering Security as an effective process within the existing development framework.

  • How to Avoid Information Disclosure when Managing Windows with WMI by Alex Timkov - July 17, 2007 

    This paper provides an introduction to accessing Windows via WMI in a secure manner.

  • Threat Modeling: A Process To Ensure Application Security by Steven Burns - October 5, 2005 

    Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.

  • A Proactive Approach To Information Security by Sandeep Gupta - July 24, 2004 

    Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.

  • Defeating Overflow Attacks by Jason Deckard - June 9, 2004 

    Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.

  • A Security Checklist for Web Application Design by Gail Bayse - May 2, 2004 

    Web applications are very enticing to corporations. They provide quick access to corporate resources and user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons, web applications can be a serious security risk to the corporation.

  • XML Web Services Security and Web based Application Security by Chris Kwabi - September 9, 2003 

    This paper provides high-level insights into how to create secure distributed, language neutral, platform independent web based applications using XML Web Services.

  • A Tour of TOCTTOUs by Craig Lowery - May 23, 2003 

    This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.

  • A Web Developer's Guide to Cross-Site Scripting by Steven Cook - February 11, 2003 

    This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.

  • Web Application Security - Layers of Protection by William Fredholm - February 10, 2003 

    This paper reviews some of the large number of resources available for creating secure Web applications.

  • Designing Secure Solutions with .NET by Bill Ferreira - November 11, 2002 

    Writing secure code and knowing how the environment impacts security is important to designing secure software.

  • Secure Software Development and Code Analysis Tools by Thien La - September 30, 2002 

    The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.

  • Securely Programming in C by Sayed Ahmed - September 24, 2002 

    This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions); topics such as overflows are relevant in Windows too.

  • The Intrinsic Hole In Information Security by Douglas Gaer - August 15, 2002 

    The lack of type safety in the C programming language creates a massive hole in information security.

  • SQL Injection: Modes of Attack, Defence, and Why It Matters by Stuart McDonald - July 18, 2002 

    A look at some of the methods available to a SQL injection attacker and how they are best defended against.

  • Security Techniques for Mobile Code by Nathan Macrides - July 11, 2002 

    This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting user's system.

  • Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention by Mark Donaldson - April 3, 2002 

    The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".

  • Improving Software Security During Development by Robert Usher - March 26, 2002 

    This paper will explore the basis for creating secure software and systems during development.

  • The Security Challenges of Offshore Development by Rob Ramer - September 26, 2001 

    This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.

  • Insecurity of Inputs to CGI Programs by Suhairi Jawi - September 19, 2001 

    This paper lists some points that each web programmer has to consider while coding a web-based application that interacts with user inputs through CGI, as well as tools that can be used to test it.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.