Wednesday, January 5, 2011

Three Common Coding Omissions

I have worked as part of a team going into client locations and performing software security assessments.  While analyzing the findings of these assessments I have seen a common set of coding omissions that, if implemented, would eliminate the majority of the vulnerabilities that were identified.  A brief description of each follows.

  1. Input Validation
    Data coming into an application from the outside is routinely trusted by developers.  The source of the data can be anything from data or configuration files to direct user input.  If the data is used directly from the input source, unexpected results can occur.  These include, but are not limited to, SQL Injection, Cross Site Scripting and Cross Site Request Forgery.  This situation can be avoided by validating the data before it is used.  The validation can be as simple as comparing the value to a set of known, valid values.  Validation could also use regular expressions to determine whether a value is valid.  This type of check can reject certain characters that are known to cause problems and that will never appear in any valid input value.  Including input validation whenever any type of input enters an application should become a developer's default habit.
  2. Error Handling
    Error handling has always been an area of discussion among developers.  A solid system for handling errors should be a part of any application's design.  All too often, though, this gets left out entirely or only has a loose implementation that does not account for all errors.  For web applications it is especially important to include custom error handling rather than allowing the default error handling to take place.  Default error handling usually discloses information about the application that the user has no business seeing.  For most users it will be meaningless, but for potential attackers it could be the very piece of the puzzle that allows them to perform a successful attack.  Information that is typically leaked includes database table and column names, SQL statements, program stack traces and other internal details.  Implementing a custom error handling system that discloses very little about the application itself will avoid such information leaks.
  3. Freeing Resources (Resource Allocation)
    Improper management of system resources is another area that often gets omitted.  Whether it is allocated memory or open file handles/descriptors, system resources should be given proper management.  When this need is ignored or mishandled it can lead to a denial of service, as system resources become unavailable and the server becomes unresponsive.  The developer should free a resource directly after it has been used successfully.  This is the “easy” part of resource management.  The part that is most often overlooked is the unexpected case where, due to an error condition, the program execution path takes a direction that leaves the resource allocated even though it will not be used again.  These situations should be addressed in the application so that every execution path results in the proper freeing of unused resources.
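The three habits above fit together in one small request handler. The following is an added example written for this post, not code from the original post or from Coveros; the function names (validate_username, handle_lookup, find_user), the in-memory users table and the simulated backend failure are all constructed for illustration. It allowlists a column name, regex-checks a free-form username, binds the username as a query parameter, closes the database connection on every path with try/finally, and returns only a generic message and a correlation reference to the client while the full stack trace goes to the server log.

```python
"""Constructed example: the three habits from the post in one small request
handler. Names (validate_username, handle_lookup, ...) and the users table
are assumptions for illustration, not code from the original post."""
import logging
import re
import sqlite3
import uuid

log = logging.getLogger(__name__)

# --- 1. Input validation ---------------------------------------------------
# Values that must be one of a few known choices are checked against an
# allowlist; free-form values are checked against a strict regular expression.
SORT_COLUMNS = frozenset({"username", "created"})      # known, valid values
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")         # quotes, ';', '<' never valid


class ValidationError(ValueError):
    """Raised for any input that fails validation."""


def validate_sort_column(value):
    if value not in SORT_COLUMNS:
        raise ValidationError("sort column not in allowlist")
    return value


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username has invalid length or characters")
    return value


# --- 3. Freeing resources --------------------------------------------------
_open_connections = 0   # bookkeeping so a caller can verify nothing leaks


def open_connection_count():
    return _open_connections


def open_db():
    """Constructed in-memory database standing in for a real backend."""
    global _open_connections
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', '2011-01-05')")
    _open_connections += 1
    return conn


def close_db(conn):
    global _open_connections
    conn.close()
    _open_connections -= 1


def find_user(username, sort_column, fail=False):
    """Look up a user; `fail` simulates a backend error on the unusual path."""
    conn = open_db()
    try:
        if fail:
            raise RuntimeError("simulated backend failure: table users")
        # sort_column was allowlisted, so interpolating it is safe; the
        # username is passed as a bound parameter, never interpolated.
        rows = conn.execute(
            f"SELECT username FROM users WHERE username = ? ORDER BY {sort_column}",
            (username,),
        ).fetchall()
        return [row[0] for row in rows]
    finally:
        close_db(conn)   # runs on the success path and on every error path


# --- 2. Error handling -----------------------------------------------------
def handle_lookup(params, fail=False):
    """Return (status, body). Detail goes to the server log, not the client."""
    try:
        username = validate_username(params.get("username", ""))
        sort_column = validate_sort_column(params.get("sort", "username"))
        return 200, {"users": find_user(username, sort_column, fail)}
    except ValidationError:
        return 400, {"error": "invalid request"}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("lookup failed, ref=%s", ref)   # stack trace stays server-side
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    print(handle_lookup({"username": "alice"}))
    print(handle_lookup({"username": "alice' OR 1=1 --"}))
    print(handle_lookup({"username": "alice"}, fail=True))
    print("open connections:", open_connection_count())
```

The column name is interpolated only after the allowlist check, because SQL placeholders cannot bind identifiers; the username, which is free-form, always travels as a bound parameter. The `ref` value in the 500 response lets support staff find the logged stack trace without exposing it to the client, and the connection counter stays at zero after the simulated failure, which is exactly the error-path cleanup the third point asks for.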
Of course there are other types of findings when performing the software security assessments but in my experience these three have stood out as being the most common.

Originally posted at: Coveros Blog

Friday, December 4, 2009

MahJongWall Ready for the iPhone!

My friend and former college roommate, Russell Wilson, has released an iPhone version of his popular shareware (and retail) computer game Mah Jongg Wall (retail version was Mah Jongg Magic). His website is http://rwdiversions.com/. Search for MahJongWall in the AppStore from your iPhone. Go check it out!

Monday, November 16, 2009

Mom Update #10

Mom finished her outpatient therapy last week. This completes the entire managed rehab. She is still doing well. She is walking without any assistance from a walker or a cane. Tomorrow (Tuesday November 17, 2009) will be eight weeks since the knee replacement surgery. Thanks again for the emails, cards, and letters that you've been sending her way. They have really encouraged her along this journey.

Tuesday, November 3, 2009

Mom Update #9

It's been almost a month since my last update so I thought I would catch you up on mom's progress.

Her rehab is going really well. She is going for outpatient therapy in Alabaster 3 times a week. She has the rest of this week and then three visits next week, and she will be done with the outpatient therapy. Rehab at that point will be up to her. She has continued to progress at a rate beyond the goals set by the surgeon and the therapist.

Thanks for the prayers, the cards, the gifts and the calls. It's really helped keep mom rolling through all of this. No set date yet for her going back home but she can see the light at the end of the tunnel now!

Thursday, October 8, 2009

Mom Update #8

Mom had her follow-up appointment with the surgeon today. She is bending her knee at 97 degrees, which is very good. He removed the staples from the incisions. He was a little concerned about how the incision looked and he gave Mom another round of antibiotics to fight away any infection that might be there. Her therapy continues to go really well. She will have in-home therapy for at least another week, we believe.

Thursday, October 1, 2009

Mom Update #7

Mom is still making good progress. She will be discharged from the rehab facility this Friday and will then move to our home. Home health care will begin to send out a therapist at that point to continue her physical therapy. Thanks for the cards that have come in. She really has enjoyed them.

Tuesday, September 29, 2009

Mom Update #6

On Monday, Mom had several hours of very intense therapy but she didn't miss a beat. She did everything they asked her to. She is bending her leg to 93 degrees now. Outstanding!!! Of course there is plenty of pain that goes along with this rehab. She's making it look easy but I know she is enduring great pain. At this rate she will be doing cartwheels in no time.