Questions tagged [secure-coding]

15 questions
15 votes, 0 answers

Is there a reasonable way for a TypeScript class to derive from a Dojo/Dijit class?

DefinitelyTyped has a Dojo solution which uses named modules and may work with legacy Dojo and explicit typing. But these declarations do not facilitate TypeScript import, since there are no anonymous modules. It seems to be a more exhaustive and…
asked by Corey Alix
6 votes, 3 answers

Login on every page requires SSL on all pages

Our website has a login form that shows up in the header on every page on the website. This is what my boss wants; however, we need to get PCI compliant, and it says any sensitive form (login/password) requires SSL. So does that mean the entire website…
asked by Danny
5 votes, 3 answers

Examining source code for maliciousness and security vulnerabilities

What are some techniques in determining if a particular piece of source code is malicious or vulnerable to malicious attack? I am currently using cppcheck and I am waiting on an install of Rational AppSource. Aside from that and reviewing the…
asked by Engineer2021
5 votes, 1 answer

Are there widely-accepted guidelines to write safe C? How do people learn that?

C often seems to be taught in terms of contracted examples without much regard to code safety, such as buffer overflows etc. I have often wondered if there are proven, totally safe ways of writing C code, because I have seldom encountered C written…
asked by Felix Dombek
5 votes, 2 answers

Web application development security best practices

I am looking for the current, state-of-the-art coding standards for web development (mostly PHP). Since I do not want to reinvent the wheel, I would like to reuse libraries written by people much cleverer than I am. I know about OWASP, which is a…
asked by WoJ
5 votes, 4 answers

Are there languages that make it easier to understand secure coding principles?

I'm interested in expanding my knowledge of security issues: things like buffer overflows, format string vulnerabilities, etc. I'd like to be able to go through a language and understand its security implications and pitfalls to get a better…
asked by Atul Goyal
3 votes, 3 answers

Is checking return values always required?

We know that checking return values prevents our software from reaching unexpected states. (See the CWE definition.) But we are sometimes sure about the return value. For example: bool calculateSquareRootReturnFalseIfInputIsNegative(float input, float&…
asked by Q Q
3 votes, 1 answer

What procedures or audits should be used to assess the security of a software system?

Are there any standardised security procedures or auditing techniques that can be used to assess the security of a piece of software? I'm specifically interested in auditing software written in Java, but other tips for other languages as well as…
asked by Richard Warburton
2 votes, 1 answer

Best practice to avoid unintentional side-effects in PowerShell scripts

I recently wrote a small PowerShell script to clean a Visual Studio solution. It's used by a small team of 5 persons on a regular basis. I built it in PowerShell ISE (GUI client) and it works great, but some time later I ran it from Cmd and then…
asked by David
2 votes, 1 answer

Security Pattern to store SSH Keys

I am writing a simple Flask application to submit scientific tasks to remote HPC resources. My application in the background talks to remote machines via SSH (because it is widely available on various HPC resources). To be able to maintain this…
asked by mehdix
1 vote, 1 answer

What kind of processes or static analysis would you use to catch improper buffer bugs such as the one that caused Heartbleed?

What kind of process or static analysis would catch the Heartbleed bug other than human code reviews, which we already know failed? The fix commit is here.
asked by Usman Ismail
0 votes, 1 answer

Is it possible to secure both web page and web API access with a JWT?

I am trying to wrap my head around having a secure WEB API and at the same time securing the client that accesses the WEB API. I am hoping someone can point me in the right direction. Here is my scenario. I have developed a WEB API that has an…
asked by Dave
0 votes, 1 answer

Sending Out Functions To Return Or To Die

Which is preferable for both solid technique and secure coding? Example #1: function_one() blah; function_two() blah; print blah; exit; ... Example #2: function_one() blah; function_two() blah; …
asked by user58446
0 votes, 1 answer

Is sending data to a server via a script tag an outdated paradigm?

I inherited some old JavaScript code for a website tracker that submits data to the server using a script URL: var src = "http://domain.zzz/log/method?value1=x&value2=x" var e = document.createElement('script'); e.src = src; I…
-2 votes, 4 answers

Prevent users cheating a view count

I wrote a small video library app. It renders private Vimeo videos for paid subscribers. The owners of the app would like to reward users who watch videos. My first implementation was to trigger a watched mutation at 80% of the video playback (this…
asked by hsimah