Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
  1. Wiki Markup
    Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including commandline arguments, network interfaces, environmental variables, and user controlled files \[Seacord 05\].
  2. Wiki Markup
    Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code \[[C MSC00-A|MSC00-A. Compile cleanly at high warning levels], [C+\+ MSC00-A|cplusplus:MSC00-A. Compile cleanly at high warning levels] \].
  3. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set.
  4. Wiki Markup
    Keep the design as simple and small as possible \[Saltzer 74, Saltzer 75\]. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.
  5. Wiki Markup
    Base access decisions on permission rather than exclusion means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted \[Saltzer 74, Saltzer 75\].
  6. Wiki Markup
    Every processes should execute with the the least set of privileges necessary to complete the job. Any elevated permission

    
    should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges \[Saltzer 74, Saltzer 75\].
  7. Wiki Markup
    Sanitize all data passed to complex subsystems \[[C STR02-A| STR02-A. Sanitize data passed to complex subsystems]\] such as command shells, relational databases, or commercial-off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of SQL, command, or other injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem.
  8. Wiki Markup
    Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another
    layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments shouldreduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment \[Seacord 05\]. 
  9. Wiki Markup
    Effective quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Penetration testing, fuzz testing, and source code audits should all be incorporated as part of an effective quality assurance program. Independent security reviews can lead to more secure systems. External reviewers bring an independent perspective; for example, in identifying and correcting invalid assumptions \[Seacord 05\].
  10. Develop and/or apply a secure coding standard for your target development language and platform.

...