SecureProgramming.com

Access Control

The Challenge of Least Privilege [View Detail]
http://msdn.microsoft.com/library/en-us/dncode/html/secure06112002.asp

A good introduction to the principle of least privilege from Mike Howard, co-author of Writing Secure Code.

Anti-Tampering

A Taxonomy of Obfuscating Transformations [View Detail]
http://www.cs.arizona.edu/~collberg/Research/Publications/CollbergThomborsonLow97a/index.html

This discussion of basic code obfuscation techniques was the first resource to congregate and classify common obfuscating transformations.
Anti-debugging in Win-32 [View Detail]
http://vx.netlux.org/texts/html/lj_vx03.html

A good discussion of anti-debugger techniques for Windows platforms.
Linux Anti-Debugging Techniques [View Detail]
http://vx.netlux.org/lib/vsc04.html

An article by Silvio Cesare: "This article describes anti debugger techniques for x86/Linux (though some of these techniques are not x86 specific). That is techniques to either fool, stop, or modify the process of debugging the target program. This can be useful to the development of viruses and also to those implementing software protection."

Authentication

"Secure a Web Application, Java-style" [View Detail]
http://www.javaworld.net/javaworld/jw-04-2000/jw-0428-websecurity.html

An article on adding authentication and access control to web-based Java applications.
Dos and Don'ts of Client Authentication on the Web [View Detail]
http://www.pdos.lcs.mit.edu/papers/webauth:sec10.pdf

By Kevin Fu, Emil Sit, Kendra Smith and Nick Feamster. Published in the 10th USENIX Security Symposium (2001).
Web Spoofing: An Internet Con Game [View Detail]
http://www.cs.princeton.edu/sip/pub/spoofing.pdf

This lucid paper shows how one can easily make a web browser appear to be accessing a particular site directly, when one is really accessing a hacker's site.

Code Auditing

Attack Trees [View Detail]
http://www.counterpane.com/attacktrees-ddj-ft.html

Attack trees are a tool for threat modeling taken from the reliabiltiy concept of 'Fault Trees'. This article comes from Bruce Schneier.
Code Auditing Basics [View Detail]
http://www.sdmagazine.com/documents/s=818/sdm0208a/

An overview of code auditing tools and techniques, focusing on architectural review.
Practical Code Auditing [View Detail]
http://www.daemonkitty.net/lurene/papers/Audit.pdf

A guide to finding common security problems in source code and binaries (particularly the well-known problems in C programs). It doesn't cover tools to automate the process.
Threat Modeling [View Detail]
http://www.devx.com/codemag/Article/10338

A great article on threat modeling by Microsoft's software security guru.

General / Miscellaneous

Will software development be hit by a Cyclone? [View Detail]
http://www.securityfocus.com/guest/9094

An overview of the Cyclone programming language as of Dec. 2001. Cyclone is a dialect of C that avoids common security issues (particularly the buffer overflow).
"A Programmers Checklist" [View Detail]
http://www.aspalliance.com/chrisg/default.asp?article=1

A checklist with some basic things that web developers should ensure before deployment, originally intended for an ASP audience, but widely applicable.
Best Practices for Secure Development [View Detail]
http://members.rogers.com/razvan.peteanu/best_prac_for_sec_dev4.pdf

Guidelines for secure program development. It's a somewhat cursory overview, so one should suppliment with one of the better introductory books.
Eavesdropping Risks of CRT Displays [View Detail]
http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf

A discussion of how to eavesdrop on a CRT from a distance without using the Van Eck approach, even without direct line of site. This is a risk many system designers fail to consider. The widespread belief is that such attacks aren't practical, but they are.
Federal Agencies Tackle Software Security [View Detail]
http://msnbc-cnet.com.com/2100-7348_3-5053545.html?tag=lh

"Five federal agencies, led by the U.S. Department of Energy, plan to discuss a new set of government contracting practices that hold software makers accountable for making their products more resistant to viruses and hackers. "
Fending Off Future Attacks by Reducing Attack Surface [View Detail]
http://msdn.microsoft.com/library/en-us/dncode/html/secure02132003.asp

Michael Howard discusses why you should reduce the amount of code that is open to future attack by installing only the needed features of a product.
OWASP Top Ten Web Application Vulnerabilities [View Detail]
http://www.owasp.org/documentation/topten

This is a high-level discussion of some of the major security issues affecting web applications.
Scrubbing Secrets in Memory + Cross-Site Scripting Remediation [View Detail]
http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp

A description of problems with the traditional scrubbing of data in memory. Plus, a discussion of an Internet Explorer extension to cookies (HttpOnly) that mitigates cross-site scripting problems.
Secure Programming Techniques [View Detail]
http://www.onlamp.com/pub/a/onlamp/excerpt/PUIS3_chap16/index3.html

An excerpt of the Secure Programming advice from the book Practical Unix & Internet Security. It's a good overview, but supplement it with dedicated references. The article has three parts, and the link is to the final part. Follow the links to the first two portions.
The Right Mentality Is Half the Battle [View Detail]
http://www-106.ibm.com/developerworks/linux/library/l-sp1.html

An article aimed at getting developers into a good mindset for secure programming. The first article in a series written by David Wheeler and published by IBM's DeveloperWorks.
The Web Services Security Specification [View Detail]
http://www-106.ibm.com/developerworks/library/ws-secure/

Extensions to SOAP messaging to provide message integrity, secrecy, etc.
Twelve Rules for developing more secure Java code [View Detail]
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html

A very high-level article of early tips for more secure Java programming. It is a good set of guidelines to keep in mind, but there are many practical worries one should have beyond what is covered in this article.
When XML Gets Ugly [View Detail]
http://www.xml.com/pub/a/2000/02/xtech/megginson.html

Risks with XML over the web.

Input Validation

A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications [View Detail]
http://www.securereality.com.au/archives/studyinscarlet.txt

This article gives a good overview of common security problems in PHP applications.
Advanced Doug Lea's malloc exploits [View Detail]
http://www.phrack.org/phrack/61/p61-0x06_Advanced_malloc_exploits.txt

This paper discusses more generic and reliable techniques for overwriting arbitrary 4-byte memory locations when malloc() calls are misused. The focus is on exploiting Linux's default malloc() implementation.
Advances in Format String Exploitation [View Detail]
http://www.phrack.org/phrack/59/p59-0x07.txt

This article demonstrates how practical exploiting format string problems can be.
Basic Integer Overflows [View Detail]
http://www.phrack.org/phrack/60/p60-0x0a.txt

An introduction to integer overflow problems.
Best practices for input validation with Active Server Pages [View Detail]
http://heap.nologin.net/aspsec.html

An introduction to avoiding common input validation problems in an ASP environment.
Bypassing StackGuard and StackShield [View Detail]
http://www.phrack.org/phrack/56/p56-0x05

This article demonstrates clearly that many of the low-cost buffer overflow protection techniques (i.e., anything short of bounds checking) can be circumvented, at least in some common cases.
Cross-Site Scripting [View Detail]
http://www-106.ibm.com/developerworks/security/library/s-csscript/

A decent overview of cross-site scripting from IBM DeveloperWorks.
Exploiting Format String Vulnerabilities [View Detail]
http://www.team-teso.net/releases/formatstring.pdf

This article demonstrates how to exploit format string problems in the C standard IO library.
Frame Pointer Overwriting [View Detail]
http://www.phrack.org/phrack/55/P55-08

A discussion on how one can exploit buffer overflows when one can only overwrite the frame pointer, and not the return address. This method can thwart some stack protection techniques, and should lead you to be cautious about defense mechanisms for dealing with buffer overflows.
Introduction to Input Validation with Perl [View Detail]
http://www.developer.com/lang/print.php/861781

A good article on input validation in Perl programs.
JSP Security [View Detail]
http://www.developer.com/java/article.php/883381

An overview of input validation problems in Java Server Pages.
Once Upon A Free() [View Detail]
http://phrack.org/phrack/57/p57-0x09

This article shows off how to exploit memory allocation routines to write to arbitrary memory locations in common circumstances.
Perl CGI Problems [View Detail]
http://www.phrack.org/phrack/55/P55-07

This Phrack article describes some highly sinister (i.e., non-obvious) security risks in Perl. It was the first article to demonstrate how easy it is to introduce exploitale data input problems into Perl programs.
Secure Programming in PHP [View Detail]
http://www.zend.com/zend/art/art-oertli.php

Another introduction to input validation dangers in PHP, including SQL injection problems.
Session Fixation [View Detail]
http://www.acros.si/papers/session_fixation.pdf

A discussion on a certain category of session ID problems. Session ID problems plague web applications.
Smashing C++ VPTRS [View Detail]
http://www.phrack.org/phrack/56/p56-0x08

This article shows how dynamic binding can be exploited when there's a buffer overflow in a program. That is, this is yet another way to take a buffer overflow and potentially turn it into an exploit.
Smashing the Stack for Fun and Profit [View Detail]
http://www.phrack.org/phrack/49/P49-14

This is an often cited article that shows how to exploit simple stack overflows in a manner that is lucid for anyone who knows a little bit of assembly.
SQL Injection [View Detail]
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

This is a good discussion of risks in systems where applications use databases via SQL.
Taking Advantage of Non-Terminated Adjacent Memory Spaces [View Detail]
http://www.phrack.org/phrack/56/p56-0x0e

Yet another way in which buffer overflows can lead to actual security exploits (return address overwriting and frame pointer overwriting being some common alternatives).
Validating Input [View Detail]
http://www-106.ibm.com/developerworks/linux/library/l-sp2.html

An overview of input validation principles.
When Output Turns Bad: Cross-Site Scripting Explained [View Detail]
http://msdn.microsoft.com/library/en-us/dncode/html/secure07152002.asp

A clear explanation of cross-site scripting issues from Mike Howard, co-author of Writing Secure Code.

Networking

Security Problems in the TCP/IP Protocol Suite [View Detail]
http://www.research.att.com/~smb/papers/ipext.pdf

This paper from Steve Bellovin describes fundamental risks in the TCP/IP protocol that applications are generally responsible for solving.
Seven Common SSL Pitfalls [View Detail]
http://www.onlamp.com/pub/a/onlamp/2002/06/27/openssl.html

This article demonstrates how SSL is commonly misused. The biggest problem mentioned is poor certificate validation, which usually leads to the possibility of man-in-the-middle attacks. A vast majority of all SSL deployments suffer from one or more of the problems in this article.

Random Numbers

Cryptanalytic Attacks on Pseudorandom Number Generators [View Detail]
http://www.counterpane.com/pseudorandom_number.html

A paper by Kelsey, et al. describing common classes of attacks on pseudo-random number generators. In Fast Software Encryption, 1998.
Randomness and the Netscape Browser [View Detail]
http://www.ddj.com/documents/s=965/ddj9601h/

A good demonstration of how bad random number infrastructures can lead to real-world problems.
Randomness Recommendations for Security [View Detail]
http://www.ietf.org/rfc/rfc1750.txt

RFC1750 describes best practices circa 1994 on collecting entropy and producing random numbers from it.

Symmetric Cryptography

Differential and Linear Cryptanalysis [View Detail]
http://www.ddj.com/documents/s=965/ddj9601d/

A high-level overview of some important cryptanalytic techniques. Free registration required.

Unix Programming

Delivering Signals for Fun and Profit [View Detail]
http://razor.bindview.com/publish/papers/signals.txt

A discussion on how race conditions in signal handlers can lead to very real security vulnerabilities.
Problems with mkstemp() [View Detail]
http://razor.bindview.com/publish/papers/mkstemp.txt

A discussion on how tmp file sweepers can thwart temporary file creation mechanisms.
setuid Demystified [View Detail]
http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf

A great discussion on how the setuid privilege model works on Unix systems (particularly as it relates to how privileges are SUPPOSED to work).
Smashing the Kernel Stack for Fun and Profit [View Detail]
http://www.phrack.org/phrack/60/p60-0x06.txt

This article looks at implementation errors in OpenBSD system calls, and how they turn into exploitable security vulnerabilities. The material is applicable to other platforms... OpenBSD is just a platform for a case study.

Windows Programming

Code Access Security in the .NET Framework [View Detail]
http://www.vb2themax.com/HtmlDoc.asp?Table=Articles&ID=500

An introduction to the .NET security model for assigning permissions to executable code.
Reviewing Code for Integer Manipulation Vulnerabilities [View Detail]
http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp

One of Mike Howard's secure programming columns for Windows programmers. The goal of this article is to teach developers how to identify integer signedness errors, particularly in code they've already written.
Win32 Buffer Overflows (Location, Exploitation and Prevention) [View Detail]
http://www.phrack.org/phrack/55/P55-15

As with most Phrack articles on buffer overflows, this article does require some understanding of asm. But it's a lucid read if you have that understanding.

All trademarks and copyrights on this page are owned by their respective owners. Copyrights on submitted material are copyrighted by the submitter. Everything else is Copyright © 2003 by John Viega and Matt Messier. Click here for licensing information regarding the use of recipes on this site and from The Secure Programming Cookbook for C and C++.