Questions tagged [programming]

Programming is the act of issuing commands that a computer system executes, via certain interfaces called programming languages.

121 questions
134
votes
19 answers

Is it common to allow local desktop and/or Active Directory admin access and rights for developers in organizations?

I work at a company with a staff of about 1000+. We currently have programming development staff that work on web based projects (approx 50 people). Recently due to security concerns our IT and Security department implemented a restriction no…
TroySteven
81
votes
19 answers

Good analogy needed: Sec issues due to different coders implementing the same features in different ways for the same app

I have to give a school presentation about vulnerabilities found in the Moodle platform. Of course, they only apply to a legacy version which has since been patched. The catch is that the presentation should be aimed at an audience with no technical…
SuperSpitter
79
votes
10 answers

Would it be good secure programming practice to overwrite a "sensitive" variable before deleting it?

Is it good secure programming practice to overwrite sensitive data stored in a variable before it is deleted (or goes out of scope)? My thought is that it would prevent a hacker from being able to read any latent data in RAM due to data-remanence. …
Jonathan
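The overwrite-before-release practice the question above asks about has a well-known pitfall: a compiler may delete a memset() whose result is never read. The following is an added example, not code from the question or its answers, showing a wipe that survives dead-store elimination and a check that it worked. The buffer contents are a constructed placeholder, not real key material, and the function names are ours.

```c
#include <stddef.h>

/* A plain memset() on a buffer that is never read again is a dead store the
   optimizer is allowed to delete. Writing through a volatile pointer forces
   every store to be emitted; memset_s() (C11 Annex K) and explicit_bzero()
   (BSD, glibc 2.25+) exist for the same reason where they are available. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero (used to verify the wipe). */
int all_zero(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Demo: fill a stack buffer with a constructed 32-byte "key" (hypothetical
   value, not real key material), pretend to use it, then wipe it before it
   goes out of scope. Returns 1 if no byte of the key is left behind. */
int wipe_after_use(void) {
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }
    /* ... key would be used here ... */
    secure_zero(key, sizeof key);
    return all_zero(key, sizeof key);
}

int main(void) {
    return wipe_after_use() ? 0 : 1;
}
```

The volatile write only guarantees the stores to this buffer; copies the compiler spilled to registers or other stack slots, copies made by library calls, swap and core dumps are outside its reach, which is why the wipe is a reduction of exposure rather than a guarantee.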
57
votes
11 answers

Are there "secure" languages?

Are there any programming languages that are designed to be robust against hacking? In other words, an application can be hacked due to a broken implementation, even though the design is perfect. I'm looking to reduce the risk of a developer…
TruthOf42
52
votes
5 answers

Teaching "Secure by Design"

I'm a Security Architect, and I'm used to defining the security of project as a specification that gets carried out by others. I have been recently tasked with teaching new coders how to design and program using the principles of "Secure by Design"…
schroeder
51
votes
9 answers

Writing my own encryption algorithm

I am currently studying IT at college (UK college aka not University) and the coursework is boring me to death. I have been coding for quite a while now mainly in OO languages such as C# and Java but often get bored and give up quickly because the…
Confuto
37
votes
6 answers

Teaching a loved one about secure coding practices

This might be far too narrow, but it is a unique problem to ITSec professionals. A loved one is just starting out in a new programming career and I get the joy of watching her learn the most basic programming concepts from scratch. She is at the top…
schroeder
34
votes
4 answers

Which security measures does PyPI and similar third-party software repositories take?

PyPI is a third-party software repository for Python packages. Everybody can upload packages to it (see The Python Package Index (PyPI)). How does PyPI prevent people from uploading malware? When I am searching for software, how can I be (more)…
Martin Thoma
32
votes
8 answers

What defines a programming language as useful for hacking?

I know that scripting languages (Perl, Ruby, Python, javascript, and even Lua!!!) are most suitable for hacking and penetration testing. My question is: What is it that makes those languages suitable? From what I know, they are slower than other…
NlightNFotis
27
votes
7 answers

At what level of abstraction should a developer work with regard to cryptography?

I have recently come across an old blog post by Jeff Atwood which got me thinking. What could be easier than an EncryptStringForBrowser() method which has security and tamper-resistance built in, that's part of a proven, domain-expert-tested set of…
user10211
23
votes
3 answers

Simple string comparisons not secure against timing attacks

As I learned in a comment for How to encrypt in PHP, properly?, I was told using a string comparison like the following in PHP is susceptible to timing attacks. So it should not be used to compare two MACs or hashes (also password hashes) for…
evildead
22
votes
5 answers

Timing Safe String Comparison - Avoiding Length Leak

Let's say that we're building a generic timing-safe comparison function for general purpose use. Making it so that it is safe when both strings are equal length is pretty well known. However, what I'm not sure about is how we can make it safe if the…
ircmaxell
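The two timing questions above (the PHP string comparison and the length-leak follow-up) ask about the same primitive. As an added example that is not part of either post, written in C rather than the PHP of the first question and with function names that are ours: the early-exit comparison beside a constant-time one, and a variable-length variant whose running time depends only on the length of the known value, so the attacker learns that length and nothing about how many bytes of their guess matched.

```c
#include <stddef.h>

/* The comparison the first question warns about: it returns at the first
   mismatching byte, so the elapsed time reveals how many leading bytes of the
   guess were correct. Kept here as the "before". */
int early_exit_equal(const unsigned char *a, size_t alen,
                     const unsigned char *b, size_t blen) {
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++) {
        if (a[i] != b[i]) return 0;   /* leaks the position of the first mismatch */
    }
    return 1;
}

/* Constant-time comparison of two equal-length buffers: OR the XOR of every
   byte pair into an accumulator. No branch and no loop bound depends on the
   data, only on n. */
int ct_equal_fixed(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= a[i] ^ b[i];
    }
    return acc == 0;
}

/* Variable-length version for the second question. Always loop over the
   length of the *known* value (the stored MAC or hash), index the untrusted
   input modulo its own length so there is never an out-of-bounds read, and
   fold the length mismatch into the accumulator. Work done depends only on
   known_len, which the attacker may learn; nothing about which bytes of
   `untrusted` matched is observable. */
int ct_equal_varlen(const unsigned char *known, size_t known_len,
                    const unsigned char *untrusted, size_t untrusted_len) {
    if (untrusted_len == 0) {
        return known_len == 0;        /* avoids % 0; branches only on lengths */
    }
    unsigned char acc = (unsigned char)(known_len != untrusted_len);
    for (size_t i = 0; i < known_len; i++) {
        acc |= known[i] ^ untrusted[i % untrusted_len];
    }
    return acc == 0;
}

int main(void) {
    const unsigned char stored[] = "expected-mac";
    const unsigned char guess[]  = "expected-mab";
    /* 0: last byte differs; the varlen form does the same work either way */
    return ct_equal_varlen(stored, sizeof stored - 1, guess, sizeof guess - 1);
}
```

In practice use the platform primitive where one exists (hash_equals() in PHP 5.6+, CRYPTO_memcmp() in OpenSSL, hmac.compare_digest() in Python); the hand-written loop is for understanding what they do and for environments that lack them. Compilers do not add early exits to a loop that has none, but a sufficiently clever optimizer could still transform the accumulator, so production implementations are usually kept in a separate compilation unit or use compiler barriers.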
20
votes
6 answers

Becoming a malware analyst?

So, I'm currently 16 and am considering a career in IT when I finish school. The thing that has intrigued me the most while growing up is malware. I've come across it so often and have often had to clean it up for family and friends (I also did it…
TheMaster
19
votes
5 answers

Would the Heartbleed bug have been prevented if OpenSSL was written in Go/D/Vala?

IIUC the Heartbleed vulnerability happens due to a bug in the C source code of OpenSSL, by performing a memcpy() from a buffer that is too short. I'm wondering if the bug would have been prevented automatically in other languages that have…
oliver
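The memcpy() the question refers to copied as many bytes as the record's own length field claimed, without checking that claim against the number of bytes actually received. The following is an added illustration, not code from the question or from OpenSSL: a constructed heartbeat-style handler in C with the unchecked copy beside the length-checked one. The record layout (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding) follows RFC 6520; the function names, the 64-byte demo arena and the 'S' marker bytes are ours, and the check in the fixed version has the same shape as the one the published OpenSSL fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding a heartbeat record must carry (RFC 6520) */

/* Big-endian 16-bit length field. */
static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable shape: trusts the length inside the record and copies that many
   bytes, even when the record actually received is far shorter, so whatever
   sits after it in memory ends up in the reply. Returns bytes copied. */
size_t heartbeat_reply_unchecked(const unsigned char *record, size_t record_len,
                                 unsigned char *out, size_t out_cap) {
    (void)record_len;                          /* never consulted: that is the bug */
    uint16_t payload = read_u16(record + 1);
    if ((size_t)payload > out_cap) return 0;   /* demo guard for `out` only; the over-read remains */
    memcpy(out, record + 3, payload);          /* reads past the record when payload > record_len - 3 */
    return payload;
}

/* Fixed shape: header + claimed payload + padding must fit inside the bytes
   actually received, otherwise the record is dropped without a reply. */
size_t heartbeat_reply_checked(const unsigned char *record, size_t record_len,
                               unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = read_u16(record + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return 0;
    if ((size_t)payload > out_cap) return 0;
    memcpy(out, record + 3, payload);
    return payload;
}

/* Constructed demo arena: a 23-byte heartbeat record (4-byte payload "ping",
   16 bytes of padding) followed by 'S' bytes standing in for whatever else
   happened to sit in the process heap. The length field claims 40 bytes. */
#define DEMO_RECORD_LEN (1 + 2 + 4 + HB_PADDING)
static unsigned char arena[64];

static void build_demo(void) {
    memset(arena, 'S', sizeof arena);          /* 'S' = simulated neighbouring memory */
    arena[0] = 1;                              /* heartbeat_request */
    arena[1] = 0; arena[2] = 40;               /* claimed payload length: 40 */
    memcpy(arena + 3, "ping", 4);              /* the real 4-byte payload */
    memset(arena + 7, 0, HB_PADDING);          /* padding */
}

/* Runs one handler over the demo record and returns how many bytes of the
   reply came from outside the received record (0 means nothing leaked). */
size_t leaked_bytes(int checked) {
    unsigned char out[64];
    build_demo();
    size_t n = checked
        ? heartbeat_reply_checked(arena, DEMO_RECORD_LEN, out, sizeof out)
        : heartbeat_reply_unchecked(arena, DEMO_RECORD_LEN, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] == 'S') leaked++;
    }
    return leaked;
}

int main(void) {
    /* unchecked handler leaks 20 marker bytes; checked handler leaks none */
    return (leaked_bytes(0) == 20 && leaked_bytes(1) == 0) ? 0 : 1;
}
```

The over-read in the demo stays inside the 64-byte arena, which is what makes it safe to run; in a real process the same copy walks into heap memory the program never meant to send. A bounds-checked language would have turned that read into an exception rather than a silent disclosure, which is the distinction the question is asking about, though it would not by itself have caught the logic error of trusting the length field.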
18
votes
7 answers

Why are security-crucial software written in unsafe languages?

This may be a stupid question, but... Why are security-crucial software written in languages such as C and C++? I understand why, say, an embedded system might need a low-level language to make the most use of limited resources, but it seems foolish…
ithisa