Questions tagged [secure-coding]

142 questions
79 votes, 10 answers

Would it be good secure programming practice to overwrite a "sensitive" variable before deleting it?

Is it good secure programming practice to overwrite sensitive data stored in a variable before it is deleted (or goes out of scope)? My thought is that it would prevent a hacker from being able to read any latent data in RAM due to data remanence. …
Jonathan
57 votes, 11 answers

Are there "secure" languages?

Are there any programming languages that are designed to be robust against hacking? In other words, an application can be hacked due to a broken implementation, even though the design is perfect. I'm looking to reduce the risk of a developer…
TruthOf42
55 votes, 5 answers

Should security-critical code be reused or rewritten?

Usually, in programming, reusing code is always a better idea than writing your own implementation of an algorithm. If an implementation has been around for a long time and is still used by lots of projects, it is likely to be pretty well designed…
Hadrien G.
44 votes, 8 answers

Does an application purely for intranet use by employees need secure software design or to follow OWASP guidelines?

I'm developing an application over an intranet that is used only by an internal employee. There wouldn't be any external parties involved here and no external communication would be used by the application. Does it need secure software design in…
Gaming
41 votes, 7 answers

What are some important concepts to teach developers about cross-site scripting (XSS)?

I'm helping with a one-hour training for developers (~100 of them) on cross-site scripting. What are some concepts you think are indispensable to get across to them? Right now we have: Difference between reflected and stored; Layers of defense…
mcgyver5
40 votes, 2 answers

Why is there no web client for Signal?

I’ve read about E2EE (end to end encryption) of Signal in web clients on a Signal Community discussion forum, and wonder why they say that the browser is insecure for E2EE and native apps are secure. I think the security issues for clients are the…
24 votes, 4 answers

Can I trust public code versioning platforms when building a social platform?

We are developing a kind of social platform. It starts as a closed beta for a limited number of users, but the goal is to reach millions of subscriptions. We are currently limited on resources, both infrastructure and e.g. DevOps. So we are using…
ooouuiii
16 votes, 5 answers

How many rounds of hashing is enough for a password manager?

I'm currently writing my own little password manager that stores the key in a SHA256 hash, with salt. I create the hash by doing the following: def sha256_rounds(raw, rounds=100001): obj = hashlib.sha256() for _ in xrange(rounds): …
CertifcateJunky
11 votes, 4 answers

How secure is the use of fingerprints (like Apple's TouchID) for authentication in banking apps?

We are working on the development of a banking app for customers. We need to implement TouchID in Apple's iOS and a fingerprint check in Android. Firstly, what are the possible security risks and considerations related to this technology?…
Kris
8 votes, 3 answers

Is initializing a variable to NULL, 0 or -1 a bad practice from a security standpoint?

I'm trying to learn a little bit about armoring applications against reverse engineering. In one article I read that initializing variables to NULL or 0 or -1 is as secure (vs RE) as using common passwords in applications. In short, it is said we…
StupidOne
8 votes, 6 answers

Does having no 'if' blocks in code mitigate side-channel attacks?

Looking through descriptions of Spectre and Meltdown it seems that speculative execution - the basis for these attacks - occurs only with branched code. Therefore, it seems logical to conclude that having no if statements would preclude speculative…
postoronnim
7 votes, 1 answer

What is preventing us from starting to use scrypt in production?

After a lot of reading of expert opinion on password hashing, I understand that scrypt (which is both memory hard and CPU intensive) is a good candidate for password hashing. But I saw the experts recommending a wait of at least 5 years until it is…
acthota
7 votes, 3 answers

Is it OK for software to store passwords locally in plain text?

There are already plenty of questions about what to do when websites store plain-text passwords. But this one is a little different. I use a piece of open-source (see below) software for playing games. It requires a user account that isn't directly…
7 votes, 2 answers

In C, not using 'void' if a function does not accept any argument is a potential vulnerability

In the CERT secure coding standard, there is a recommendation that "Always specify void even if a function accepts no arguments". A possible security vulnerability is proposed in it. /* Compile using gcc4.3.3 */ void foo() { /* Use asm code…
Jor-el
7 votes, 3 answers

Setting a limit on password recovery attempts

In a setting where one has forgotten their password, I'd like to be able to limit the attempts at entering email addresses to something like 10. My first thought was to use a cookie. $attempts = 0; if( isset(…
Tony