Questions tagged [source-code]

Security relating to source-code editing, protection and management.

Use this tag when:

  • You are asking a question about how to protect, manage or securely edit your source code.
  • You need to audit source code for security issues
  • You need to assess source-code security risks

Do not use this tag just because:

  • You are posting source code in your question
  • You are requesting source code

230 questions
127 votes, 8 answers

Why is storing passwords in version control a bad idea?

My friend just asked me: "why is it actually that bad to put various passwords directly in a program's source code, when we only store it in our private Git server?" I gave him an answer that highlighted a couple of points, but felt it wasn't…
124 votes, 7 answers

Is using Git for deploying a bad practice?

I tend to use Git for deploying production code to the web server. That usually means that a master Git repository is hosted somewhere accessible over ssh, and the production server serves that cloned repository, while restricting access…
Septagram
92 votes, 7 answers

How do I know a piece of software only does what the author claims?

Without being a programmer or a computer expert, how can I know if a particular program or any piece of software in general doesn't have hidden unwanted functions compromising privacy and security?
user3533
87 votes, 6 answers

How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?

I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm just stating what I personally use for the sake…
85 votes, 6 answers

How do large companies protect their source code?

I recently read the canonical answer of our ursine overlord to the question on How do certification authorities store their private root keys? I then just had to ask myself: How do large companies (e.g. Microsoft, Apple, ...) protect their valuable…
SEJPM
76 votes, 19 answers

What security resources should a white-hat *developer* follow these days?

What sites, Twitter accounts, FOSS software should a white-hat code 'hacker' follow these days? Do include: Late breaking information on new security issues (RSS, Twitter, etc) A website that tracks unpatched security issues per vendor Twitter…
makerofthings7
69 votes, 7 answers

Does one need to be a good programmer to perform secure source code analysis?

A person has good knowledge of overall security risks, knows what the OWASP Top 10 vulnerabilities are, and has certifications like CEH, CISSP, OSCP, etc., which are more black-box testing. He has also gone through the OWASP Testing Guide, Code…
Krishna Pandey
55 votes, 5 answers

Should security-critical code be reused or rewritten?

Usually, in programming, reusing code is always a better idea than writing your own implementation of an algorithm. If an implementation has been around for a long time and is still used by lots of projects, it is likely to be pretty well designed…
Hadrien G.
46 votes, 15 answers

Should we protect web application source code from being stolen by web hosts through obfuscation?

Is it worth obfuscating a Java web app's source code so that the web host cannot make wrong use of the code or even steal your business? If so, how should this be dealt with? How should we obfuscate? We are a new start-up launching a product in…
45 votes, 3 answers

How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

How safe are signed git tags? Especially because git uses SHA-1. There is contradictory information around. So if one verifies a git tag (git tag -v tagname), then checks out the tag, and checks that git status reports no untracked/modified files,…
adrelanos
45 votes, 8 answers

Should I bother teaching buffer overflows any more?

The students are skeptical that turning off non-executable stacks, turning off canaries and turning off ASLR represents a realistic environment. If PaX, DEP, W^X, etc., are effective at stopping buffer overflow exploits, is there still value in…
Fixee
40 votes, 5 answers

How should source code security be checked?

How can I check whether the source code of an open-source project contains no malicious content? For example, in a set of source code files with altogether 30,000 lines, there might be 1-2 lines containing a malicious statement (e.g. calling curl…
tonychow0929
34 votes, 4 answers

Which security measures do PyPI and similar third-party software repositories take?

PyPI is a third-party software repository for Python packages. Everybody can upload packages to it (see The Python Package Index (PyPI)). How does PyPI prevent people from uploading malware? When I am searching for software, how can I be (more)…
Martin Thoma
31 votes, 0 answers

Can you prove that an open source program is running the same code that it claims to be?

So if a group has made open source software, and the source code is available on github, and is bundled with an executable in their main download, can it be proven that the executable is compiled from the source code that is on github, and not…
puser
31 votes, 4 answers

Is $_SERVER[ ] a safe source of data in PHP?

Can I 100% rely on $_SERVER[] to be a safe source of data that I do not need to sanitize like I do $_GET[] and $_POST[]?
user2079272