Reddit reviews Writing Secure Code, Second Edition (Developer Best Practices)
We found 8 Reddit comments about Writing Secure Code, Second Edition (Developer Best Practices). Here are the top ones, ranked by their Reddit score.
> Suppose someone (or rather, more than one, since we are all members of a LUG) wants to start tinkering a bit in this field, what do you recommend?
do it :)
> Setting up a web server and starting to try to break into it with known exploits could be a good idea, or is it better to proceed with something else first?
Everything helps (damn, twentieth proverb, I'm turning into Biscardi :). But first of all the problems at the lowest layers need to be clear: booting from external media, "malicious" forensics (filesystem access, password reset, password extraction, trojanizing the OS, ..), MITM and its derivatives, then nmap and network/service discovery like there's no tomorrow, analysis of all the exposed services, then "finally" you can also devote yourselves to the (web) application side.. :)
There are lots of "playgrounds" to have fun with and learn from, both as VMs to download and as online contests, crackmes & co.; a few off the top of my head:
(copying & pasting from the source we use to generate the documentation we hand out at courses & co., I hope it keeps the formatting - it's not very up to date):
Exercises
List of vulnerable applications that can be used to learn about/dig deeper into vulnerabilities in web applications:
List of vulnerable applications from other sites:
Recommended books
Methodologies and checklists
Cheat sheets
> As a security expert, do you have any advice on some "little game" to show at conferences and talks to raise people's awareness of the topic? Currently I notice that this routine (which is more sensationalist than anything else) gets a lot of traction:
> I create an open wifi network without telling them anything and open wireshark
> during the conference they obviously use it without thinking too much about it
> at the end of the conference I show them how much I could have grabbed if I had only wanted to
Ehm.. it may be sensationalist, but I do it often too, including the automatic MITM-on-certificates part. Also phishing/malware via mail, maybe with a split screen (what the user does, what you see on the "back-end"), with one of the various tools out there, metasploit, beef, or with a trivial 10 lines of (web scripting language of your choice).
The values in memory for things like round count, rate of fire, accuracy and recoil were all trusted implicitly from the client with zero validation. Magazine holds a couple hundred thousand bullets? Sounds legit. These all count as user input as they come from an untrusted source (unprotected memory).
If you would like to know more this is a good book.
Every other multiplayer shooter manages to detect people using magazines that held 999,999,999 bullets and shot at 99,999 rounds per minute.
https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751
https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228
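The point above (client-reported values are untrusted input) in working code, as an added example that is not from the thread: the server keeps its own weapon table, ammo counter and shot clock, and a client "fire" event is accepted or rejected against those alone. The event format, the weapon table and the 10% jitter tolerance are assumptions chosen for illustration.

```python
"""Server-side validation of client-reported weapon state.

Added example, not from the thread. The event format, the weapon
table and the jitter tolerance are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class WeaponSpec:
    magazine_size: int      # authoritative values live only on the server
    rounds_per_minute: int
    max_damage: int

# Constructed server-side weapon table; the client never defines these.
WEAPONS = {"rifle": WeaponSpec(magazine_size=30, rounds_per_minute=600, max_damage=35)}

class ShooterState:
    """Per-player state the server tracks itself instead of reading it back from the client."""
    def __init__(self, weapon: str):
        self.spec = WEAPONS[weapon]
        self.ammo = self.spec.magazine_size
        self.last_shot_ms: Optional[int] = None

    def apply_shot(self, event: dict, now_ms: int) -> Tuple[bool, str]:
        """Validate one client 'fire' event; returns (accepted, reason).

        `event` is whatever the client sent (it may even claim "ammo": 999999999);
        every field in it is untrusted input. Only the server's own counters,
        the server clock and the weapon spec decide whether the shot is legal.
        """
        if self.ammo <= 0:
            return False, "magazine empty on server"
        # Minimum interval between shots from the server's rate of fire,
        # minus an assumed 10% tolerance for network jitter.
        min_interval_ms = 60_000 / self.spec.rounds_per_minute * 0.9
        if self.last_shot_ms is not None and now_ms - self.last_shot_ms < min_interval_ms:
            return False, "fires faster than weapon allows"
        # Client-reported damage is bounds-checked, never applied as-is.
        claimed = event.get("damage", 0)
        if not isinstance(claimed, int) or not 0 <= claimed <= self.spec.max_damage:
            return False, "damage outside weapon spec"
        self.ammo -= 1
        self.last_shot_ms = now_ms
        return True, "ok"
```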
Ah, yes, but that depends on how you define 'quality', I suppose. I'm not sure that support for CSS 2.1 is important to them (I can only guess). What I do know is that the procedure I witnessed when doing my graduate project at MDCC was rather elaborate and thorough. There are actually books ( 1, 2. Both required reading for every MS developer) that describe their security assurance process quite well, if you should be interested. Well, almost. Their internally developed system for automated code review (which is applied as a supplement - not a replacement - to the manual review) is not discussed, but I can assure you that it is quite fabulous.
Has anyone read both Writing Secure Code 2nd edition and the first edition?
Is the 2nd edition talking about really awesome things that are worth my time or is it incremental?
Understand the principle of least privilege and privilege separation. Understand why security through obscurity is not a good strategy.
Understand built-in access controls for your OS and other products (SQL) and how they apply to the above principles. If you can't accomplish least privilege through the built-in access controls, then write a service that performs validation and restricts access between the other two software components.
Also, if you're working with a database, know about SQL injection and how to avoid it (use parameterized queries).
The following should be your baseline level of knowledge for building networked applications that handle user credentials:
You don't need to know in detail how the algorithms work, but you should understand the overall idea, what kinds of attacks they prevent, and how to apply them properly.
The best thing you can do is find a good book on security that goes into principles and practical examples and read it cover-to-cover. I used Writing Secure Code, but this book is pretty Windows-specific and deals a lot with the Windows API.
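The two pieces of advice above (parameterized queries against SQL injection, and restricting access when the built-in controls are not enough) as an added example that is not from the thread: the string-built query beside its parameterized form, plus a read-only authorizer on the connection used by the lookup path. The users table, its rows and the authorizer policy are constructed for illustration.

```python
"""SQL injection: string-built query beside its parameterized fix (sqlite3),
plus a read-only authorizer as a least-privilege backstop.

Added example, not from the thread. The users table and its rows are
constructed for illustration.
"""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately unsafe: the caller's string becomes part of the SQL text,
    so quote characters inside it change the meaning of the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the value is bound as a parameter and can only ever be data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege at the connection: the lookup code path only needs
    SELECT, so every other statement type is refused before it runs."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def can_modify(conn: sqlite3.Connection) -> bool:
    """True if an UPDATE gets through; False when the authorizer blocks it."""
    try:
        conn.execute("UPDATE users SET email = 'x' WHERE name = 'alice'")
        return True
    except sqlite3.DatabaseError:
        return False
```

With the constructed rows, looking up `' OR '1'='1` through the vulnerable function returns every user, while the parameterized version returns nothing, and once the authorizer is installed the UPDATE is refused but the SELECT path still works.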
Senior Level Software Engineer Reading List
Read This First
Fundamentals
Development Theory
Philosophy of Programming
Mentality
Software Engineering Skill Sets
Design
History
Specialist Skills
DevOps Reading List
Unfortunately, most of the university programs lag significantly behind industry. I've interviewed candidates with graduate degrees in cybersecurity who were not aware of most modern techniques used to find persistent adversaries. The good thing those programs provide is a broad coverage of information security as a whole.
I saw you mention "finding the vulnerabilities before the bad guys do". Unfortunately, in the real world the code is either unpublished and you're a software security consultant, analyst, or tester, or it is published and you're fixing a hole that the adversary has already discovered. If your interest is in the software security side, I would recommend two books above all others.
The 24 Deadly Sins of Software Security: https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0
Writing Secure Code: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228/ref=sr_1_1?s=books&ie=UTF8&qid=1499038741&sr=1-1&keywords=writing+secure+code
That said, there is also a lot of work in the systems engineering side of the house - along the lines of credential theft and secure enterprise design. If you think this might be interesting to you, I would recommend reading papers such as these:
Microsoft Pass the Hash Whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=36036
Think Like a Hacker (shameless plug for my book): https://www.amazon.com/Think-Like-Hacker-Sysadmins-Cybersecurity/dp/0692865217/ref=sr_1_sc_1?ie=UTF8&qid=1499038880&sr=8-1-spell
Cybersecurity is typically broken into various subfields, such as reverse engineering, forensics, threat intelligence, and the like - each with its own set of tools and skills. Ultimately, I would recommend attending a decent hacking conference such as DEFCON, DerbyCon, ShmooCon, or the like to get familiar with the field.