It is important that configuration management functionality is accessible only by authorized operators and administrators. A key part is to enforce strong authentication over your administration interfaces, for example, by...
Last week, I grumbled over the fact that a student can graduate with a Computer Science and Software Engineering degree and had zero exposure to software security . Huh? Doesn’t our society and business literally run on...
For years everyone from Mary Ann Davidson (CSO or Oracle) to OWASP to DHS (in their “Build Security In” initiative with SEI) have been bemoaning the fact that our universities do not adequately train software engineering...
When developing an application, it is best to define security objectives and requirements early in the process. Security objectives are goals and constraints that affect the confidentiality, integrity, and availability of...
Write a class or library dedicated to error handling. Centralized error handling is easier to test and implement correctly. Handling errors is important for security, so better error handling improves security. Perform the...
What to Do
Applications should assume that all of their input is malicious, and take action accordingly. Input should be validated and either rejected or sanitized immediately, carefully quarantined during use, and...
Centralizing input validation helps ensure that data is validated in a consistent way throughout the application and provides a single point of maintenance. Perform the following steps to assure that all input is...
