12 Jan 2009

Top 25 Dangerous Programming Errors

Presenting the "CWE/SANS TOP 25 Most Dangerous Programming Errors" (more detail and a PDF are available here).

This is an excellent list of very common programming errors that can and should always be avoided with common sense and by paying attention to what we're doing. They're presented in three categories: Insecure Interaction Between Components (think XSS), Risky Resource Management, and Porous Defenses.

CATEGORY: Insecure Interaction Between Components

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
  • CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
  • CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management

  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses

  • CWE-285: Improper Access Control (Authorization)
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security

Read the full article and please use this list on your next software project. If you need further information or assistance in securing your code, OWASP is a great resource; check them out and help to support them.

Filed under: Security
11 Jan 2009

CSS Opacity Tip

I just found a nice, simple list of basic CSS tips, and right away found one tip to put to use in this blog: opacity. I initially struggled with getting the opacity to look right in this design and thought I had it solved, but now I see that there are other, older browsers I wasn't accommodating. If only all browsers behaved the same...

.class {
    opacity: 0.7;                      /* standards-compliant browsers */
    filter: alpha(opacity=70);         /* IE 5-7 */
    -ms-filter: "alpha(opacity=70)";   /* IE 8 (the value must be a quoted string) */
    -moz-opacity: 0.7;                 /* older Mozilla / Firefox */
    -khtml-opacity: 0.7;               /* older Safari / KHTML */
}

I had the first two, opacity and filter:alpha, but didn't know about the other three.

Learned something new today!  :-)

Filed under: Design
4 Jan 2009

Adobe Flex and Linux

Dear Adobe, Please Support Linux....

I prefer Linux over Windows and have for many years. The notebook computer that I use most of the time is running Ubuntu Linux. Linux has the tools I need; in particular, it has the programming and networking tools that I need. Linux is simply a superb environment for programming.

Adobe Flex is ActionScript programming. The Adobe Flex Builder, an IDE for building Flex applications, is based on Eclipse. Eclipse is an IDE that runs on many platforms, including Linux. Flash runs just fine on Linux (though Adobe has historically been somewhat slow to keep the Linux version up-to-date). I use Eclipse every day. I use Linux every day. I'm new to Flex, but find it fascinating and want to use Flex Builder.

To sum this up: Linux is an ideal programming platform, and the tools required for Flex development (Flash and Eclipse) each run happily under Linux, so why oh why is Flex Builder not available for Linux?

I downloaded the trial version of Flex Builder to play around with, but to use it I'm running VMware and have it installed in a Windows XP VM on my Ubuntu laptop – a painful, excruciating situation. So I ask Adobe to please, please, please let your Flex Builder run on Linux, too.

As soon as Adobe adds Linux support, I promise to be first in line to purchase Flex Builder for Linux.

Filed under: Programming
21 May 2008

Car Computers Need Reboot, Too

My Honda Civic Hybrid Needed a Reboot

To say I was surprised is a slight understatement. I take it for granted that computers need periodic reboots, most especially computers that run the Windows operating system, but it never occurred to me that my car might need one, too.

Honda Civic Hybrid

First the mysterious symptoms:

In city driving I noticed that very suddenly my battery charge would drop down to one bar or even none and the car would start acting very sluggish. This was even more likely to happen when the air conditioning was on, but it could also happen without a/c or heat on. The batteries always charged back up quite quickly, though, so it was never hazardous. This never happened during freeway driving. It also wasn't consistent in city driving; it happened only on certain drives, leaving me perplexed and wondering if it was something I did while driving.

The event that sent me to the dealership: suddenly my air conditioning stopped working. I immediately suspected that it might be related to the battery power problem, so I took the car in at the earliest opportunity.

Filed under: Geekery
17 May 2008

Life Without Cygwin Would be Rough

That headline may be a little overkill, but I depend on Cygwin for so much and yet I take it for granted. At home, I do all of my web surfing, studying, experimenting, everything on Linux, and find that I always have the tools I need for whatever I'm working on. Linux distributions — always the perfect tools for every job. When I go off to my place of employment, that environment is a rude awakening. My development desktop is Windoze (gasp!), Windows 2000. Cygwin is the perfect tool that makes toiling in Windows tolerable.

Mind you, the majority of the software development that I do on a daily basis is platform agnostic, being Java, Python, etc. I could easily do my job on a Linux desktop. It's the corporation that prefers that I use Windoze for Word, Excel, Outlook, you know, the usual applications, and I admit that I haven't fought the system and begged for a good Linux desktop. That's because one of the first things I did when I started this job was to download Cygwin! If I didn't have Cygwin, then it would be a different story altogether, but so long as I can have that, I can get by quite happily.

And so on to my point — I would be miserable without it and would incessantly complain about my sorry state of affairs, being stuck on a Windows platform. I know, the GNU coreutils are available for Windows, and a number of other great tools, too, but those don't compare with Cygwin in my opinion. With Cygwin, I have a full bash shell and my usual load of scripts, I have sshd and crond (both as Windows services - that still tickles my funny bone), and I have a seemingly endless number of packages I can install if the urge strikes.

I don't understand why more people don't depend on Cygwin to get their job done. I just can't comprehend it. Anyway, one day this week someone was asking me about it, and that made me think about how much I depend on it and take it for granted, so I thought I'd just put in this little recommendation. If you've never tried it, give it a shot. It's a big application, depending on how many packages you choose to install, the graphical (sort of) installer takes some getting used to, and it's slow to download and install, but it's worth the time and effort. You won't be disappointed.

Filed under: Geekery