mailing list archives
RE: Reviewing security parameters
From: "Auri A. Rahimzadeh" <Auri () auri net>
Date: Fri, 16 Apr 2004 16:40:33 -0500
Do you guys think this script is safe?
Wow, that's a tough one. Since we're not looking at your code, I could
only bring up a few items:
1) When can we see the code? :)
2) Who's coming up with the "random" number? Is it session ID? Is it
your own randomizer? If the latter, what's the seed so that it isn't
3) What prevents people from DoSing you by sending corrupted session
data for a particular user ID and disconnecting legitimate users from
your system (you made it all-or-nothing)?
4) Watch out for the usual: sql injections, watching string lengths,
validating data types, etc. etc. That Secure Coding 2 book from
Microsoft has a lot of good stuff in it for all developers.
5) When can we see the code? :)
T.A.G. - We Are I.T.(tm)
: -----Original Message-----
: From: Pitts, Christopher C.
: [mailto:Christopher.Pitts () HaverstickConsulting com]
: Sent: Friday, April 16, 2004 2:03 PM
: To: Ilya Sher; Simon Lemieux
: Cc: webappsec () securityfocus com
: Subject: RE: Reviewing security parameters
: > Do you guys think this script is safe?
: To throw my hat in the ring. I think you really want to ask multiple
: questions rather than the blanket question you have asked. You'll get
: much better result if you realize the different pieces to securing
: application. What you've given us is a partial design spec of your
: You asked is this script safe. While I can give you a *partial*
: the *design* of the code based on what was presented, that won't
: answer your question.
: The questions I would ponder are...
: Is the design free of obvious design flaws?
: Is the development environment reasonable secure from tampering?
: Is the implementation of the design free from syntactical and security
: flaws that would otherwise compromise a secure design?
: Is the deployment environment secure?
: my .02c. I get asked this question just about everytime I walk into
: AppSec review for a client, and it takes a bit of work sometimes to
: them to realize that asking the question is a bit like asking if their
: entire network is secure.
: Christopher C. Pitts
: Sr. Consultant, Application Security
: Haverstick Consulting, Inc
: Carmel, Indiana