Unofficial Application Programming Guide
This application programming guide outlines some basic security issues to keep in mind when developing applications and performing code reviews. It specifies several areas of application to consider including user input, program file dependencies and system settings, accounts and passwords, storage of data, and program operation and functionality. This application programming guide is intended to provide a brief list of security areas and items to consider while developing or reviewing code.
1.0 User Input
Through the network
Consider all methods that input from the user is received by the program.
Consider SQL command statement injection into the user input
Consider possible escape characters, special characters, quotes, semicolons, colons and other special characters in the user input that the program may process differently or improperly.
How will the program handle the user leaving input values blank?
How will the program handle input of illegal values such as negative numbers which should cause error messages?
Prevent buffer overflow by limiting length of user input whether through forms or other communication such as through the network.
Can the source of the data or program input be faked?
If the data or program input is not available, how will the program handle it?
2.0 File dependencies and system settings
Types of files the application may use:
System environment variables
Command line switches and program settings
Check for success or failure when accessing:
Libraries such as system libraries used to support code.
Configuration files or other files such as data files for reading or writing.
Other executable files.
Check for file corruption or wrong version, or unauthorized file modification when possible. Ways to know if the file is modified or corrupt is to do a CRC check, examine the size and date of the file to tell if it is correct.
Can any unusual program settings or command line switches cause unpredictable program behavior?
Be aware of what information is stored in local or remote files, the system registry, or in the system environment or other system files that the program either depends on, modifies, or can change the behavior of the program. Ask:
Is this information sensitive?
If it is changed without authorization, can it affect the security of my program or data?
Can unauthorized persons change these registry values, environment values, or other system files without proper access?
If a file is corrupt how can my program or data be affected? Can the program test the file to tell whether it is corrupt?
Can the program be fooled into using a file with the same name in a different directory than the intended file due to the environment path as it is used to search for files?
3.0 Accounts and Passwords - access
Are test accounts still active in the application when it is made public?
Are default accounts and passwords known which may allow unauthorized access?
Are all undocumented accounts removed from the program?
Where are accounts and passwords stored and are they encrypted?
How many levels of access exist and is data sensitive?
Cookies - Be careful about what data you have your application store in cookies. Consider these possibilities:
A browser vulnerability allows an attacker to get all client cookies.
Cookies are sniffed by an attacker while traveling over the internet.
Someone unintended read the cookies while stored in the client computer temporary folder.
Temporary data storage
Does the program store sensitive data in temporary files directly or indirectly using system calls?
Does the program store sensitive data in memory?
5.0 Program operation and functionality
Are the ports opened by the application intended to be open and is input and output through them handled securely? Is the input protected against buffer overflow, SQL or special data injection, and malformed input?
Can the application open additional ports and will this compromise security?
Testing procedures and loadable modules
Are testing procedures and loadable modules either removed or made secure?
Can any test code be used to bypass normal authentication or security controls?
Can program functionality or commands be executed over and over in an effort to ultimately deny service to users?
How many methods can be used to execute a program function and are all these methods secure?
Are testing procedures and loadable modules either removed or made secure? Can any test code be used to bypass normal authentication or security controls?
Program security checks
When the program checks data, can an attacker substitute false data?
Is there enough time between when the data is checked to when the data is used for an attacker to substitute false data?
6.0 Error Checking
Provide least privilege in the case of an error - When testing for errors in a process, if the exact condition is not met, do not allow the action to take place. For example if testing to determine whether user access is allowed to some program function, do not allow the operation only if access is denied.
Only allow the operation if access is allowed. This way if an additional error occurs such as a buffer overflow or a library is not available, security is not compromised.