Information Security Magazine

Safety Net
by Eric Cole
Issue: May 2006

Figure 2: Preventing Buffer Overflow
The code first attempts to parse the data and capture it from the user. The line that begins with "catch" detects the buffer overflow exception. The remaining lines display an error message telling the user why the input has been rejected.

Security Made Easier
Security, until recently, hasn't been a primary concern for developers, who are under pressure to make sure that application features work properly and, most importantly, are delivered on schedule.

The result has been exploitable vulnerabilities, typically due to improper error-checking. For example, attackers can engineer a buffer overflow if the developer allocates "x" amount of memory but doesn't build in checks to ensure that amount isn't exceeded; attackers can enter "x-plus" of information, overwrite the return pointer and cause their own malicious code to be executed. Or, if attackers can enter, say, more than the eight digits of a requested account number, they can simply append a semicolon and write in an additional statement to execute a SQL injection attack.

While you can write extensive error-checking code to stop this, the code can be complex, time consuming and prone to mistakes.

.NET makes it much easier to integrate error-checking into the program without extra coding by allowing you to set parameters on memory checks. Further, .NET will alert the programmer during code compilation if no parameters have been set (see Figure 2).
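As an added illustration in C# (not the article's Figure 2 listing and not code from the .NET Framework itself), this is the pattern the caption describes: parse the user's input, let the catch clauses reject it with a message saying why, and then use the validated value only as a typed query parameter so the "append a semicolon" trick has nothing to attach to. The Accounts table, its column names and the GetBalance helper are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
public static class AccountInput
{
    private const int AccountNumberLength = 8;   // the article's eight-digit account number
    // Parse the user's input first and let the catch clauses reject bad data, as the
    // Figure 2 caption describes; then enforce the eight-digit rule on the raw text.
    public static bool TryParseAccountNumber(string raw, out int accountNumber, out string error)
    {
        accountNumber = 0;
        error = null;
        try
        {
            // NumberStyles.None accepts only the digits 0-9: no sign, whitespace, separators
            // or trailing characters, so input such as "12345678;..." is rejected here.
            accountNumber = int.Parse(raw ?? "", NumberStyles.None, CultureInfo.InvariantCulture);
        }
        catch (FormatException)
        {
            error = "Account number may contain only digits.";
            return false;
        }
        catch (OverflowException)   // more digits than a 32-bit int can hold
        {
            error = "Account number is too long.";
            return false;
        }
        if (raw.Length != AccountNumberLength)
        {
            error = "Account number must be exactly " + AccountNumberLength + " digits.";
            return false;
        }
        return true;
    }

    // Look up the balance with a typed parameter (assumed table and column names): the
    // value is never spliced into the SQL text, so an appended statement cannot run.
    public static decimal? GetBalance(SqlConnection conn, int accountNumber)
    {
        using (var cmd = new SqlCommand("SELECT Balance FROM Accounts WHERE AccountNumber = @acct", conn))
        {
            cmd.Parameters.Add("@acct", SqlDbType.Int).Value = accountNumber;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? (decimal?)null : (decimal)result;
        }
    }
}
```

Only a value that survived TryParseAccountNumber should ever reach GetBalance; the error string is what the page shows the user in place of the rejected input.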

Consider another example of how .NET makes it easy for developers to build secure code from the start: Since HTTP is stateless, e-commerce applications require developers to add session IDs and mechanisms to track state. This creates extra work for the developer and a possible avenue for errors to be introduced.

With .NET, adding an attribute, "trace=true," at the page level will automatically track request details: trace information, control tree, session state, cookie collection, header collection and server variables.

No Guarantees
There is, of course, much more to .NET security. Among its other strengths are built-in features to implement cryptography for both data at rest and data in transit.

But, while .NET provides the framework for strong and deep security on the Web, corporate policies and practices--not robust tools--are the keys to bulletproofing Web apps. If you make embedded security policies and testing parts of your development workflow, .NET will reward your efforts.
