Security relating to source-code editing, protection and management.
5 votes, 2 answers, 106 views
What are good free opensource tools for helping in manual source code reviews? [closed]
I know tools that help in identifying security vulnerabilities in source code (static analysis tools), like Findbugs for Java or Pixy for PHP, but I would like to know good free opensource tools that ...
5 votes, 4 answers, 629 views
Is $_SERVER[ ] a safe source of data in PHP?
Can I 100% rely on $_SERVER[] to be a safe source of data that I do not need to sanitize like I do $_GET[] and $_POST[]?
Thanks.
OVERVIEW OF RESPONSES:
So it seems there is a consensus that some ...
3 votes, 2 answers, 149 views
Can a virus infect source code files with dangerous data?
If a user was infected with a file-altering virus, is it possible that checked-in code (files containing text) in source control could contain dangerous properties?
I ask this after this got me ...
5 votes, 4 answers, 254 views
Source code auditing and fake builds
I am wondering about source code auditing and how hard it would be to fake a build to be audited? Let me explain.
Say I were a dishonest programmer who wished to put a backdoor into ...
4 votes, 3 answers, 813 views
Hiding JavaScript source code
In a web-app should one strive to hide as much of the code as possible, for example from view source? In particular I was wondering should JavaScript be hidden, especially ones used for Ajax? I was ...
-1 votes, 1 answer, 94 views
How to prevent code injection like automatically adding extra character? [closed]
Code:
$result = "Hello World";
$jsonEncodedValue = $result;
echo $jsonEncodedValue;
Assumed Output:
"Hello World"
Real Output:
\n"Hello World"
This \n line feed is added automatically.
For this ...
68 votes, 7 answers, 3k views
How do I know a piece of software only does what the author claims?
Without being a programmer or a computer expert, how can I know if a particular program or any piece of software in general doesn't have hidden unwanted functions compromising privacy and security?
2 votes, 1 answer, 387 views
Is there any decompiled source code for the “Flame”/“Skywiper” malware?
When searching for the source for Stuxnet, it's relatively easy to come by in one form or another. Although I'm actually curious if anyone has done any work to comment the source and perhaps clean up ...
10 votes, 5 answers, 406 views
Does naming sensitive things discreetly provide protection?
I had a job where a manager said he liked naming servers after places because if they were named descriptively e.g. "passwords database server" they become obvious targets. I sort of generalized this ...
8 votes, 4 answers, 365 views
What Checkstyle or Findbugs rules detect common vulnerabilities?
Looking for experience with both built in and custom checks.
I do not need references to commercial source code analysers.
5 votes, 1 answer, 155 views
ROP Exploitation on ARM
I was wondering: since the Ret2Libc attack doesn't work on ARM and we have to rely on ROP instead, how different is ROP on ARM from the x86 architecture?
Are there any tools, such as mona.py ...
7 votes, 7 answers, 204 views
Proving running code on a website is unchanged
Can it be proved to the user that the running code behind a website with security related code is the same as published?
I'm currently looking at a few new project ideas and one involves secure ...
-2 votes, 1 answer, 354 views
Changing user account passwords from PHP script - vulnerabilities? [closed]
I started a thread a while back asking for suggestions on a good (good=fairly secure) way to allow users to change their account passwords via a PHP script. (WHY? because on this particular server, I ...
1 vote, 2 answers, 345 views
Are there any free static analysis tools for C# / .NET code?
A client recently asked me to perform a code review on C# code. As an independent contractor I was wondering what are the automated solutions out there where I would not have to break the bank to ...
0 votes, 0 answers, 101 views
Examples of vulnerabilities being changed in only one (of many) places [closed]
I'm looking into source code analysis and was wondering if folks know of examples, in open source projects, of vulnerabilities where there were multiple "very similar" vulnerabilities in the same ...