Security relating to source-code editing, protection and management.
0 votes, 2 answers, 69 views
Source code disclosure vulnerability
I am a bit confused about the discussion here about hiding javascript source code. Let's say if I browse to a url like this: http://www.example.com/site/somejs.js and then what I see is something like ...
1 vote, 1 answer, 81 views
What precautions can I take to secure software against the user?
I want to build a client that connects to my server and uses server API. You can consider this as a banking application because data security is the most important thing. Since the users or hackers ...
1 vote, 0 answers, 38 views
rootkits subverting the windows kernel source code [closed]
I just purchased the book "rootkits: subverting the windows kernel" by Greg Hoglund and James Butler for a research project at work.
However, this book constantly refers to the source code that can be ...
2 votes, 2 answers, 70 views
What are the security risks in leaving 'sudo' inside my production code?
I have a script that can only run successfully with root permissions.
But in development it's really hard to run with root permissions (in my development environment), so I add 'sudo' whenever it's ...
2 votes, 2 answers, 48 views
Expose the source code repository externally or allow VPN access?
To allow third party consultants, offshore developers and contractors working on the code, we can expose our Git repository externally. Or we can grant VPN access to the external parties and limit ...
1 vote, 2 answers, 69 views
Which security measures do PyPI and similar third-party software repositories take?
PyPI is a third-party software repository for Python packages. Everybody can upload packages to it (see The Python Package Index (PyPI)).
How does PyPI prevent people from uploading malware?
When I ...
2 votes, 2 answers, 75 views
Can we verify that an app store ships the same code I have been shown?
When thinking about which messaging solution to use on my new "smart"phone I reflexively tended towards open source products, figuring that I could trust these more to actually provide the security ...
53 votes, 5 answers, 4k views
Should security-critical code be reused or rewritten?
Usually, in programming, reusing code is always a better idea than writing your own implementation of an algorithm. If an implementation has been around for a long time and is still used by lots of ...
1 vote, 1 answer, 73 views
Code deployment in PCI CDE
The PCI DSS v3 standard states the following:
Network Segmentation
To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that ...
13 votes, 2 answers, 430 views
How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
How safe are signed git tags? Especially because git uses SHA-1. There is contradictory information around.
So if one verifies a git tag (git tag -v tagname), then checks out the tag, and checks that ...
1 vote, 2 answers, 259 views
What are the main differences between Source Code Analysis and Static Application Security Testing (SAST)?
Do these 2 terminologies refer to the same thing?
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#.NET
Some of the ...
31 votes, 0 answers, 2k views
Can you prove that an open source program is running the same code that it claims to be? [duplicate]
So if a group has made open source software, and the source code is available on github, and is bundled with an executable in their main download, can it be proven that the executable is compiled from ...
0 votes, 1 answer, 60 views
How can I prove to users of the software that the binaries I post match source code that's been inspected and verified by a third party? [duplicate]
If I have software that's like TrueCrypt where security is very important, but unlike TrueCrypt because mine won't mysteriously go offline for seemingly no reason at all, how can I prove that my ...
13 votes, 3 answers, 831 views
What are the security implications of 'open-source' vs. 'source-available'?
In light of the current fiasco surrounding TrueCrypt, I have received considerable criticism from current clients and peers in the IT industry for my continued support of the open-source model. Such ...
0 votes, 1 answer, 199 views
Are private git repositories safe?
I've heard from several people that private repository servers like BitBucket are not really safe. I've heard rumours about code being stolen and used by people even out of private repositories.
Is ...
1 vote, 2 answers, 126 views
Open Source OS - code you see vs code you get
In this question I will use the example of the Linux OS, but I am also interested in the general situation.
Linux OS distributions are famous for being open source and thus rather secure. But how can you be ...
1 vote, 2 answers, 219 views
Static code analysis strategies [closed]
Imagine: We have been given the source code of several software programs, some open source, others proprietary. What's the best strategy to analyze the source code in each case?
For example: We know ...
2 votes, 3 answers, 213 views
What is the security flaw in the following code?
I am reading OWASP Testing Guide v3. The following passage:
Example 1: Magic Parameters
Imagine a simple web application that accepts a name-value pair of “magic” and then the value. For ...
7 votes, 5 answers, 2k views
How can one secure a password/key in source code [duplicate]
If there is a need for source code to have a password in it, how
should this be secured? This is purely an example, but say there is an
app that is using an API, and you don't want to expose ...
1 vote, 0 answers, 27 views
Tracking checkins from generic users
I'm trying to implement a better system to monitor check-ins to our repository. We have some generic users everyone can use; I have recently disallowed them from checking in as those users, however there ...
0 votes, 2 answers, 70 views
Displaying a video through the web whilst hiding the location
I felt this fit more here than SO, if not, please vote to migrate.
We've been approached by a company who would like to use our platform to host their videos. The issue is that right now, we use the ...
2 votes, 0 answers, 1k views
AngularJS Static Analysis Tools [closed]
I am setting up a software security initiative at a small software company. Part of this is selecting a static analysis tool for early and automated detection of security vulnerabilities.
Many ...
4 votes, 2 answers, 252 views
If Apache is configured to parse PHP can users see PHP source code?
If Apache is configured to parse PHP and not allowed to index files, are there other ways users can see PHP source code, either with or without intention?
34 votes, 4 answers, 7k views
Is using Git for deploying a bad practice?
I tend to use Git for deploying production code to the web server. That usually means that a master Git repository is hosted somewhere accessible over ssh, and the production server serves ...
3 votes, 1 answer, 1k views
Hiding backdoors in Open Source code in other languages than C and C++?
I am referring to The Underhanded C Contest and Hiding Backdoors in plain sight. They demonstrate that you can, with some cleverness, write Open Source code, publish the code and hide a backdoor in ...
9 votes, 1 answer, 277 views
Do the Windows shared source files compile into the same binaries as the retail version?
Microsoft makes the Windows source code available to certain third party organisations such as the US and foreign governments, universities etc. This is their Shared Source Initiative.
Is this a ...
3 votes, 2 answers, 484 views
In Visual Studio, what are the risks of simply opening an untrusted project? What are the mitigations?
I'm looking at the source code of some potentially hostile code. As usual, VS 2012 is giving me the security warning: "You should only open projects from a trustworthy source" ... "ask me for every ...
1 vote, 1 answer, 293 views
Scan Source Code for Potential Viruses
If you are sent a program written by someone so that you have the complete source code, how would you go about scanning the source code for any potential viruses/malware?
Note: While bugs and ...
36 votes, 15 answers, 6k views
Should we protect web application source code from being stolen by web hosts through obfuscation?
Is it worth obfuscating a Java web app's source code so that the web host cannot make wrong use of the code or even steal your business? If so, how should this be dealt with? How should we obfuscate?
...
-2 votes, 1 answer, 125 views
Am I covered with GPL If I want to share open source code of project developed in my company? [closed]
I do not know if this is the right place to ask this question, but I find that this site is the closest of the Stack Exchange sites to ask such a question.
I'm working in a company and in my job contract ...
16 votes, 1 answer, 722 views
Is there a way to verify a binary against the sources?
It seems like there is no practical way to verify the full integrity path of precompiled and packaged software? I can check the downloaded package itself by hashes, but I have no verification if the ...
0 votes, 2 answers, 169 views
Check integrity of GnuPG inside of GPGTools?
Is it possible to check the integrity of the GnuPG files inside of the downloaded installation package of GPGTools?
I know how to check the integrity of the .dmg file (compare the SHA1 hash), but I ...
9 votes, 4 answers, 986 views
How dangerous is it to store password in plain text on sites like GitHub?
I have a few private repositories set up on GitHub for some of the projects I am working on for my company. These applications connect to databases and I have database authentication credentials ...
0 votes, 2 answers, 2k views
How to protect my Exe file which is written in c#.net? [duplicate]
I created one piece of software which is written in c#.net, and when I created the setup file the .exe file was the output, but this .exe file is extractable by some software and it is easy to access the code. How to ...
0 votes, 3 answers, 808 views
Password and username used to connect to database in source code [duplicate]
In PHP scripts that communicate with the database I have the username and password to the database in plain text i.e. mysqli_connect('localhost:3306', 'root', 'PASSWORD!'). From OWASP
Do not ...
0 votes, 2 answers, 313 views
Tools to extract code comments from sites? [closed]
I often come across sites that have way too many comments included in their source code; sometimes these comments offer valuable insight into what's happening in the code, the logic of functions, unused ...
6 votes, 5 answers, 6k views
Obfuscating JavaScript code
Some Flash developers are afraid of JavaScript. Their point of view:
Stealing JS source code is effortless, one would just 'view source' and copy it. Yes, you can decompile Flash bytecode, however it ...
1 vote, 2 answers, 86 views
VCS to manipulate returned trees to prevent leaks? [closed]
I am wondering if there is any system that would change source code trees returned from version control systems in subtle ways that are hard to discover (i.e. whitespace at the ends of lines, perhaps even ...
2 votes, 2 answers, 302 views
How to protect source code that resides on virtualbox web server which starts at boot?
I installed CentOS 6 on a 3 GB virtualbox disk. It hosts a web server which starts automatically when the OS boots. No user login required. When it boots, it is given an IP and the host machine can ...
5 votes, 2 answers, 754 views
What are good free opensource tools for helping in manual source code reviews? [closed]
I know tools that help in identifying security vulnerabilities in source code (static analysis tools), like Findbugs for Java or Pixy for PHP, but I would like to know good free opensource tools that ...
16 votes, 4 answers, 4k views
Is $_SERVER[ ] a safe source of data in PHP?
Can I 100% rely on $_SERVER[] to be a safe source of data that I do not need to sanitize like I do $_GET[] and $_POST[]?
Thanks.
OVERVIEW OF RESPONSES:
So it seems there is a consensus that some ...
3 votes, 2 answers, 370 views
Can a virus infect source code files with dangerous data?
If a user was infected with a file-altering virus, is it possible that code (files containing text) checked in to source control could contain dangerous properties?
I ask this after this got me ...
5 votes, 4 answers, 553 views
Source code auditing and fake builds
I am wondering about source code auditing and how hard it would be to fake a build to be audited? Let me explain.
Say I would be a dishonest programmer that would wish to put in some backdoor into ...
3 votes, 5 answers, 8k views
Hiding JavaScript source code
In a web-app should one strive to hide as much of the code as possible, for example from view source? In particular I was wondering should JavaScript be hidden, especially ones used for Ajax? I was ...
-1 votes, 1 answer, 262 views
How to prevent code injection like automatically adding an extra character? [closed]
Code:
$result = "Hello World";
$jsonEncodedValue = $result;
echo $jsonEncodedValue;
Assumed Output:
"Hello World"
Real Output:
\n"Hello World"
This \n line feed is added automatically.
For this ...
81 votes, 7 answers, 4k views
How do I know a piece of software only does what the author claims?
Without being a programmer or a computer expert, how can I know if a particular program or any piece of software in general doesn't have hidden unwanted functions compromising privacy and security?
3 votes, 2 answers, 3k views
Is there any decompiled source code for the “Flame”/“Skywiper” malware?
When searching for the source for Stuxnet, it's relatively easy to come by in one form or another. Although I'm actually curious if anyone has done any work to comment the source and perhaps clean up ...
11 votes, 5 answers, 496 views
Does naming sensitive things discreetly provide protection?
I had a job where a manager said he liked naming servers after places because if they were named descriptively e.g. "passwords database server" they become obvious targets. I sort of generalized this ...
7 votes, 4 answers, 2k views
What Checkstyle or Findbugs rules detect common vulnerabilities?
Looking for experience with both built in and custom checks.
I do not need references to commercial source code analysers.
5 votes, 1 answer, 590 views
ROP Exploitation on ARM
I was wondering, since the Ret2Libc attack doesn't work on ARM and we have to rely on ROP instead, how different is ROP on ARM from the x86 architecture?
Are there any tools, such as mona.py ...