Security related to source-code editing, protection and management.


2
votes
2 answers
2k views

Pen Tester's Programming Style [closed]

I recently graduated and now work as a software developer but at some point in my career, I would like to transition into Penetration Testing. I know that pen testers sometimes write their own tools ...
2
votes
5 answers
122 views

What are safe solutions for protecting important credentials in source code [duplicate]

I am doing some Java work for a company that has some code that they want protected in an application that they are giving to their customers. For example what if you have information such as FTP or ...
0
votes
1 answer
43 views

3rd Party Vulnerabilities Fix (Access to source code vs no access to source code)

I have embedded-system software with vulnerabilities listed by a static code analyser tool. Since it is an embedded system, and I don't have access to some of the source code (being 3rd party) for ...
0
votes
0 answers
26 views

What are the security risks with subprocess_popen_with_shell_equals_true

I understand that [subprocess.Popen(shell=True)] can execute arbitrary commands, but if user-controlled input isn't going into Popen, should shell=True still be considered safe or not? I mean, why ...
1
vote
0 answers
10 views

Is it safe to build an untrusted Sphinx document?

We would like to build a kind of wiki engine and Sphinx seems like the perfect tool for our project, given a complicated list of requirements we have. So the question is how safe it would be to run ...
0
votes
2 answers
274 views

Protect Node.js Server Code

Situation/Environment: I have a project whose core is a NodeJs web and API server. I'd like to sell it to multiple clients; they will host the server on their system. Problem: The NodeJs-...
4
votes
1 answer
190 views

Monitoring Github/Internet for source code leaks

We teach an online course and would like to issue takedown notices if source code for our projects is made publicly available. Is there a way to automate a periodic online search for any code that ...
1
vote
1 answer
123 views

How can I ensure that my Python web application source code is secure?

Note: I'm new to information security practices so feel free to point out anything I could be doing better. Situation: I'm creating a web application that runs a Python program as part of the back ...
2
votes
3 answers
386 views

How to prevent source code theft in web application development

I'm developing a web application working with PHP, a SQL DB and other technologies. I'm always considering someone stealing the source code or using it for other purposes. How can you prevent someone from ...
5
votes
2 answers
81 views

Patterns for searching a source repository for private data

I recently discovered a case where a colleague had accidentally committed their login credentials (host, username, and password) to a local source code repository, and then pushed these changes to a ...
0
votes
3 answers
184 views

Detection of abnormal file access patterns

A company allows its developers access to snapshots of their entire codebase through a local network share. In order to perform their job, the developers compile code daily, where each compile reads a ...
0
votes
1 answer
87 views

Security of a desktop application's source code [closed]

How easy is it to get the source code from a desktop application? Are there any protections in place to stop someone from viewing an application's code?
1
vote
0 answers
18 views

Snort Modules Tweaking

I want to tweak and add new functionalities to the Snort code (Preprocessor) (v2.9.8). So I have installed Snort from source code on Ubuntu 14.04; however, due to unknown problems, functionalities aren't ...
1
vote
0 answers
38 views

What is the iOS securecoding feature, and what risks does it mitigate?

iOS 6 and newer allow developers to implement a secure coding method that seems to prevent impostor objects from being deserialized. Can anyone explain what this would actually protect to the ...
4
votes
5 answers
238 views

How to verify if a source code is safe before compiling it?

Sometimes Linux users need to download source code to be compiled and then executed (with root privileges granted). Is it possible for source code to hide malicious code as a part of it? And how ...
1
vote
2 answers
291 views

How can I read the source code of this encoded PowerShell script from the registry?

I get this line from ProcessExplorer: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]...
0
votes
2 answers
110 views

Is there any systematic method that can detect weak cryptographic algorithms in source code?

Weak cryptographic algorithms should be removed from source code to avoid a false sense of security (for example: MD5). Of course, the algorithm may possibly be present in the source code but not used ...
-2
votes
1 answer
174 views

How can startup companies protect their code from any intentional leakage? [duplicate]

So, how can new companies that have just started protect their source code from leaking by their employees? If it is a new company that means that the source code of the product is not so big and ...
1
vote
1 answer
150 views

Is using IsBadReadPtr and IsBadWritePtr considered to be insecure?

I am auditing (reverse engineering) an x86 C++ application without source code. Static analysis revealed that the application is using the IsBadReadPtr and IsBadWritePtr Win32 functions in almost ALL ...
2
votes
0 answers
65 views

How often are codebases compromised? [closed]

I'm currently trying to research which gets compromised more often: databases or codebases? My guess would be that databases are the obvious answer and most of the time easier to compromise, because of ...
1
vote
1 answer
86 views

How to check third party code for Security? [closed]

This may be a very broad question. I am a software developer and from time to time we use third party components which may / may not be secure. Are there any basic things that I should check the ...
28
votes
2 answers
3k views

Identifying the author(s) of a piece of malware

When a new piece of malware appears, people can try to determine where it comes from, and who its authors could be. How do security experts attempt to identify the authors of a new publicly disclosed ...
48
votes
6 answers
11k views

How do large companies protect their source code?

I recently read the canonical answer of our ursine overlord to the question on How do certification authorities store their private root keys? I then just had to ask myself: How do large companies (e....
6
votes
1 answer
51 views

Safely Experimenting With Sockets

I'm learning about TCP/IP and (Berkeley/UNIX) socket programming. Let's say I have two scenarios: 1) I write two programs in C, a client and a server, and bind them each to a non-well-known port on ...
-1
votes
2 answers
158 views

How do researchers identify vulnerability in closed source software? [closed]

I came across an article about the new BadWinmail vulnerability in Outlook. Being closed-source software, how do researchers manage to point out that Outlook is not sandboxing the Flash? Is ...
3
votes
1 answer
293 views

When can I commit an OpenSSL Certificate (.pem) to source control?

That is to say, in what cases does it make sense to commit .cer files, or a stack of .cer files in a .pem, to internal source control like SVN or Git? If it's just a list of signed public keys, I ...
65
votes
7 answers
9k views

Does one need to be a good programmer to perform secure source code analysis?

A person has good knowledge of overall security risks, knows what OWASP Top 10 vulnerabilities are, and has certifications like CEH, CISSP, OSCP, etc. which are more black-box testing. And also he has ...
2
votes
2 answers
478 views

Is there a way to find security bugs in Scala source code the open-source way?

I looked on the Web to find a way of finding security bugs, especially SQL Injection and XSS, in Scala code, with little success. Some posts recommended writing custom detectors for the FindBugs plugin, others ...
20
votes
5 answers
5k views

When can I commit a Private Key to source control?

That is to say, in what cases does it make sense to commit an unencrypted keypair to internal source control like SVN or Git? Related question that discusses an encrypted private key: Is it bad ...
0
votes
0 answers
254 views

Unable to do transformation of findbugs xml reports due to integration issue with findsecbugs plugin

I am trying to integrate the find-security-bugs plugin for findbugs using maven. I am able to run findbugs with maven and perform transformation from xml to html without any issue. I am able to run ...
1
vote
0 answers
207 views

Findbugs Source Code Analyzer not able to detect vulnerabilities in JSP file?

I am using FindBugs to do source code analysis along with Find Security Bugs plugin to specifically detect security vulnerabilities like SQL Injection, XSS, etc. I installed the FindBugs plugin for ...
0
votes
1 answer
216 views

Having trouble with FindBugs exclude filter

I installed FindBugs plugin in Eclipse for Source Code Analysis with FindSecurityBugs plugin to find out security issues with the code. I want to filter out certain false positives and want to exclude ...
0
votes
1 answer
62 views

Security of Data and Source Code in a 3rd Party Hosting Environment [closed]

What expectation should I have for the security of my data and codebase hosted with a 3rd party e.g. godaddy, or any other similar hosting provider. How common is it that some IT employee within the ...
2
votes
0 answers
712 views

Any worthy open-source Java source code analysis tool from a security-vulnerability-finding perspective? [closed]

I have been racking my brain to find a really good open-source source code analysis tool which can uncover security vulnerabilities. I did an extensive search on the web and found three major links ...
4
votes
1 answer
291 views

How could a publicly available stream cipher (RC4) be kept secret so long?

I'm reading about the cryptographic function called RC4. Apparently, its method was kept secret from 1987 until 1994 despite being available to the public for licensing and use. How did it stay ...
5
votes
2 answers
410 views

Keeping passwords out of source code

Secrets should not be in source code or in version control for two reasons: External threat: An attacker can exploit a vulnerability to get access to files/source of your website/application. ...
4
votes
1 answer
241 views

Never heard of compiler vulnerabilities when compiling?

Does there exist any real source code that exploits a compiler vulnerability? I mean code that during compilation causes a buffer overflow in the compiler resulting in execution of arbitrary code. ...
3
votes
1 answer
43 views

Solution for Enterprise SW Eng. with Github and NPM [closed]

Can anyone share an architecture or framework that supports the use of Open Source software in enterprise software development environments? I'm seeking solutions to manage and mitigate the risk of ...
7
votes
2 answers
99 views

Searching vulnerabilities via similar code comparison. Is it a viable attack vector?

Consider the following scenario: The attacker scans (optimally automatically) open codebases (e.g. GitHub) for vulnerable code fragments by checking bug reports and patches. The attacker scans for ...
8
votes
1 answer
426 views

Are there any type safe languages with deterministic compilers?

This article about BIND9 concludes with the statement: The point I'm trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this ...
5
votes
2 answers
428 views

Source code scanning - PCI Requirement - Service Provider

I've been doing a lot of research regarding the requirements for source code scanning but haven't found anything conclusive when it comes to my question below. So I need some guidance from PCI Experts ...
1
vote
2 answers
103 views

Can pre-compiled binaries be different than if someone builds from source himself?

Given that I have an "acceptable" source code of some program (Tor was mentioned in a previous version of this question), where "acceptable" means that I trust this source code and want to use it for ...
0
votes
1 answer
225 views

Source code of Firefox Add-ons

How can I be sure that a browser add-on that is released under the GPL is actually really using the source code that was published? I read somewhere that the source code of Chrome add-ons is viewable ...
25
votes
6 answers
5k views

Source code as password

Passwords with a mixture of letters, numbers, and special characters are sometimes hard to remember. Is it secure to instead use a small amount of memorable source code as a 'passphrase'? As an ...
1
vote
0 answers
91 views

Vetting new IT development staff [closed]

In the realm of software development what would be the best way to vet prospective employees? We handle potentially sensitive information, and a code base which could be potentially lucrative to ...
4
votes
6 answers
2k views

Software Testing vs (Web) Penetration Testing

I would like to ask about the differences between Software Testing and Web Application Penetration Testing. I am aware of the usage of different tools in both disciplines: Software Testing (JIRA/Selenium) ...
3
votes
1 answer
161 views

How to set up a multi-developer environment with emphasis on source code security?

One of my clients runs a small software development company (15 employees) with PHP as their sole server-side development language. They have a networked environment with all the computers ...
0
votes
2 answers
2k views

Source code disclosure vulnerability

I am a bit confused about the discussion here about hiding JavaScript source code. Let's say I browse to a URL like this: http://www.example.com/site/somejs.js and what I see is something like ...
1
vote
1 answer
185 views

What precautions can I take to secure software against the user?

I want to build a client that connects to my server and uses server API. You can consider this as a banking application because data security is the most important thing. Since the users or hackers ...
2
votes
0 answers
294 views

Rootkits: Subverting the Windows Kernel source code [closed]

I just purchased the book "Rootkits: Subverting the Windows Kernel" by Greg Hoglund and James Butler for a research project at work. However, this book constantly refers to the source code that can be ...