This site graciously hosted
by our friends at
In our search over the years for examples of "secure code" available on the Web, we have found a few outstanding repositories of code snippets and language-specific tips.
The companion website for Secure Programming Cookbook, by John Viega and Matt Messier--also from O'Reilly--is an excellent source for examples of good code. We recommend you check out the site, www.SecureProgramming.com, thoroughly.
You can find some good samples of the recipes available at http://www.secureprogramming.com/?action=browse&feature=recipes.
THE OWASP GUIDE AND OTHER TIPS ABOUT CGI SCRIPTS AND HTML
The Open Web Application Security Project maintains a website, http://www.owasp.org, that contains wonderful advice on how to write secure HTML. We particularly recommend the OWASP Guide, which is freely available for download from the site (and will also be published in "realcover" soon).
The data validation issues and mitigation techniques discussed in chapter 10 are especially useful. We found them online at http://beta.owasp.org/documentation/guide/current/page.ptl?book=guide.current&chapter=ch10.
For specific examples about sanitizing input to CGI scripts, we recommend CERT/CC's "How to Remove Meta-characters from User-Supplied Data in CGI Scripts". You can get it at http://www.cert.org/tech_tips/cgi_metacharacters.html. It's got good examples, in PERL and C. But please be aware that for a complete understanding of some of the surprisingly complicated troubles caused by, for example, UNICODE considerations, we recommend you study the OWASP Guide as well.
ADVICE FROM DAVID WHEELER
Another outstanding online resource for examples of secure coding is the "Secure Programming for Linux and UNIX HOWTO", by David Wheeler. It's available online at http://www.dwheeler.com/secure-programs.
While the entire volume is strong, we liked particularly David's discussion of making safe temporary files in C. It's at http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html#ATOMIC-FILESYSTEM.
Also very useful are the language-specific hints we list below. Most include sample code fragments.
We'll include in this section a few notes that come from other, disparate sources.
For information on how to write PERL securely, see the perlsec(1) document at, for example, http://www.perldoc.com/perl5.8.0/pod/perlsec.html. It contains detailed information about "TAINT" mode, some excellent design tips, and more.
Davaid LeBlanc of the Microsfot Development Network just recently published an interesting article concering integer overflows in C++, which includes a new SafeInt class. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01142004.asp for details.
If you are aware of other very cool repositories, or wish to nominate some samples you found (or wrote), please drop us a line. (But please first check out the "Bibliography and Links" section, where we point to dozens of fine sites).
Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.