Skip to main content

8 Simple Rules For Developing More Secure Code

Michael Howard's piece in the online MSDN magazine is really good.

Writing secure code is one of those things that, I believe at least, very few FoxPro developers think of. In our quest for the ever extensible application framework and product tool set, the more flexible a solution the better it is.

For example, I created a feature in an application called Form Validation - basically it was custom business rules. It could be called at a variety of hooks and "someone", typically the developer or a power user, could write their own rules. Yes, we provided several templates but if there's one thing I've learned, it's that no template ever covers the real world properly. (ok, maybe not the most important thing I've learned, but it's still true).

Now some developers may be cringing right here, thinking "you let people write their own validation code". Well, yes - because this way, we can have a nice custom solution on each customer's end that is specific to their business needs. But back to security....

How secure is that approach? Where do you put your validation code? In a DBF table! Which means that if someone really wanted to screw up your system, and knew their way around a DBF file, they could do it. Here's a validation script: ERASE *.*

or better yet
DELETE FROM CUSTOMERS

Ouch! Now you could get hurt big time!

So you put in protection. Check for any strange calls, any code like ERASE or DELETE or ZAP and more.

Of course, the downside of this is that your protection may actually slow down the operation of the code. So do you disable this feature?

I don't have the perfect answer (does anyone ever?) but I do see a lot of FoxPro developers who turn a semi-blind eye to writing secure code. Sure, they put security into their application - but that is NOT the same thing.

Michael's article is a great way of just keeping things in mind as you write code.

Comments

Eric Selje said…
Has anyone on the Internet Explorer team at Microsoft read this post?

Popular posts from this blog

Well, that explains CodePlex...

In a move that will be sure to anger open source (or rather anti-paid software, anti-Microsoft open source)  zealots, Microsoft is planning to buy GitHub.

A year ago, I mused about why Microsoft would shut down CodePlex and how the world needs competing source code repositories to be strong. I'm not the only one per this Slashdot article :
"...people have warned about GitHub becoming as large as it did as problematic because it concentrates too much of the power to make or break the open source world in a single entity, moreso because there were valid questions about GitHubs financial viability...." - Jacques Mattheij

I will be interested in seeing this play out - whether developers jump ship or not. Have all the efforts Microsoft has made in pushing towards open source be seen as genuine or will all the zealots jump ship or maybe even attack?

Microsoft's comment about why they shut down CodePlex referred to how spammers were using CodePlex. Well, GitHub has its own …

FoxInCloud Stats

FoxInCloud sent this link a while back about their statistics regarding visits to their site:

http://foxincloud.com/blog/2017/12/27/VFP-community-lessons-from-foxincloud-site.html



What's interesting here is the breakdown of people. Yes, I think it's understandable that the Fox community is getting older.

Another factor is the growth of the mobile and web environments taking over development. These environments really do push people towards the newer non-SQL or free SQL/hosted environments but more towards hosted storage options like Amazon and Google. A tool like FoxInCloud that helps MOVE existing applications to the cloud inherently competes with those environments.

But FoxInCloud also allows developers to extend their application further by giving them a starting point using Javascript and the basic CSS (such as Bootstrap). If you're not rebuilding your application from scratch, it's certainly a great step forward.

Attending Southwest Fox 2019 could change your life - Find out how

Southwest Fox is coming up in October and as I do every year, I spoke with the organizers Rick, Doug and Tamar on the FoxShow.

Deadlines for Southwest Fox:
Super-saver price (before July 1): $695
Early-bird price (before August 1): $770
Regular price (August 1 and later): $820
This year, I took a different approach with separate shows for each organizer but the main message is still the same : July 1st is their Go/No-Go date.

Conferences don't talk about this very often. I don't think developers really question if Apple will hold their WWDC in June or Microsoft will hold their Build conference - but that's because those conferences are vendor-led.

Southwest Fox is a community-driven conference - it's not driven by a company with an agenda. Listen to the interviews and you can hear how important each of the organizers feel the live connection between speakers and among attendees.