
8 Simple Rules For Developing More Secure Code

Michael Howard's piece in the online MSDN magazine is really good.

Writing secure code is, I believe, something very few FoxPro developers think about. In our quest for the ever-extensible application framework and product tool set, the more flexible a solution is, the better.

For example, I created a feature in an application called Form Validation - basically it was custom business rules. It could be called at a variety of hooks, and "someone", typically the developer or a power user, could write their own rules. Yes, we provided several templates, but if there's one thing I've learned, it's that no template ever covers the real world properly. (OK, maybe not the most important thing I've learned, but it's still true.)

Now some developers may be cringing right here, thinking "you let people write their own validation code?" Well, yes - because this way we can have a nice custom solution on each customer's end that is specific to their business needs. But back to security...

How secure is that approach? Where do you put your validation code? In a DBF table! Which means that if someone really wanted to screw up your system, and knew their way around a DBF file, they could do it. Here's a validation script: ERASE *.*

or better yet

Ouch! Now you could get hurt big time!

So you put in protection: check for any suspicious calls, any code like ERASE, DELETE or ZAP, and more.

Of course, the downside of this is that your protection may actually slow down the operation of the code. So do you disable this feature?
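As an added example (not the post's own code), here is the kind of guard the post describes, written in Python rather than FoxPro: it scans a stored rule script for statements that begin with ERASE, DELETE or ZAP before the rule is accepted into the DBF table. The handling of comment lines, string delimiters and four-letter command abbreviations reflects FoxPro syntax; the sample rules are constructed for the demonstration.

```python
import re

# Destructive commands the post names (ERASE, DELETE, ZAP); extend as needed.
DANGEROUS_COMMANDS = ("ERASE", "DELETE", "ZAP")
# FoxPro string delimiters "...", '...', [...]; && begins a trailing comment.
_STRING_LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'|\[[^\]]*\]')
_FIRST_WORD = re.compile(r"[A-Za-z_]\w*")


def _is_flagged(word, command):
    # FoxPro accepts the first four letters of a command (DELE, ERAS),
    # so the check must match abbreviations, not just the full keyword.
    word = word.upper()
    return word == command or (len(word) >= 4 and command.startswith(word))


def scan_rule_script(script):
    """Return [(line_no, command), ...] for each statement of a stored
    validation rule whose command word is on the deny-list. Comment lines
    (* or NOTE) and string literals are ignored, so a rule that merely
    mentions ERASE inside a message text is not flagged."""
    findings = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("*") or line.upper().startswith("NOTE "):
            continue
        code = _STRING_LITERAL.sub('""', line).split("&&")[0]
        match = _FIRST_WORD.match(code)
        if not match:
            continue
        for command in DANGEROUS_COMMANDS:
            if _is_flagged(match.group(0), command):
                findings.append((line_no, command))
                break
    return findings


def is_rule_allowed(script):
    """Gate to run once when a rule is saved, not on every execution."""
    return not scan_rule_script(script)


# Constructed sample rules (not from the post).
GOOD_RULE = """* Constructed rule: require a customer name
IF EMPTY(customer.name)
   MESSAGEBOX("Name is required - do not ERASE this record")
ENDIF
RETURN .T.
"""
BAD_RULE = "dele all && abbreviated DELETE\nZAP\nERASE *.*"
```

Running the scan once at save time, rather than every time the rule fires, avoids the run-time slowdown mentioned above. A deny-list like this is only a backstop; restricting what a stored rule may call at all is the stronger control.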

I don't have the perfect answer (does anyone ever?) but I do see a lot of FoxPro developers who turn a semi-blind eye to writing secure code. Sure, they put security into their application - but that is NOT the same thing.

Michael's article is a great way of just keeping things in mind as you write code.


Eric Selje said…
Has anyone on the Internet Explorer team at Microsoft read this post?
