8 Simple Rules For Developing More Secure Code

Michael Howard's piece in the online MSDN magazine is really good.

Writing secure code is one of those things that, in my experience at least, very few FoxPro developers think about. In our quest for the ever more extensible application framework and product tool set, the more flexible a solution is, the better it seems.

For example, I created a feature in an application called Form Validation - basically it was custom business rules. It could be called from a variety of hooks, and "someone", typically the developer or a power user, could write their own rules. Yes, we provided several templates, but if there's one thing I've learned, it's that no template ever covers the real world properly. (OK, maybe not the most important thing I've learned, but it's still true.)

Now some developers may be cringing right here, thinking "you let people write their own validation code?" Well, yes - because this way we can have a nice custom solution at each customer's site that is specific to their business needs. But back to security...

How secure is that approach? Where do you put your validation code? In a DBF table! Which means that if someone really wanted to screw up your system, and knew their way around a DBF file, they could do it. Here's a validation script:

ERASE *.*

or better yet:

DELETE FROM CUSTOMERS

Ouch! Now you could get hurt big time!

So you put in protection: before running a stored rule, check it for anything strange, such as ERASE, DELETE, ZAP and the like.

Of course, the downside of this is that your protection may actually slow down the operation of the code. So do you disable this feature?
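As an added illustration of the check-before-execute protection described above (this is not code from the original post, and it is in Python rather than FoxPro so the logic can be run anywhere): each stored rule carries an HMAC computed when the developer approves it, so a script that was edited directly in the table fails the signature check before the keyword scan even runs, and the scan is only needed for rules that pass. The key, the rule rows and the signatures are constructed values.

```python
import hashlib
import hmac
import re

# Commands the post names as ones to check for; a real deployment would extend this.
DANGEROUS = re.compile(r"\b(ERASE|DELETE|ZAP)\b", re.IGNORECASE)

# Constructed demo key. In practice it lives outside the DBF that users can edit,
# so changing a row in the table alone cannot produce a valid signature.
RULE_KEY = b"demo-key-not-for-production"


def sign_rule(script: str, key: bytes = RULE_KEY) -> str:
    """HMAC-SHA256 of the script text; computed when the developer approves a rule."""
    return hmac.new(key, script.encode("utf-8"), hashlib.sha256).hexdigest()


def scan_rule(script: str) -> list[str]:
    """Return the destructive command names found in the script, if any."""
    return sorted({m.upper() for m in DANGEROUS.findall(script)})


def gate_rule(row: dict, key: bytes = RULE_KEY) -> tuple[bool, str]:
    """Decide whether a stored rule may run: cheap HMAC check first, then the keyword scan."""
    script = row["script"]
    if not hmac.compare_digest(row["sig"], sign_rule(script, key)):
        return False, "signature mismatch: rule was edited outside the application"
    hits = scan_rule(script)
    if hits:
        return False, "blocked commands: " + ", ".join(hits)
    return True, "ok"


# Constructed rows standing in for records in the validation table.
GOOD = "IF EMPTY(Customers.Email)\n    lValid = .F.\nENDIF"
RULES = [
    {"name": "email_required", "script": GOOD, "sig": sign_rule(GOOD)},
    # The script was replaced in the DBF but the old signature was left in place.
    {"name": "email_required_tampered", "script": "DELETE FROM CUSTOMERS", "sig": sign_rule(GOOD)},
    # Correctly signed but destructive: the keyword scan still rejects it.
    {"name": "wipe", "script": "ZAP", "sig": sign_rule("ZAP")},
]


def check_all(rules: list[dict] = RULES) -> dict[str, tuple[bool, str]]:
    """Map each rule name to its (allowed, reason) decision."""
    return {r["name"]: gate_rule(r) for r in rules}
```

The HMAC check costs one hash per rule, so the scan only runs on rules that were approved inside the application, which keeps the overhead of the protection small.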

I don't have the perfect answer (does anyone ever?), but I do see a lot of FoxPro developers who turn a semi-blind eye to writing secure code. Sure, they put security into their application - but that is NOT the same thing.

Michael's article is a great way of just keeping things in mind as you write code.

Comments

Eric Selje said…
Has anyone on the Internet Explorer team at Microsoft read this post?
