<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
    <channel>
        <title>TopazPort</title>
        <description>TopazPort</description>
        <link>http://topaz.net/5344</link>
        <lastBuildDate>Mon, 05 Jan 2009 22:44:58 -0400</lastBuildDate>
        <generator>FeedCreator 1.7.2</generator>
        <item>
            <title>What's your job?</title>
            <link>http://topaz.net/7396/What_s_your_job</link>
            <description><![CDATA[<p>This may seem like a silly question to some, but I think it's often easy for us to forget what our job really is. I'm going to write this from the perspective of a Software Developer, but it applies equally well to all job functions.</p>
<p>As programmers, we have often been tricked into thinking that we should be writing code all the time and that anything less means we're not being productive enough. I know I often struggle between writing code, which I enjoy, have some skill in, and can easily see my results from, and doing other important project tasks.</p>
<p>When I was working on <a href="http://en.wikipedia.org/wiki/Microsoft_word">Word for Windows 6.0</a> (and there's a whole 'nother story about why it was numbered 6.0 rather than 3.0, since it followed Word for Windows 2.0; the short quote is "6 is larger than 3") Chris Peters (who has since left Microsoft and brought the <a href="http://en.wikipedia.org/wiki/Professional_Bowlers_Association">PBA</a> back into prominence) at one of our team meetings made it clear to us that, in order to ship Word 6.0, we needed to remember that our job wasn't to write code or test code or any of those things. Our job was to ship Word 6.0. Now often that would mean, as developers, we should write some code (or fix some bugs), but we needed to think each day about what we could do that day to help ship Word 6.0. Some days that would mean not writing new code (and new code is the worst: it has to be tested, localized, documented, etc.). Sometimes, the best way to finish the project would be to talk with our program manager and see about cutting a ...</p>]]></description>
            <author>David McKinnis</author>
            <source>topazgroup</source>
            <pubDate>Fri, 01 Aug 2008 15:45:57 -0400</pubDate>
            <guid>http://topaz.net/7396/What_s_your_job</guid>
        </item>
        <item>
            <title>Never trust user input</title>
            <link>http://topaz.net/7229/Never_trust_user_input</link>
            <description><![CDATA[<p>One of the most common security issues I see in code from new web developers (and even some experienced ones) is not sanitizing user input. They trust user input to have always come from a non-adversarial user interacting with the site through a web browser. Given the HTTP(S) protocol, there is absolutely no reason this needs to be the case. There are lots of ways a mischievous person can send data to your website by going through the browser, or by not using a browser at all. Even users who are not trying to be malicious can cause you trouble.</p>
<h1>Sanitizing Input Strings</h1>
<p>Most developers are aware of <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection attacks</a> and know how important it is to sanitize input strings such as names, email addresses and any other content. (xkcd has a <a href="http://xkcd.com/327/">very funny cartoon</a> about such exploits). Steve Friedl has a <a href="http://www.unixwiz.net/techtips/sql-injection.html">good article</a> on how attackers find such holes in your applications. It's critical for web application security that you make sure inputs are properly escaped before using them in database queries. Perhaps in a future post I'll talk about some strategies for doing that more effectively. And remember that you must sanitize <b>all</b> input, not just strings. Sure, you have a &lt;select&gt; list to allow the user to pick which type of pizza they want and you've given them numbers (1 = cheese, 2 = sausage, 3 = veggie combo, etc.), but that doesn't stop someone from sending you a request where the pizza type is a string with instructions to change the admin email address to their own.</p>
<h1>Preventing Problematic Output</h1>
<p>But it's not just SQL Injection attacks we must be concerned about with sanitizing user input. What happens to your application if a user can put HTML in their ...</p>]]></description>
            <author>David McKinnis</author>
            <source>topazgroup</source>
            <pubDate>Fri, 20 Jun 2008 12:19:17 -0400</pubDate>
            <guid>http://topaz.net/7229/Never_trust_user_input</guid>
        </item>
        <item>
            <title>Why am I Blogging?</title>
            <link>http://topaz.net/7149/Why_am_I_Blogging</link>
            <description><![CDATA[<p>A reasonable question to ask really.</p>
<p>My main audience at this point is the development staff at Topaz Group. We are separated both by space and time. By space, because we are spread out and do not share offices or even the same area code. By time because I know there will be new developers coming after me, some of whom may join only after I leave. And while there will be development documents and design documents that may be private, I also want to write about how one does a good job of developing software.</p>
<p>Obviously, by making this public, I also hope that there will eventually be other readers (and, once we advance the tool some, we'll even turn on comments so you can make yourselves known). As with the Topaz Group developers, I would hope that I have some words of wisdom for new developers.</p>
<p>I've been in the business of developing software for over twenty years now (and &quot;writing computer programs&quot; for over thirty years if you take a broad definition of that phrase. Perhaps later I'll write down some of my early experiences for historical sake) and I've had the opportunity to learn from some remarkable people and make some mistakes, which helps the learning process. So, I'd like to pass on that learning to whomever is interested. Hopefully you'll find some of it useful and you'll come back to read more.</p>
]]></description>
            <author>Alberto Molina</author>
            <source>topazgroup</source>
            <pubDate>Fri, 30 May 2008 17:03:06 -0400</pubDate>
            <guid>http://topaz.net/7149/Why_am_I_Blogging</guid>
        </item>
        <item>
            <title>Book Review: Secure Coding: Principles and Practices</title>
            <link>http://topaz.net/7148/Book_Review_Secure_Coding_Principles_and_Practices</link>
<description><![CDATA[<p><a href="/7087">Last time</a> I reviewed one of two books on security that I had recently read. This time I'll review the other book - Secure Coding: Principles &amp; Practices by Mark G. Graff and Kenneth R. van Wyk (and published by O'Reilly, which puts out excellent books in general).</p>
<p>This is a great book which I would recommend developers, testers and managers read. Even operations folks could get something out of this book. It's a different book from the Security Development Lifecycle in many ways. It's shorter and doesn't provide the step-by-step methods that SDL does. It is very easy reading, with just a few coding samples. It provides some great real-life examples of security flaws and some creative solutions.</p>
<p>Graff and van Wyk give you a lot of things to think about and some problems to avoid and ways to do things right.</p>
<p>One of their better suggestions is to come up with a metaphor of your application (or a particular feature) when you are designing the architecture. Rather than thinking about people making seat reservations (for an on-line ticketing system, for example) come up with a different model and think about how someone might attack that. Because, they point out, someone attacking you isn't necessarily following your model and architectural security flaws are the most difficult to solve.</p>
<p>This is another book I'd suggest you read and have on your shelf.</p>]]></description>
            <author>Alberto Molina</author>
            <source>topazgroup</source>
            <pubDate>Fri, 30 May 2008 16:40:42 -0400</pubDate>
            <guid>http://topaz.net/7148/Book_Review_Secure_Coding_Principles_and_Practices</guid>
        </item>
        <item>
            <title>Book Review: The Security Development Lifecycle</title>
            <link>http://topaz.net/7087/Book_Review_The_Security_Development_Lifecycle</link>
            <description><![CDATA[<p>Security is something that is very important in all kinds of applications today. I have many more articles I want to write about security (particularly since we fixed a recent security hole). I'm going to start, however, with a review of one of two books I read recently on security. The book - The Security Development Lifecycle, by Michael Howard and Steve Lipner - steps you through the Microsoft process of creating more secure software. I used to work at Microsoft, but left shortly before the SDL process was instituted, so I haven't seen how this process worked there. But, as the authors point out, if you look at how Microsoft has improved its reputation for security issues over time, this process has some real value.</p>
<p>The meat of the book (Part II) is an explanation of the stages of the Security Development Lifecycle (SDL) process. The authors do a good job of explaining these steps and how you can implement them in your own project. I think the SDL is a great process for improving the security of a software project and would suggest that anyone who is concerned about the security of their software project (which should be just about everyone working on a significant software project) read this book.</p>
<p>I would recommend this book for managers and developers (even though the authors point out it is not a book with code samples and examples of how to write better code). I believe if developers know more about how security issues crop up and can be handled, they will be better equipped to write solid code.</p>
]]></description>
            <author>Alberto Molina</author>
            <source>topazgroup</source>
            <pubDate>Tue, 06 May 2008 15:26:21 -0400</pubDate>
            <guid>http://topaz.net/7087/Book_Review_The_Security_Development_Lifecycle</guid>
        </item>
        <item>
            <title>Specifications Chart</title>
            <link>http://topaz.net/6787/Specifications_Chart</link>
            <description><![CDATA[<div>
<table width="580" style="font-size:9px;"><tbody><tr><td colspan="8" style="text-align:center;"><span style="color:rgb(0,0,0);font-weight:bold;font-size:12px;">APPENDIX B - Requirements Spreadsheet</span></td>
        </tr><tr><td width="25"> </td>
            <td colspan="7" style="border:1px solid;vertical-align:middle;"><span style="font-weight:normal;color:rgb(0,0,0);">E = Essential, N = Non-essential</span></td>
        </tr><tr><td width="25" style="border:1px solid;vertical-align:middle;"> </td>
            <td width="75" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Category</span></td>
            <td width="280" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Functionality</span></td>
            <td width="25" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">E/N</span></td>
            <td width="25" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Y/N</span></td>
            <td width="25" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Screen Shot</span></td>
            <td width="75" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Description</span></td>
            <td width="50" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Answer</span></td>
        </tr><tr><td colspan="8" style="border:1px solid;vertical-align:middle;background-color:rgb(50,50,153);text-align:center;"><span style="font-size:8.3pt;color:rgb(255,255,255);">Part 1 - Base Functionality</span></td>
        </tr><tr><td width="25"> </td>
            <td width="75" style="border:1px solid;vertical-align:middle;"><span style="font-weight:normal;color:rgb(0,0,0);">Distributed Content Management</span></td>
            <td width="280" style="border:1px solid;vertical-align:middle;"><span style="color:rgb(0,0,0);">Distributed content management w/role basing (Including but not limited to sections of site, individual pages, navigation and special features)</span></td>
            <td width="25" style="border:1px solid;vertical-align:middle;"> </td>
            <td width="25" style="border:1px solid;vertical-align:middle;"> </td>
            <td width="25" style="border:1px solid;vertical-align:middle;"> </td>
            <td width="75" style="border:1px solid;vertical-align:middle;"> </td>
            <td width="50" style="border:1px solid;vertical-align:middle;"> </td>
        </tr><tr><td width="25" style="border:1px solid;"></td></tr></tbody></table></div>]]></description>
            <author>Thanaroj Taengkhem</author>
            <source>topazgroup</source>
            <pubDate>Mon, 17 Mar 2008 18:47:39 -0400</pubDate>
            <guid>http://topaz.net/6787/Specifications_Chart</guid>
        </item>
        <item>
            <title>The TopazPort Platform</title>
            <link>http://topaz.net/6458/The_TopazPort_Platform</link>
<description><![CDATA[<p>Through our experience building custom applications, we have become experts at building tools that people actually use. The TopazPort platform focuses on promoting distributed participation in online communities.</p>
<p>We are implementing our software through our Service One Click Clubs. However, this incredibly robust platform can be customized for any type of organization, as you can see through the implementation of http://goxcampus.com</p>]]></description>
            <author>Alberto Molina</author>
            <source>topazgroup</source>
            <pubDate>Mon, 18 Feb 2008 21:42:08 -0400</pubDate>
            <guid>http://topaz.net/6458/The_TopazPort_Platform</guid>
        </item>
        <item>
            <title>topazport feature requests</title>
            <link>http://topaz.net/6221/topazport_feature_requests</link>
            <description><![CDATA[<h2>Users and Groups</h2>
<ul><li>Add Photos to profiles - <a href="http://yalenet.org/clubleaders/group/203/Private_YaleNet_Council">yalenet council</a></li>
    <li>list users like ning or facebook - <a href="http://yalenet.org/clubleaders/group/203/Private_YaleNet_Council">yalenet council</a></li>
</ul>
<h2>Posts</h2>
<ul><li>add a comment / discussion capability to post pages - <a href="http://yalenet.org/clubleaders/group/203/Private_YaleNet_Council">yalenet council</a></li>
</ul>]]></description>
            <author>Alberto Molina</author>
            <source>topazgroup</source>
            <pubDate>Wed, 06 Feb 2008 16:11:35 -0400</pubDate>
            <guid>http://topaz.net/6221/topazport_feature_requests</guid>
        </item>
    </channel>
</rss>
