
Monday, December 30, 2013

Programming Security-Part 2 (CERT Secure Programming Practices)


Because some people like lists, here is a list of the top 10 recommended, language-neutral, secure coding practices (adapted from https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices).

1. Validate input. As mentioned in my first security blog post, validating input can eliminate the vast majority of software vulnerabilities. Any external data source you use, e.g. data pulled from databases, APIs, etc., may hand you malformed objects or "inappropriate" syntax designed to break your system.

2. Use compiler warnings. When using compiled code (as opposed to interpreted code like Python), set the compiler to its highest warning level and don't ignore the warnings it produces. By eliminating the warnings, you are ensuring, to the best of your ability, that security vulnerabilities don't exist in your code.

3. Design based on security policies. Develop your software architecture and build the code base around established security policies. For example, design your system as independent subsystems that communicate with each other, each running at a different privilege level, so the highest privilege isn't in use all the time. A cautionary example of the same principle is that Windows XP and older versions defaulted to giving each user administrator privileges, which made it easy for malware to execute.

4. KISS (Keep It Simple, Stupid). The more complex a design, the more likely errors and vulnerabilities will creep in. If your programming language supports subroutines, subprocesses, modules, etc., use them to break the program into smaller parts; it is easier to troubleshoot and debug these smaller sections than to work with a monolithic program.

5. Deny by default. When setting permissions, assume access is denied until proven otherwise, and explicitly identify the conditions under which access is permitted.

6. Use the concept of least privilege. Much like #5 above, every process should run with the minimum privileges required to complete its job. If a process must have a higher level of access, that access should be dropped as soon as possible. This removes many of the avenues an attacker can use for privilege escalation.

7. Sanitize data transfers. When passing data to other subsystems, such as databases, other programs, command shells, etc., sanitize the data first. Unused functionality within these other systems can be attacked through a number of vectors. Sanitizing your data removes some of these vectors, because your program knows the context of the data transfer; the called system knows nothing about it and will accept whatever it is given.

8. Practice defense in depth. Use multiple defensive measures so that an attack has to circumvent a variety of countermeasures in order to succeed. For example, use a sandbox environment (like a virtual machine) when testing unknown code to minimize the risk of damaging your system.

9. Make use of quality assurance testing. Good QA can identify and remove vulnerabilities. When possible, have someone else look at your code; the programmer may become so used to looking at it that he or she misses something obvious. Automated tools can quickly find common errors, while audits can track recurring problems and provide better education.

10. Create a secure coding standard. Develop and implement a secure coding standard for programmers, taking into consideration the programming language(s) used and the target platforms.

11. Define security requirements. Identify security requirements early in the development cycle and, whenever changes are made to the development plan, ensure the changes are vetted against the requirements.

12. Use threat modeling. Anticipate possible threats to the software and develop mitigation strategies to address these threats. Identify key assets of the software and system, decompose the application, categorize threats, and then rate the threats.
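Since this blog is about Python, here is what #5, #6 and #7 look like in Python code. This is an added example written for this post, not code from CERT; the role table, the Session class and the tool names are all made up for the demonstration.

```python
"""Deny by default, least privilege and sanitized data transfers in Python.
Added example; PERMISSIONS, Session and the tool names are invented."""
import shlex
import subprocess
from contextlib import contextmanager

# Constructed permission table (an allowlist). Any role/action pair not
# listed here is denied: there is no "else: allow" anywhere in the code.
PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}


def is_allowed(role, action):
    """Deny by default (#5): unknown roles and unlisted actions return False."""
    return action in PERMISSIONS.get(role, set())


class Session:
    """A hypothetical user session whose normal role is as low as possible."""

    def __init__(self, role):
        self.role = role
        self._elevated = None

    @property
    def effective_role(self):
        return self._elevated or self.role

    @contextmanager
    def elevated(self, role):
        """Least privilege (#6): hold a higher role only for the duration of the
        with-block, and drop it again even if the block raises an exception."""
        previous = self._elevated
        self._elevated = role
        try:
            yield self
        finally:
            self._elevated = previous


def build_argv(tool, user_supplied):
    """Sanitized transfer (#7): hand the value to another program as exactly
    one argv element. The leading "--" keeps a value that starts with "-"
    from being read as an option by the tool."""
    return [tool, "--", user_supplied]


def shell_would_see(tool, user_supplied):
    """For contrast: if the same value were pasted into a command string for a
    shell, the shell would word-split it. shlex.split shows the tokens it
    would produce; nothing is executed here."""
    return shlex.split(f"{tool} -- {user_supplied}")


def run_tool(tool, user_supplied):
    """Run the tool with shell=False so no shell ever parses the value."""
    result = subprocess.run(build_argv(tool, user_supplied),
                            capture_output=True, text=True, check=False)
    return result.stdout
```

The point of `build_argv` versus `shell_would_see` is the one made in #7: a filename like `my report.txt` stays one argument when passed as a list, but a shell handed the same text as a string turns it into two words, because the shell has no idea where your data begins and ends.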

Saturday, December 28, 2013

Programming Security-Part 1 (General Thoughts)

As part of thinking about updates to my book, if I ever get around to making another revision, I've thought that a chapter on programming security would be good. It is also helpful that part of the requirements to maintain my Security+ certification can be met by writing security-oriented blog posts. Thus, I will start writing a number of posts about programming security in general and how Python deals with some of these issues, if it does. If I ever make a new version of my book, I will include these posts into a new chapter. Hopefully this information will be useful.

The big thing to remember about programming security is that it takes just one mistake to create a security vulnerability. While Python alleviates a lot of the problems other languages have, e.g. memory allocation, that doesn't mean Python is invulnerable. In fact, one of the points against Python is that it isn't compiled; because Python programs are frequently distributed as their raw .py source files, anyone can open them and view or modify them. Thus, if a person looks at the file for nefarious purposes, it's very easy for him or her to identify vulnerabilities the programmer left in the code.

Another problem with Python is the incompatibility between Python 2.x and Python 3.x. If a programmer is converting a file from 2.x to 3.x without using the 2to3 converter (or doesn't review the resulting code), there is a chance that a vulnerability snuck through.

Secure programming, regardless of the language, comes down to the assumptions the programmer is willing to make. Essentially, the programmer never assumes the system is in a particular state or that functions, methods, libraries, etc. will work as advertised, and attempts to handle all possible errors and conditions within the code.

For example, buffer overflows occur when too much data is put into a buffer (a portion of memory). If the buffer fills up, the additional data spills over into adjacent memory areas, potentially causing system malfunctions or memory corruption, or giving an attacker a way to exploit the system. C and C++ are famous for buffer overflows, as they have no inherent protection against accessing or overwriting data at any memory location and do not automatically check input data against the boundaries of a buffer.

As a programmer, you should develop the habit of validating all input data: checking its type (character strings vs. numbers), its length (ensuring too much data isn't put into a buffer), the characters it may contain, etc. Many SQL injection attacks succeed because of poor or non-existent data checking.
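To make the last three paragraphs concrete, here is an added example (written for this post, not taken from the book) that checks type, length and allowed characters before a value reaches a database, and then passes it to SQLite as a query parameter instead of pasting it into the SQL text. The table, the rows and the username rules are constructed for the demonstration.

```python
"""Input validation plus a parameterized query, side by side with the
string-formatted form it replaces. Added example; all data is constructed."""
import re
import sqlite3

MAX_USERNAME_LEN = 32                        # the most we are willing to accept
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")   # the only characters we allow


def validate_username(value):
    """Check type, length and character set, in that order; reject anything else."""
    if not isinstance(value, str):
        raise TypeError("username must be a string")
    if not 1 <= len(value) <= MAX_USERNAME_LEN:
        raise ValueError("username length out of range")
    if not USERNAME_RE.fullmatch(value):     # fullmatch: no trailing-newline loophole
        raise ValueError("username contains disallowed characters")
    return value


def is_valid_username(value):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_username(value)
        return True
    except (TypeError, ValueError):
        return False


def make_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_unsafe(conn, name):
    """The 'before' form: the value is pasted into the SQL text, so the
    database parses it as part of the query rather than as a value."""
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """The 'after' form: a parameterized query. The driver sends the value
    separately from the SQL, so it can only ever be compared as data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True when the unsafe form cannot even parse the query for this value:
    evidence that the input was being read as SQL, not as data."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup(conn, name):
    """Validate first, then query safely: two independent layers."""
    return lookup_safe(conn, validate_username(name))
```

A perfectly ordinary name like `o'brien` is enough to show the difference: the string-formatted query fails to parse because the apostrophe is read as SQL, while the parameterized query simply finds no such user. The validation layer on top rejects the value before it ever gets that far, which is the "defense in depth" idea from the CERT list applied to one function.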

One of the reasons there are so many languages available for programming nowadays is because of the inherent lack of security in C and C++. For decades, those languages dominated programming; they are still the go-to choice for many programmers, especially for low-level work on hardware devices, such as video cards. Newer languages, like Java, Python, Ruby, or the various .NET flavors have some safety features built-in.


One example is garbage collection. Traditional C/C++ programmers have to manage memory allocation themselves and ensure that, once a data object is no longer in use, its memory is released. If it isn't, the memory remains allocated to an object that is no longer needed and can't be used for another purpose (a memory leak). If this happens too often, eventually there will be no memory available for legitimate data objects and the program fails, the system crashes, or other problems arise. If a malware writer wanted to create a denial of service, simply providing a program that eats up memory will do it; once the system or program crashes, no one can use it until it is reset.
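Here is an added example (not from the book) of how CPython actually deals with the memory problem described above, and of the one case its reference counting can't handle on its own. The `Node` class and the bounded history are made up for the demonstration; the behaviour shown is CPython's.

```python
"""How CPython reclaims memory: reference counting for the common case, the
cyclic garbage collector for reference cycles, and a bounded container as a
guard against unbounded growth. Added example; Node is a constructed class."""
import gc
import weakref
from collections import deque


class Node:
    def __init__(self, name):
        self.name = name
        self.partner = None


def freed_when_unreferenced():
    """Reference counting: once the last strong reference goes away, the object
    is freed immediately, with no explicit free() as in C. Returns
    (alive before the del, freed after the del)."""
    node = Node("solo")
    probe = weakref.ref(node)        # a weak reference does not keep it alive
    alive_before = probe() is not None
    del node                         # drop the last strong reference
    return alive_before, probe() is None


def cycle_needs_collector():
    """Two objects that reference each other keep each other's count above
    zero, so reference counting alone would leak them. The cyclic collector
    (gc.collect) finds and frees them. Returns (leaked, reclaimed)."""
    a, b = Node("a"), Node("b")
    a.partner, b.partner = b, a      # the cycle
    probe = weakref.ref(a)
    gc.disable()                     # keep the demonstration deterministic
    try:
        del a, b
        leaked = probe() is not None  # still alive: the cycle holds it
        gc.collect()
        reclaimed = probe() is None
    finally:
        gc.enable()
    return leaked, reclaimed


def bounded_history(limit, items):
    """Garbage collection only frees what nothing refers to. A structure that
    grows without limit (a log, a cache) still eats memory; giving it a fixed
    maximum size is one simple guard. Oldest entries are dropped first."""
    history = deque(maxlen=limit)
    for item in items:
        history.append(item)
    return list(history)


if __name__ == "__main__":
    print("refcount:", freed_when_unreferenced())
    print("cycle:   ", cycle_needs_collector())
    print("bounded: ", bounded_history(3, range(10)))
```

The third function is the defensive half of the paragraph: garbage collection does not protect you from a program that keeps a reference to everything it has ever seen, so structures that accept outside input should have a ceiling.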

Saturday, September 14, 2013

Esperanto edition?

I'm learning Esperanto and I'm considering writing an Esperanto version of my book. Is anyone interested?

It would help me learn the Esperanto language but I'm also working on my new novel. Thus, if there isn't any interest, I'll continue with the normal language lessons and not worry about translating it.

Let me know what you think.

Sunday, June 16, 2013

Pricing

Just a quick note to talk about pricing. The original, 1st Edition price has been dropped to $0.99 for the Kindle edition (Smashwords only has the latest edition). The hardcopy book's price hasn't changed.

The new, 2nd Edition book is $3.99 on Amazon but on Smashwords I have made a "set your own price". Yes, that means you can download it for free, just like the old version. However, I would hope that, if you find the book useful, you'll throw a few bucks my way. :) It's always nice to be able to buy my wife something without her knowing about it.

Also, I've said this before but I'll reiterate for clarification: I do not mind if you give copies away, set up a torrent file, make a download "vault", etc. Obviously, I would like you to link to my blog, but I'm not naive enough to think someone won't come up with a better way of sharing knowledge.

Let me know if you found my book helpful.

Saturday, June 8, 2013

Now available on Amazon

Amazon finally posted my new edition to their web site. The funny thing is that I got an email from Amazon today asking me to confirm my book.

Basically, someone at Amazon apparently searches the Internet for previously published material that is incorporated into a book. Since this is a revised edition, and Python programming material is available on the 'net, my book naturally got flagged as a potential copyright violation.

Fortunately, I was able to explain the situation and Amazon relented and published it. So now everyone can get a copy of it from Amazon. I'm only posting the US link, as I figure other countries can figure out how to find it from there. Not to sound lazy, but with the number of countries Amazon is adding to their digital store, it's becoming difficult to track them all and ensure the store links are up to date.

Friday, June 7, 2013

Revised Edition is now available!

I have uploaded my ebook to SmashWords and you can get a free copy of the PDF through the link at left. I won't be uploading free copies of the various formats because, frankly, it is a pain in the butt converting them all and making sure they all work. Many of the poor reviews I've received with the first edition are due to formatting problems between the various versions and I don't want to deal with that again.

As soon as the revised edition is approved by Amazon, I will post a link to it as well, though I suspect most people find it directly through Amazon. I am going to reduce the price of the first edition; I'm curious to see how much the price affects sales, if any.

However, I'm still offering the book to the world at large for free, so don't feel guilty that you're "pirating" it by uploading your copy to the Internet or making a torrent file. Naturally, I would prefer that you make a donation or purchase a copy if you find the book useful, but it's more important to me that people find the book helpful. That means they need to be able to find it by any means possible.

So, share and enjoy!

Thursday, June 6, 2013

Newest version coming soon

I have finished making the changes to the newest version of my book and am working on converting it to various electronic formats. As mentioned before, I will not be posting all the different file formats on this blog; it's difficult to ensure I have all the latest versions updated whenever I make changes. I will only post the PDF version and provide a link to SmashWords if you want to download the book in a format of your choice, e.g. Nook.

I will upload a .mobi version to the Amazon site as well. I will keep the original version on there but I plan on dropping the price of it. However, I will not be making a new print version of the latest edition; there simply aren't enough sales of the physical book to make it worthwhile to deal with the process.

I plan on posting the links to the latest version this weekend, if all goes well.

Thursday, April 4, 2013

Formats for new revision

I'm planning a change in the formats that will be available from this blog when the new edition comes out. While my books will be available free of charge, I'm not going to maintain all electronic formats.

It is a pain in the butt to ensure all versions are corrected and up-to-date when changes are made, since I have to handle the conversion process myself, especially because the conversion can cause problems. An example of this was converting from PDF to HTML and ebook formats; while the PDF was correct, the other books were truncated after chapter six.

In light of this, I will only directly host the PDF version myself, since I can do a direct export from LyX to those formats. I will use the SmashWords conversion system to make the conversion to other formats; the print version will also be available as well.

What this means is that you won't be able to download a free copy directly from my blog, unless you want PDF. However, I have no problem with someone buying a copy in whatever format they want and uploading it to a file locker, making a torrent file, or sharing it some other way.

I'm not trying to do this to make money (though that never hurts) but because I don't want to worry about maintaining multiple copies myself. On the other hand, if you find something that needs fixing, please let me know and I will make a new version available.

Friday, March 22, 2013

Sample new chapters

Update: I have created the new PyGame chapter. The draft copy is available at this link. I will leave these sample chapters online for a few more weeks to see if there are any comments. After that, I will finalize the revisions and publish my new edition.

I'm working on the revisions for the new edition. So far, I have added an additional section in GUI programming, giving a brief overview of the wxGlade/wxPython interface and some of its capabilities.

I've also added a new chapter for web application development using Karrigell. It's not extensive, as I'm simply trying to introduce the idea and show what is possible; I'm not intending for my book to be a tutorial on web development or the Karrigell framework.

On that note, if you are interested in seeing what I have written so far, feel free to take a look at the new material at my Google Drive link. Look it over and let me know what changes, additions, etc. should be made to it.

The only other thing I am planning on adding to the new revision is a chapter about game development using PyGame. Since everyone seems to want to become a game developer, I thought a brief introduction to it might be helpful. There are some good, free books at the PyGame website so I'm planning on pulling some of the essential material from them and providing a summarized version of game development. Again, I'm not planning on making my book a bona-fide tutorial but simply an introduction to whet the reader's appetite.

If there's anything else you would like to see in the new revision, or any changes you think should be made, please post a comment.

Thanks.

Monday, March 18, 2013

A $99+ value for only $4

I found this today, a site that "certifies" you in Python programming for only $99. More expensive, but more in-depth, is the variety of courses offered by O'Reilly.

As I was looking through the syllabus for the first site's course, I laughed because it is almost identical to what I put in my book. I'm not saying they copied my book (I don't know how long they've been around), but it is funny that I offer 95% of what they cover in my $4 ebook. Granted, I don't offer "certification", but since it isn't offered by the Python organization, I wouldn't consider it a "real" certification of knowledge; more like a certification of attendance.

Now, the O'Reilly material sounds to be a much better deal, relatively speaking. The problem is, you can learn much of the material yourself for free via websites or cheaply with books. But that's only if you want the same amount of knowledge they provide. If you just want to program, you don't need to spend $400.

So, if you want to justify your purchase of my book, just think of it like you're getting a 96% discount. And the material is copyright-free and DRM-free. What a deal! :)

Friday, March 15, 2013

Working on new edition

I've finished my initial draft for my novel and will be working on a new edition of my programming book while I wait for editing.

(If you're interested in being a "beta" reviewer of my novel, I would appreciate it. You can find the original version at https://www.createspace.com/Preview/1120513 and a revised version at https://www.createspace.com/Preview/1121064. If you read them, please let me know what you think; I've had over 50 people download a copy but only one has given me any feedback. Thanks.)

Anyways, about the new edition. I haven't heard from anyone about what they would like to see, so I'm planning on adding some screenshots of GUI development, maybe elaborating a bit more on how to do it, and adding a section about web development, since that is a big deal nowadays.

If anyone has anything they want included, or other changes to be made, please let me know.

Saturday, February 2, 2013

Amazon reviews

I just wanted to say a quick "Thank you" to everyone that has submitted an Amazon review. While good reviews are always desired, the negative reviews are also welcome. You can't fix something if you don't know it's broken.

I will take the criticism to heart and work to address my book's current shortcomings in future editions. If you have specific issues, please be sure to post them on Amazon or on this blog so that I will be aware of them. I will address them when time permits.

Saturday, January 12, 2013

Corrections and notices

As you can see below, I have posted a new listing of errata for my book. If you find any minor corrections that need to be noted, please let me know and I will add them to the list. I will also ensure they are made to the TeX files for the next edition.

I've also made a permalink to the Errata on the navbar to ensure it is always accessible.

Errata

The following is a list of corrections to the current edition:


  • Page 161 (List methods): list.sort() is a separate method and is not part of list.count()
  • Several of the comparative programs in Chapter 3 have spacing errors due to the ebook conversion process, e.g. "p a s s it around" instead of "pass it around".