Introduction
This is the first entry in a new set of summations. Previously we looked at “Secure Coding in C and C++”; this set of summations will go over “Code Complete 2” by Steve McConnell, with a focus on security.
“Code Complete” uses a set of “metaphors” for describing software development styles. We will look at Penmanship, Farming, and Oyster Farming, and how each could affect the security of the final product.
Introduction
Continuing to summarize the themes in “Secure Coding in C and C++” by Robert C. Seacord, we will discuss file I/O and how to prevent unauthorized access. File I/O is especially dangerous when a program is running under a privileged context and accesses files that unprivileged users can access. This can allow an attacker to read or even overwrite privileged files.
The tl;dr here is: use proper file permissions, verify file paths, and use the principle of least privilege.
Introduction
Currently one of my projects uses “pinned” certs to securely communicate back to a REST service. These are pinned to allow for truly secure authentication of the server, eliminating the ability of a rogue certificate authority (CA) to issue a fake cert and allow for man-in-the-middle (MITM) attacks. This is a huge hassle as the server and client need to stay in sync. This involves cutting a new release just to update certs and trying to get them deployed in the expiration/reissue window.
Introduction
Continuing to summarize the themes in “Secure Coding in C and C++” by Robert C. Seacord, we will discuss concurrency. When code runs at the same time and needs access to the same resources, lots of issues can occur. These range from the annoyance of getting incorrect data, to deadlocks that halt the program, to vulnerabilities.
The tl;dr: use mutexes. There are a lot of methods for controlling concurrency, but many use mutexes in the background anyway.
INTRODUCTION
RSA is a public key cryptosystem, which was named after the creators of the algorithm: Rivest, Shamir, and Adleman [@STALLINGS]. It is widely used for both confidentiality and authentication. The main advantage of using RSA is that the keys are created in such a way that the public key is published and can be used to encrypt all messages to the owner of the public key. Unlike symmetric key schemes, RSA does not require sender and receiver to agree on a common key to encrypt and decrypt messages.