[5015] in WWW Security List Archive

Re: Security issues in Apache?

daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu Apr 10 12:07:34 1997

From: Adam Shostack <adam@homeport.org>
In-Reply-To: <334A53D3.5A04@nationwide.com> from Steve Neruda at "Apr 8, 97 10:18:59 am"
To: nerudas@nationwide.com (Steve Neruda)
Date: Wed, 9 Apr 1997 07:31:15 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Steve Neruda wrote:

| Even though you can't prove the security of a system it is important to
| use good programming practices and have a security architecture in
| mind.  My guess is that 80%+ of the rash of security problems we see
| right now could be eliminated by removing scanf() and printf() and any
| other nonbounds checking calls from the C programming language.

gets, strcat, strcpy, system and popen should also be eliminated.
execv*pe should be marked as dangerous, along with getenv and
gethostbyname/gethostbyaddr.

I have a document on writing and reviewing secure code at
www.homeport.org/~adam/review.html that people might find useful.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
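
Added example, not part of the original message or of the review document it mentions: a small C scanner that counts call sites of the functions named in this thread, skipping comments and string/character literals so that names inside them are not reported. The level numbering, the reading of "execv*pe" as any name starting with "execv", and the sample input are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names from the thread: 1 = "eliminate", 2 = "mark as dangerous".
 * Assumption: "execv*pe" is read as any name starting with "execv". */
static const struct { const char *name; int level; } RULES[] = {
    {"scanf", 1}, {"printf", 1}, {"gets", 1}, {"strcat", 1}, {"strcpy", 1},
    {"system", 1}, {"popen", 1}, {"getenv", 2}, {"gethostbyname", 2},
    {"gethostbyaddr", 2} };

static int classify(const char *id, size_t n)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (strlen(RULES[i].name) == n && !strncmp(id, RULES[i].name, n))
            return RULES[i].level;
    return (n >= 5 && !strncmp(id, "execv", 5)) ? 2 : 0;
}

/* Count calls at `level`, skipping comments and string/char literals. */
static int audit(const char *s, int level)
{
    int hits = 0;
    while (*s) {
        if (s[0] == '/' && s[1] == '*') {              /* block comment */
            const char *e = strstr(s + 2, "*/");
            s = e ? e + 2 : s + strlen(s);
        } else if (s[0] == '/' && s[1] == '/') {       /* line comment */
            while (*s && *s != '\n') s++;
        } else if (*s == '"' || *s == '\'') {          /* literal */
            char q = *s++;
            while (*s && *s != q) s += (*s == '\\' && s[1]) ? 2 : 1;
            if (*s) s++;
        } else if (isalpha((unsigned char)*s) || *s == '_') {
            const char *id = s, *p;
            while (isalnum((unsigned char)*s) || *s == '_') s++;
            for (p = s; isspace((unsigned char)*p); p++) {}
            if (*p == '(' && classify(id, (size_t)(s - id)) == level) hits++;
        } else s++;
    }
    return hits;
}
/* Constructed sample input, not code from the thread. */
static const char SAMPLE[] = "/* strcpy(a, b) in a comment */\n"
    "char *h = getenv(\"HOME\"); strcpy(buf, h); puts(\"system(x)\");\n"
    "execvp(argv[1], argv + 1); my_gets(buf); // gets(buf)\n";
int main(void)
{
    return printf("eliminate=%d dangerous=%d\n", audit(SAMPLE, 1), audit(SAMPLE, 2)) < 0;
}
```

The scanner matches whole identifiers followed by an opening parenthesis, so a wrapper such as my_gets() or a variable named gets is not counted.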


