When writing code do you consciously program defensively to ensure high program quality and to avoid the possibility of your code being exploited maliciously, e.g. through buffer overflow exploits or code injection ? What's the "minimum" level of quality you'll always apply to your code ?...
In my most C++ project I heavily used ASSERTION statement as following: int doWonderfulThings(const int* fantasticData) { ASSERT(fantasticData); if(!fantasticData) return -1; // ,,, return WOW_VALUE; } But TDD community seems like to enjoy doing something like this: int doMoreWonderfulThings(const int* fantast...
Watching SO come online has been quite an education for me. I'd like to make a checklist of various vunerabilities and exploits used against web sites, and what programming techniques can be used to defend against them. What categories of vunerabilities? crashing site breaking into server breaking into other people's logins spam soc...
Here's a perfect example of the problem: Classifier gem breaks Rails. ** Original question: ** One thing that concerns me as a security professional is that Ruby doesn't have a parallel of Java's package-privacy. That is, this isn't valid Ruby: public module Foo public module Bar # factory method for new Bar implementations ...
The code in this question made me think assert(value>0); //Precondition if (value>0) { //Doit } I never write the if-statement. Asserting is enough/all you can do. "Crash early, crash often" CodeComplete states: The assert-statement makes the application Correct The if-test makes the application Robust I don't think you've mad...
I've been a professional software engineer for about a year now, having graduated with a CS degree. I've known about assertions for a while in C++ and C, but had no idea they existed in C# and .NET at all until recently. Our production code contains no asserts whatsoever and my question is this... Should I begin using Asserts in our pr...
Such as deleting the output file during run, directing two instances of the sw to the same IO etc ? ...
Hi, I have been programming for last 3 years. When I program, I used to handle all known exceptions and alert the user gracefully. I have seen some code recently which has almost all methods wrapped inside try/catch blocks. The author says it is part of defensive programming. I wonder is this really the defensive programming? Do you rec...
There are many types of external dependencies. Interfacing with external applications, components or services (e.g. Outlook to send emails, TWAIN or WIA for scanning, ActiveX objects and Web services for various purposes, and so on). What is your strategy for making sure that your application is robust, and can run even when such extern...
Recently I worked on FindBugs warnings about exposing internal state, i.e. when a reference to an array was returned instead of returning a copy of the array. I created some templates to make converting that code easier. Which one did you create to support defensive programming and want to share with the SO crowd? Templates I've create...
What is your must have defence methods to common web attacks like XSS, Sql Injection, Denial of Service, etc. ? Edit : I collected your responses under descriptions from Wikipedia. And I add some extra questions to have a complete reference. Sql Injection SQL injection is a code injection technique that exploits a security ...
I have a MS SQL DB contains set of tables each table represents a collection of variables calculated based on our formulas. All the variables are numeric with predefined percision (we are using numeric data type with n.m as n number of digits for integral part and m number of digits for fractional part). My question is how to prevent ou...
Duplicate of this. In C++ you sometimes have to implement the copy constructor yourself (when you have pointer as a member usually). Over compiler generated copy constructor this has the disadvantage that when you add a member field and forget to add the copying line in the copy constructor, you have a problem, which is often hard to tr...
I wanna allow users to embed videos freely in the application in developing, but do not want to expose then and the application to malicious uses. With that in mind, what are the main security concerns (XSS, etc) in allowing users to embed videos from external sources, like YouTube, Vimeo, etc. In which way this exploits could be used? ...
Explicitly checking/handling that you don't hit the 2^31 - 1 (?) maximum number of entries when adding to a C# List is crazyness, true of false? (Assuming this is an app where the average List size is less than a 100.) ...
I was having a discussion with one of my colleagues about how defensive your code should be. I am all pro defensive programming but you have to know where to stop. We are working on a project that will be maintained by others, but this doesn't mean we have to check for ALL the crazy things a developer could do. Of course, you could do th...
I discovered that it is possible to extract the hard-coded strings from a binary. For example the properties view of Process Explorer displays all the string with more than 3 characters. Here is the code of a simple executable that I wrote to simply test it: #ifndef _WIN32_WINNT #define _WIN32_WINNT 0x0501 #endif #include <stdio.h> #in...
Do people practically ever use defensive getters/setters? To me, 99% of the time you intend for the object you set in another object to be a copy of the same object reference, and you intend for changes you make to it to also be made in the object it was set in. If you setDate(Date dt) and modify dt later, who cares? Unless I want some b...
Disclaimer: I am a layperson currently learning to program. Never been part of a project, nor written anything longer than ~500 lines. My question is: does defensive programming violate the Don't Repeat Yourself principle? Assuming my definition of defensive programming is correct (having the calling function validate input instead of t...
i was working with a small routine that is used to create a database connection: Before public DbConnection GetConnection(String connectionName) { ConnectionStringSettings cs= ConfigurationManager.ConnectionStrings[connectionName]; DbProviderFactory factory = DbProviderFactories.GetFactory(cs.ProviderName); DbConnection conn =...