46
votes
How to protect software from being deleted by antivirus?
By running that same anti-virus software in your testing environment. Make it part of your test procedure: "Software not deleted by antivirus."
(In my experience: some packers, which compress your ...
30
votes
How to protect software from being deleted by antivirus?
There's no magic cure unfortunately. False positives by anti-virus software have been a problem for commercial publishers for a long time. It is very common, especially for smaller publishers.
The ...
21
votes
How can we avoid showing the literal path in the exception's stack trace?
Couple of pointers.
You should never expose stacktrace to users. That's a security risk. You should also never expose exception messages to users, only for custom exceptions that you know can not ...
15
votes
Accepted
Keeping secrets out of source control - are we just moving the problem?
You could say you are just moving the problem. Ultimately, there will have to be a secret stored somewhere that your app has access to in order to have passwords, ssh keys, whatever.
But, if done ...
10
votes
How can we avoid showing the literal path in the exception's stack trace?
From this blog:
<PropertyGroup>
<PathMap>$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)'))=./</PathMap>
</PropertyGroup>
So instead of this:
Unhandled ...
10
votes
Is it possible to prevent tech scammers from editing bank webpages?
There are some golden rules in Information Security that say that:
If an attacker has physical access to your device, it's no longer your device.
If an attacker has administrative access to your ...
7
votes
How can Data security be ensured in an open source software?
There is the possibility for anyone to tamper with the source code of Linux and to release a clone of, say, Debian, but filled with keyloggers and other spyware. Once such a tampered version is released,...
6
votes
Accepted
Locking access to a Class Library (C#)
As a solution you can add code in your class initialization routine that basically would check for certain conditions and would fail if the conditions are not met. For example, check if a certain ...
6
votes
Accepted
How do you ensure external dependencies aren't a security risk?
Both frameworks and libraries you use have vulnerabilities. Some of those vulnerabilities can be exploited to gain unauthorized access to your application/server/resources.
This fact, however, doesn'...
6
votes
How can we avoid showing the literal path in the exception's stack trace?
The build property or rather msbuild parameter is /pathmap or <PathMap>.
It will rewrite all traces to your source locations.
Unfortunately I wasn't able to find the perfect documentation for ...
5
votes
Since `strcpy`, `strcat`, and `sprintf` are dangerous, what shall we use instead of them?
The strncpy(), strncat(), and snprintf() functions include the output buffer length as a parameter in order to prevent overflow. They still have a problem with the terminal null that can be resolved by ...
5
votes
Is it possible to prevent tech scammers from editing bank webpages?
The only way you could detect the DOM change is client side. Since it’s client side, attackers could simply delete that check.
So yes, it could add a tiny hurdle to the least capable of attackers; ...
5
votes
Keeping secrets out of source control - are we just moving the problem?
Secrets like encryption keys and credentials should not be checked into source control for a few reasons. The first is obviously that encryption keys and credentials should always be on a need to ...
5
votes
Locking access to a Class Library (C#)
IMHO you are approaching this from the very wrong side.
The idea was that it would only be accessible from one terminal on a closed system
Then make sure all software installed on that system can ...
5
votes
Restricting access to sensitive data in monorepo
Ewan's answer is a good start, but I'd like to elaborate on it far more than a comment would allow.
First, developing and testing an application shouldn't require access to this sensitive data in a ...
4
votes
securing database username and password in a web framework
Get the database to interface directly with the server's auth system, i.e. MSSQL can use the Windows user the process runs as as the db access user.
Put the production db settings in the deployment system....
4
votes
Restricting access to sensitive data in monorepo
It's standard practice NOT to allow developers access to live data of any kind.
I mean I'm not saying it's usually strictly enforced, but it's the "best practice" guideline in many ...
3
votes
Since `strcpy`, `strcat`, and `sprintf` are dangerous, what shall we use instead of them?
Part of my answer was mentioned in the already given answers, but I am trying to give a more complete picture, so please excuse the repetitions.
The problem with those functions is that, in case one ...
3
votes
Accepted
How can Data security be ensured in an open source software?
I think verifying the integrity of the content shouldn't be tied to the program it was made with, but to the person who made it instead. The standard way to verify this is via cryptographic signatures,...
3
votes
How can Data security be ensured in an open source software?
There are several distinct ways in which this issue is handled now:
• Many source-code packages are hosted at version-control repositories such as GitHub, which is thought to be a trustworthy place to ...
3
votes
What security practices do I employ when building a library that requires low level root access to certain devices and files?
The first thing you'll have to understand about the risks introduced by this design is what root can do that normal users can't.
A user in the root group can do a great number of ...
3
votes
Is it safe to only use intval to sanitize user input for a database select?
Is it safe to only use intval to sanitize the user input for a database select, as in the following example?
Short answer: No.
OK, intval() will always deliver you an integer value which will not ...
3
votes
Protect Part of the Code
You need some mechanism that prevents developers from changing parts of the code they shouldn't be changing, at least not without review. This means that you will have to integrate your version ...
2
votes
Protect Part of the Code
I just want to suggest a simple solution for specific case.
Always sharing the code with everyone aboard means, to me, that you are using source control like TFS. If it is correct, I can suggest an easy ...
2
votes
Locking access to a Class Library (C#)
It sounds like you are attempting "security through obscurity". You are right to be highly skeptical of this idea, because it doesn't work. Instead you should be thinking about authentication and ...
2
votes
How can we avoid showing the literal path in the exception's stack trace?
One simple solution is to clone (check out) the project to a folder outside of C:\users, provided the developers have access to such folders. For example, instead of:
C:\users\DEVELOPER_FULL_NAME\...
2
votes
Since `strcpy`, `strcat`, and `sprintf` are dangerous, what shall we use instead of them?
Back in the day when I used C a lot, I wrote a function malloc_printf which created a block of the right size and wrote into that, returning the block to the caller to free it. strcat and strcpy are ...
2
votes
PHP secure storage for sensitive document uploads
Secure against what?
If you're afraid someone is going to pull the HD and take it home then full disk encryption works (so long as you didn't leave the key lying around).
If you're afraid someone is ...
1
vote
If a code inspection tool finds a "heap inspection" vulnerability, is that relevant if the code is for a web app running on a private server?
In C# and Java, String objects are immutable, so they remain in memory until the GC decides to reuse that memory. A character array is mutable, so it can be overwritten with other (e.g. random or zero)...
1
vote
Since `strcpy`, `strcat`, and `sprintf` are dangerous, what shall we use instead of them?
Since strcpy, strcat, and sprintf are dangerous, ...
strcpy, strcat, and perhaps sprintf are better used as building blocks for safer functions than used as safe functions unto themselves.
If due to ...