Security
Don’t rely on Obfuscation
16 August 2007 in Programming & Security
Managed code (such as .NET assemblies) is now common, and unlike native code it can easily be decompiled back into readable source. Most of the time that is not something you want happening to your code.
Obfuscation is a very common “solution” used by many projects. Although it does not stop your code from being decompiled, it makes the decompiled output much harder to understand. But, like other protection techniques, this method has its weaknesses.
I recently found this large post describing in detail why obfuscation shouldn’t be relied on to save an application from being reverse engineered. Although it uses C#/.NET to demonstrate, the same is reproducible with other managed code such as Java.
If you need to protect your code from being altered, I think the answer is the combination of a good obfuscator with signing the assembly with a strong name. Even if this method is not perfect, it can really be a big delay for someone attacking your application.
Webcast: Securing .NET code
10 August 2007 in Microsoft & Security
MSP Mark Rasmussen has made available a webcast about Securing .NET code.
How secure are your applications?
21 July 2007 in Programming & Security
Security is becoming increasingly important in software development. In the near future, employers will place great weight on in-depth knowledge of such matters.
We all know that NO application is bullet-proof. A single security hole can wreck an entire application, rendering the rest of its security useless.
Nevertheless, security can and should always be improved to the highest degree possible.
To build a fully secure application, every member of every object in it must be carefully analyzed to determine every conceivable way that member could be invoked.
I recently found that Microsoft offers a free tool to help you secure your applications against attacks. The application is called ‘Threat Analysis and Modeling’.
Currently at version 2.1.2, the application aims to simplify the process of identifying potential security holes in your applications before attackers do.
You can enter a pre-existing application’s design details into the tool to see what sort of security issues may have slipped into it, but the tool really shines when used in the design phase of new applications. In fact, the Threat Analysis and Modeling Tool is robust enough that you may consider using it as your primary design tool for all new applications.
For a jump start, you may wish to watch some of the many helpful tutorial videos available from the Application Threat Modeling web site. You may also wish to visit the threat modeling team’s blog to stay up to date on the latest info.
The application is a free download; you can get it here.
SQL Injection Scanners
22 May 2007 in Programming & Security
It is common knowledge that every programmer writes SQL queries every once in a while. But are they vulnerable to SQL injection?
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed as part of the query. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. The reliable fix is to keep user input out of the SQL text altogether by using parameterized queries.
The people at Security Hacks put together a list of the top 15 SQL injection scanners. Check this short list and start testing your applications (web or otherwise) for vulnerabilities. A clean scan is not proof of safety, though: scanners only find what they know how to probe, so review the queries themselves as well.