Today, I’m doing a talk at DrupalCon Portland 2013 on Static analysis and code metrics. Here are the slides for that talk. When the videos are posted, I’ll make a follow-up post that links to them. Click through for the slides!
Today’s post is in response to an article that I read yesterday entitled They Write The Right Stuff. It’s a very interesting and insightful look into one of the most complex and critical pieces of software ever produced (also one of the most expensive). I think we can learn a lot from what they are doing, but I also think we should avoid copying what they are doing. The point that’s missed is practicality.
The other day, an article popped up in my feed reader that had a very interesting title (to me at least), Simple and Secure Login Script. As usual, I decided to click the link and give the article a read. Not overly shocking was the fact that I didn’t find the content of the article to be, how shall I say this…, overly factual. It’s not really a “tutorial”, but more of a “here’s some code that’s secure”. A quick review of the code found more than one vulnerability, and some significant things that I would change about it (as well as a few “really bad practices”).
So, rather than write a “rant post” about the code, I’ve decided to take another tack. In this article, I’m going to walk you through my process for performing a security code review. In line with the review, we’ll take note of any issues that we do find, and number them. Then at the end of the review, we’ll go over each one and look at potential remediation that we can apply and how to fix the issues.