A.17 Chapter 16: Secure Programming Techniques

  • Convey to your vendors your concerns about software quality in their products.

  • Observe the rules presented in the chapter when designing or coding any software, and especially when writing software that needs extra privileges or trust, runs SUID or SGID, or provides a network service.

  • Don't write your own versions of library functions.

  • Don't create new network protocols when tested protocols are available.

  • Don't invent your own encryption algorithms or protocols.

  • Check all arguments to library or system calls. Check return values from every call.

  • Think about using chroot for privileged programs.

  • Avoid storing or transmitting passwords in cleartext in any application.

  • Be very cautious about generating and using "random" numbers.

  • Include logging facilities in your programs.

  • Test your programs with random and deliberately malicious input.

  • Read Chen, Wagner, and Dean's paper on setuid before writing a SUID program.
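
The chroot and return-value items above, combined in one routine. This is an added example, not code from the book; the function name `enter_jail`, the default directory `/var/empty` and the uid/gid 65534 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to `dir`, then permanently drop to uid/gid.
 * Returns 0 on success, -1 at the first failing step (errno is kept).
 * A caller that gets -1 must exit rather than continue with privileges. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* Check arguments before handing them to any system call. */
    if (dir == NULL || dir[0] != '/' || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Enter the directory first so no handle outside the jail is the cwd. */
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;      /* needs root; EPERM otherwise */
    if (chdir("/") != 0) return -1;
    /* Order matters: groups and gid go while we are still root. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: an empty, root-owned directory and the "nobody" ids. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    if (enter_jail(dir, 65534, 65534) != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", dir, strerror(errno));
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```

Run as an ordinary user, the program stops at `chroot()` with "Operation not permitted", which is the checked failure path doing its job.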
