Code Lockdown


Locking down your code needs to be a mentality.
In other words, it needs to be like martial arts: second nature, a coding ninja, so to speak.
In this forum, I will cover some of the considerations, the things that I do to secure code, and so on.
In the thirty-some years I have been writing software, I have seen many a change.
One of the biggest changes is in securing your code, so I figured this would be a good place to start.

Thinking back to my humble beginnings on the antivirus team, working with mainstream vendors directly, I couldn't help but think in the back of my mind that much of the hubbub regarding exploits was being secretly created in some lab somewhere by companies that had a fix for the problem.
The bigger the exploit, the more the companies flourished. Again, this is just personal opinion, but it is fairly easy to follow the money trail. Something as simple as this site itself takes hours out of your time. Within a day of putting it online, there were thousands of fictitiously registered users.
During my stint in enterprise security and malware detection, poring through thousands of logs, it was quickly realized that forums, blogs, anywhere things can be anonymously posted, were the perfect place for bots and malware to communicate. All they needed was a place to put data that was easily obtainable on the web.
Your job as a coder is to protect against that.. like a ninja!

It sucks to say it out loud, but if you write code, someone is trying to break it. This process, however, can literally bring coding to its knees.
It is continuously changing, tedious and time consuming. If you have ever used Fortify and been graded on the results, you know exactly what I mean!
What is normally a simple process becomes an inundating task.

If you code for a large company, you can guarantee that your code will need to be pushed through some sort of review.
Every input needs to be validated, every output encoded for wherever it lands, and every data source treated as untrusted.
Scanning tens of thousands of lines of code can take hours.
Every time you change something, guess what: time to scan again.
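To make the input/output/data-source point concrete, here is an added example that is not code from the original post. It is a toy forum post store, written for this page, with constructed sample posts and a constructed attacker-controlled lookup value. It shows the three things a reviewer (or a scanner like Fortify) looks for: an allowlist check on a registration name, HTML escaping at the point of output, and a query built by string concatenation beside the same query with a bound parameter. All function and table names are assumptions made for the example.

```python
import html
import re
import sqlite3

# Constructed schema for this added example: a tiny forum post store.
SCHEMA = "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)"

# Allowlist for a user name: 3-20 characters, letters, digits, underscore.
# Rejecting everything else beats trying to strip 'bad' characters out.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(name: str) -> str:
    """Input validation: accept only names matching the allowlist."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_post(author: str, body: str) -> str:
    """Output encoding: escape when rendering into HTML, so markup in a
    post body is displayed as text rather than interpreted by the browser."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author, quote=True),
                                         html.escape(body, quote=True))


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_post(conn: sqlite3.Connection, author: str, body: str) -> None:
    """Data source: values reach the database only as bound parameters."""
    author = validate_username(author)
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def posts_by_author_unsafe(conn: sqlite3.Connection, author: str) -> list:
    """The 'before' form a scanner flags as critical: untrusted input is
    concatenated into the SQL text, so a quote in it changes the query."""
    sql = "SELECT body FROM posts WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def posts_by_author_safe(conn: sqlite3.Connection, author: str) -> list:
    """The hardened form: the same query with the value bound as a parameter."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM posts WHERE author = ?", (author,))]


def username_rejected(name: str) -> bool:
    try:
        validate_username(name)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run the three checks over constructed sample data and return the results."""
    conn = open_store()
    add_post(conn, "alice", "hello <script>alert(1)</script>")
    add_post(conn, "bob", "second post")

    # Constructed attacker-controlled lookup value: a classic tautology.
    probe = "nobody' OR '1'='1"

    return {
        "probe_rejected_as_username": username_rejected(probe),
        "unsafe_rows": len(posts_by_author_unsafe(conn, probe)),  # every row leaks
        "safe_rows": len(posts_by_author_safe(conn, probe)),      # nothing matches
        "rendered": render_post("alice", "hello <script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The concatenated query returns both posts for the probe value, the parameterized one returns none, the probe never passes the username allowlist, and the rendered post shows the `<script>` tag as text. Note that escaping is done in `render_post`, not on the way into the database: encode for the output context, and keep the stored data as the user wrote it.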

From the management perspective, they normally see numbers and graphs.
They do not care that the critical alert on your review could only be triggered by a one-armed Armenian in a viking ship on the Baltic Sea carrying a poodle, a white poodle with gray spots and a limp in its left leg.
Nor should they, because the day that viking shows up carrying the poodle, your code is cooked! :)
It is a critical alert and must be fixed to get you off of the Jumbotron.
Bad coder.. bad coder!
To be continued...