Much of computer security comes down to how a program is told to respond to abnormal requests. Flaws in that handling are known as application layer vulnerabilities, and they make up a large percentage of computer security issues. We can help keep you from becoming part of the problem: by reviewing your program code we can find security issues that would normally slip through the development process.
Buffer overflows are one of the more infamous security flaws currently exploited by hackers. In general, an attacker tries to pass a function, input field, or other parameter more information than it can handle. As programmers know, every parameter has a finite amount of information it can store. When the information passed to the parameter exceeds what it is intended to handle, the excess is still written into memory. This can overwrite critical portions of memory, causing the application to crash, or allow the attacker to inject code of their choosing into memory, letting the attacker take control of the computer, delete files, and so on.
We can perform an audit of your code to find buffer overflows and provide your staff with that audit, allowing you to correct your code or take other action as needed.
Logic security flaws are flaws in the way your program handles certain events that could allow a user to gain elevated privileges or perform actions a user is not intended to perform. This can be as simple as clicking or pressing buttons in a certain order or combination, starting the program in an unusual way, or simply using the program in a way it was not intended to be used.
Logic security flaws can often be discovered in the testing phase of most applications, but as every programmer knows, not every bug in a program can be found. We can perform an audit to see if you missed any potential logic flaws.
SQL injection attacks are becoming very popular against web sites and web applications. What makes it worse is that these attacks are very difficult to detect (because they appear to be normal traffic) and pass through firewalls without any issue. These attacks are also very simple to carry out: all an attacker has to do is modify variables in their cookies, URL, or form fields (all of which are easily editable by an attacker) in a way that causes SQL code to execute that was not intended. This can allow a user to log in to a web site without needing a password, view other customers' information, make administrative changes, and even delete records or entire tables.
The good thing is that this issue is easy to fix with a little variable checking before passing the variable into a SQL query. Defcon-5 can analyze your code and provide you with an audit of the SQL injection vulnerabilities found.
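As an added illustration of the point above (example code written for this page, not Defcon-5's own), a login check in Python against an in-memory SQLite table, first in the vulnerable form that pastes form-field values into the SQL text and then in a hardened form that checks the variable against an assumed user-name format and binds both values as query parameters:

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the web site's database.
    Plaintext passwords are used only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Form-field values are pasted into the SQL text, so whatever the user typed
    is parsed as SQL. This is the pattern a code audit looks for."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

# Assumed site policy for user names; adjust to what the application actually allows.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_safe(conn, username, password):
    """Variable checking before the query (reject user names outside the expected
    format) plus parameter binding: the values travel separately from the SQL text,
    so the database never re-parses them as SQL."""
    if not USERNAME_RE.fullmatch(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    conn = make_db()
    # Constructed attacker input: a password field that closes the quote and
    # appends an always-true condition, the "log in without a password" case.
    forged = "' OR '1'='1"
    print("vulnerable, real password:", login_vulnerable(conn, "alice", "s3cret"))  # True
    print("vulnerable, forged password:", login_vulnerable(conn, "alice", forged))  # True
    print("hardened, forged password:", login_safe(conn, "alice", forged))          # False
    print("hardened, real password:", login_safe(conn, "alice", "s3cret"))          # True
```

The forged value turns the vulnerable query into `... AND password = '' OR '1'='1'`, which matches every row; the bound parameter is compared as a literal string and matches nothing.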
Why Secure your code?
More secure code makes your product not only more secure but also increases the trust of your customers, which greatly increases your return on investment (ROI) as you gain more customers because of the high reliability and security of your program. Greater security also decreases the number of bug fixes and patches that need to be released for your program. This saves your staff time in the long run and lets them focus on new projects.
Contact us to discuss what we can offer for your programming security needs. We specialize in ColdFusion, Visual Basic, and several other programming languages such as PHP.
Last Updated: 03/10/2008 02:58 AM