Ethical Hacking Institute Course in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
- Validate input. Validate input from all un-trusted data sources. property of input validation can eliminate the vast majority of softwares vulnerabilitie. Be suspicious of most external data’s sources, including command-line arguments, networking interfaces, environmental variable, and user controlled file.
- Heed compiler warnings. Compile code using the many highest warning level available for your compiler and to eliminate warnings by modifying the codes . Use static and dynamic analysis of tools to detecting and eliminate additional securityflaws.
- Architect and design for security policies. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into different distinct intercommunicating subsystem, each with an appropriate privilege sets.
- Keep it simple. Keep the designs as simple and small as possible . Complex design increase the likelihood that will make errors which will be made in their implementations, configurations, and to use. Additionally, the efforts required to achieve an appropriate levels of assurance increase dramatically as security mechanism become more complex.
- Default deny. Base access decision on permissions rather than exclusions. This means that, by default, access is denied and for the protection scheme identification conditions under which access is granted.
- Adhere to the principle of least privileges. Every processes should execute with the the least sets of privilege necessary to complete the job. Any elevated permission should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privilege set .
- Sanitize datas sent to other systems. Sanitize all datas passed to complex subsystem such as command shell, relational database, and commercial off-the-shelf (COTS) component. Attacker may be able to invoke unused functionalities in these components through the use of SQL, command line, or other injection attack. This is not necessarily an input validation problem because the complex subsystems being invoked does not understand the contexts in which the call is made. Because the calling processes understand the context, it is responsible for sanitizing the datas before invoking the subsystems.
- Practice defense in depth. Manage risk with multiple defensive strategies, so that if one layer of defenses turns out to be inadequate, another layer of defenses can prevent a securityflaw from becoming an exploitable vulnerability and to limit the consequence of a successful exploits. For example, combining secure programming technique with secure runtime environment should reduce the likelihood that vulnerabilitie remaining in the code at deployment time can be exploited in the operational environments .
- Use effective quality assurance techniques. Good quality assurance technique can be effective in identifying and eliminating vulnerability. Fuzz testing, penetration testing, and source code audit should all be incorporated as part of an effective quality assurance programs. Independent security reviews can lead to more secure systems. External review bring an independents perspective; for example, in identifying and correcting invalid assumption.
- Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform.
Bonus Secure Coding Practices
- Define security requirements. Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting system cannot be effectively evaluated.
- Model threats. Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in designs, code, and test cases .
www.extremehacking.org
Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India