Security

Article

Enhance application security with FORTIFY_SOURCE

Mike Guerette

by siddharth "The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source...
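The check the excerpt describes, as an added example that is not part of the article or of glibc: the compiler's estimate of how many bytes can safely be written at the destination (`__builtin_object_size`) is compared against the requested copy length before `memcpy` runs. Where glibc's `__memcpy_chk` aborts through `__chk_fail()`, the stand-in below returns 0 so the outcome can be inspected. The `struct record` layout and the 32-character name are constructed for the example; the two macros mirror the difference between `_FORTIFY_SOURCE=1` (bound to the end of the whole object) and `_FORTIFY_SOURCE=2` (bound to the end of the enclosing field), which is why level 2 catches an overrun that level 1 lets through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a small fixed field followed by other data. */
struct record {
    char name[16];   /* the field we intend to write */
    char notes[48];  /* silently clobbered if a copy into name overruns */
};

/* Stand-in for glibc's __memcpy_chk (not glibc's code): refuse the copy
 * instead of aborting. 'bound' is the compiler's estimate of writable bytes
 * at dst, or (size_t)-1 when it could not tell at compile time. */
static int checked_memcpy(void *dst, size_t bound, const void *src, size_t n)
{
    if (bound != (size_t)-1 && n > bound)
        return 0;           /* glibc would call __chk_fail() here and abort */
    memcpy(dst, src, n);
    return 1;
}

/* _FORTIFY_SOURCE=1 uses __builtin_object_size(p, 0): bytes to the end of
 * the enclosing object. _FORTIFY_SOURCE=2 uses mode 1: bytes to the end of
 * the closest enclosing field, which is what catches intra-struct overruns. */
#define MEMCPY_LEVEL1(dst, src, n) \
    checked_memcpy((dst), __builtin_object_size((dst), 0), (src), (n))
#define MEMCPY_LEVEL2(dst, src, n) \
    checked_memcpy((dst), __builtin_object_size((dst), 1), (src), (n))

/* Constructed input: 32 characters plus terminator, twice the size of name. */
static const char long_name[] = "this-name-is-far-too-long-for-16";

/* Copy n bytes of long_name into record.name under each policy.
 * Returns 1 if the copy went ahead, 0 if the check rejected it. */
int copy_name_level1(size_t n)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return MEMCPY_LEVEL1(r.name, long_name, n);
}

int copy_name_level2(size_t n)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return MEMCPY_LEVEL2(r.name, long_name, n);
}

int main(void)
{
    printf("level 1, 32 bytes into name[16]: %s\n",
           copy_name_level1(32) ? "allowed (overruns into notes)" : "rejected");
    printf("level 2, 32 bytes into name[16]: %s\n",
           copy_name_level2(32) ? "allowed" : "rejected");
    printf("level 2, 12 bytes into name[16]: %s\n",
           copy_name_level2(12) ? "allowed" : "rejected");
    return 0;
}
```

The bound is only known when the compiler can see the destination's declaration; a pointer that arrives through a function parameter yields `(size_t)-1` and the copy is not checked, which is the limitation the excerpt's "not all types of buffer overflows can be detected" refers to.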

Article

Secure Development Practices

Langdon White

Earlier this year we held an event called Red Hat Developer Exchange, a one-day conference for developers who use any of the Red Hat products. We had a great bunch of sessions, but one of the ones I did was about "Secure Development Practices." What does that mean, you might ask? Well, it means: what can I change about my methods and techniques to make it more likely that the development that takes place in my organization...

Article

Upcoming secure development sessions

Josh Bressers

I'm speaking as part of a panel on secure development practices for Red Hat Developer Exchange and the Red Hat Summit. I work on the Red Hat Product Security Team, a group whose purpose is to help Red Hat develop products as securely as possible. Quite often when people talk about software security it's an afterthought. You write your software, then you worry about security later. This can work sometimes, but it's also really expensive. Once you have a functioning...

Article

The Security Benefits of RPM Packaging

Eric Christensen

RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure. What is an RPM? RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. These files are tracked and allow for easy installation, upgrading, and removal. Since...

Article

Secure Development Series: Security Mentality

Langdon White

A new video focused on the "Security Mentality" in the secure programming series has been released. Some interesting things are covered about how developers think about security and why they accidentally introduce security flaws into their systems. As a corollary to Bruce Schneier's law, Josh offers "Any developer can build an application so secure that he or she cannot exploit it." Please watch the videos for some ideas about cheating and about how to avoid the biases in your own...

Article

Secure Development Series: Authorization

Langdon White

Authorization and authentication are both important aspects of secure development. Come check out our latest video in the secure development series and learn about often overlooked authorization events in your applications. The video also discusses Cross-Site Request Forgery (CSRF): what it is and how to avoid it (e.g. the OWASP CSRF Prevention Cheat Sheet).

Article

Secure Development Series: Numeric Errors

Langdon White

The next secure development video is out! Come check out a quick video on the impact of numeric errors during your development process. The video covers such problems as integer overflows and array index errors (and the bounds checking and index checking that prevent them). You can also find more information about overflows and security in general at The Open Web Application Security Project (OWASP). Please leave us your feedback or suggestions for other secure development topics you would like...
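The two error classes named above, as an added example in C that is not from the video or the article: an allocation size computed by multiplying an attacker-controlled count wraps silently, and a table lookup that tests only the upper bound of a signed index reads before the table. Each naive version is shown beside the checked one. The element size, the table and the "header field" framing are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed-size element used by an allocator that takes an
 * attacker-controlled element count (constructed for this example). */
#define ELEM_SIZE 64u

/* Before: the multiplication can wrap, so a huge count yields a tiny
 * allocation that the caller then fills with 'count' elements. */
size_t alloc_size_naive(size_t count)
{
    return count * ELEM_SIZE;
}

/* After: reject counts whose product cannot be represented in size_t.
 * Returns 1 and stores the size on success, 0 on overflow. */
int alloc_size_checked(size_t count, size_t *out)
{
    if (count > SIZE_MAX / ELEM_SIZE)
        return 0;
    *out = count * ELEM_SIZE;
    return 1;
}

/* Constructed lookup table indexed by an untrusted integer. */
#define TABLE_LEN 8
static const int table[TABLE_LEN] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Before: only the upper bound is tested, so a negative index from a
 * signed field (e.g. a parsed header) reads before the table. Shown for
 * contrast; do not call it with a negative index. */
int lookup_naive(int idx)
{
    if (idx < TABLE_LEN)
        return table[idx];      /* out-of-bounds read when idx < 0 */
    return -1;
}

/* After: both bounds are checked, and the value is returned separately
 * from the status so a legitimate table entry cannot be mistaken for
 * the error sentinel. */
int lookup_checked(int idx, int *out)
{
    if (idx < 0 || idx >= TABLE_LEN)
        return 0;
    *out = table[idx];
    return 1;
}

int main(void)
{
    size_t huge = SIZE_MAX / ELEM_SIZE + 1;   /* smallest count that wraps */
    size_t sz;
    int v;

    printf("naive size for %zu elements: %zu bytes\n",
           huge, alloc_size_naive(huge));
    printf("checked size for %zu elements: %s\n",
           huge, alloc_size_checked(huge, &sz) ? "ok" : "rejected");
    printf("lookup_checked(-1): %s\n",
           lookup_checked(-1, &v) ? "ok" : "rejected");
    printf("lookup_checked(3): %d\n", lookup_checked(3, &v) ? v : -1);
    return 0;
}
```

The wrapped product is exactly 0 on both 32-bit and 64-bit targets, which is the worst case: `malloc(0)` succeeds and every subsequent element write lands on the heap past the returned pointer.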

Article

New Secure Development Video Series

Langdon White

Software developers always know they are supposed to be paying attention to security when they program. However, developers also know that without regular reminders, both of the things they already know and of new threats, secure development practices can suffer. As a result, you might find the new series of videos from the Red Hat Product Security Team useful. The first two videos cover that age-old topic, "Input Validation", with the first video a bit of an intro and covering XSS...