Delphi and security 2

[whosrdaddy]

Hi,

I need some expert input here!
a customer recently asked me if their application (made in delphi by me) was prone to security vulnerabilities.

after some searching I found this link:

http://www.delphi3000.com/articles/article_4107.asp?SK=

while the article explains some common issues, I'm not 100% sure that this covers everything.

Second thoughts someone?

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!

 

[Glenn9999]

(I'll admit I had a long post made before I hit submit and it got lost) But the main points I had out of it:

1) Perhaps the bigger concerns are with programs that have things to do with the Internet or a network more than programs that are simply local.
2) Think about how your program can be used in ways different than how you designed it (like if you run something, could it be made to run something else?).
3) Think about how your program could be made to do something with its data different than what you intended (like work with data the end-user has no business working with).

Read some of the Microsoft security bulletins and you can get some good examples of things to think about. How you parse your free-form data...What you allow to be done through those wide-access points (variable inputs, running other programs, showing data, etc).

I know it's vague, but hopefully it'll give you some things to think about.

 

[whosrdaddy]

another thing, the VCL controls (like TEdit, TMemo, ..) are they safe??

It seems I need to gain knowledge how to detect vulnerabilites in an application/service...



-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!

 

[Glenn9999]

another thing, the VCL controls (like TEdit, TMemo, ..) are they safe??

It probably depends on the specific control: Does it allow things like what I was talking about in the previous post?

Incidentally you can find many texts on the topic by throwing "secure coding" into the Google search.

Some of the more promising ones in the minute I looked:
A book on the topic
Another book on the topic
[link

http://www.securityfocus.com/infocus/1596

]Secure Coding[/url]
Top 10 Secure Coding Practices

 

[roo0047]

Having once worked for a major corporation who's highest priority was securities and controls, I can offer this:
As developers, we were required to build our applications around predefined security parameters. It would have been a major task to add security and controls after the fact.

Therefore, the real question is, "Was your application built to the security parameters provided by your client?"

Attacks, such as "buffer overflow" are not relevant unless the application is in an environment were it is exposed to such attacks. (Such as a module to be linked as part of a major OS.)

Using "tha powah of tha google", I did find an excellent document on the subject of "Risk Assessment":

http://www.asisonline.org/guidelines/guidelinesgsra.pdf

Roo
Delphi Rules!

 

[whosrdaddy]

thanks guys!

study time...

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!

 

[whosrdaddy]

roo0047, I was also looking for some input from fellow programmers, google is good, but sometimes not enough

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!

 

[roo0047]

Daddy - Absolutely! Sorry if you took that as a dig, not intended. "Risk Assessment" was just a suggestion for other topics to browse. I've since looked at Glenn's links, which led to some references I've bookmarked for myself, and were actually more on topic. Good luck with your customer's "after thought".

Roo
Delphi Rules!