This note covers the following topics: background, history of Unix,
Linux, and open source, security principles, why do programmers write insecure
code?, is open source good for security?, types of secure programs, paranoia is
a virtue, why did I write this document?, sources of design and implementation
guidelines, other sources of security information, document conventions, summary
of Linux and Unix security features, processes, files, System V IPC, sockets and
network connections, signals, quotas and limits, dynamically linked libraries,
audit, PAM, specialized security extensions for Unix-like systems, security
requirements, Common Criteria introduction, security environment and
objectives, validate all input, command line, environment variables, file
descriptors, file names, file contents, web-based application inputs (especially
CGI scripts), other inputs, human language (locale) selection, character
encoding, prevent cross-site malicious content on input, filter HTML/URIs that
may be re-presented, remove or forbid some HTML data, encoding HTML data,
validating HTML data, validating hypertext links (URIs/URLs), other HTML tags,
related issues, forbid HTTP GET to perform non-queries, counter spam, limit
valid input time and load level, avoid buffer overflow, dangers in C/C++,
library solutions in C/C++, standard C library solution, static and dynamically
allocated buffers, strlcpy and strlcat, libmib, C++ std
Author(s): David A. Wheeler
168 Pages