Difference between revisions of "Assume attackers have source code"

(Reverting to last version not containing links to s1.shard.jp)

Revision as of 12:00, 29 May 2009

This page has been recommended for deletion.
You can help OWASP by improving it or discussing it on its Talk page. See FixME
Comment: Tagged via Template:Delete

This is a principle or a set of principles. To view all principles, please see the Principle Category page.


Secrecy of source code and other implementation details is a very weak approach to security. In fact, the secrecy of your source code is probably not nearly as good as you think. So build your applications considering that an attacker has a copy of the source code. There is no reason that having the source code makes a secure system impossible.

In most organizations, the source code for applications is stored in a Source Code Control System designed for integrity, not secrecy.

Think who has access to the code and where it might have been stored. There's likely to be a full copy of the source code on every developer's machine. They may have made backup copies in home directories or other storage. They may have taken a copy to work on at home (or possibly to reuse on other projects). The code is also probably stored on backup tapes.

The source code is also probably stored on compile servers and machines that are a part of the build process. The code (in compiled form) is also likely to have found its way to test machines, developer machines, staging servers, and also production. Compiled code is easy to reverse engineer, especially with bytecode-type languages like Java and .NET.

To say that many of these places are not as well protected as production environments is a serious understatement. So consider the threat (in your actual environment, not the way the standards say it is supposed to be) of an attacker being able to get a copy of the source code.

The good news is that having the source code shouldn't provide much of an advantage to an attacker, if you've built it with that in mind. The cryptographic community has followed this principle for decades, but many organizations cling to the notion that the secrecy of the code is critical to the security of their application.
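The contrast above, as an added example that is not part of the OWASP page: a token check whose only protection is that nobody reads the source, beside one that stays correct when the source is public, and a scan of each function's compiled constant pool showing why the first one fails once the code (even in bytecode form) leaks. The function names, the environment variable name and the token values are constructed for this illustration.

```python
import hmac
import os
from typing import List, Optional


def check_token_weak(presented: str) -> bool:
    # Security rests on nobody reading this file: the token is a literal in the code.
    return presented == "example-token-do-not-use"  # constructed placeholder value


def check_token_hardened(presented: str, secret: Optional[bytes] = None) -> bool:
    # Still safe if the attacker has this file: the secret is supplied from outside
    # (environment here; a secrets manager in practice) and compared in constant time.
    if secret is None:
        configured = os.environ.get("APP_API_TOKEN")  # hypothetical variable name
        if configured is None:
            raise RuntimeError("APP_API_TOKEN is not configured")
        secret = configured.encode()
    return hmac.compare_digest(secret, presented.encode())


def string_constants(func) -> List[str]:
    # What a constants scan of the compiled function (or a decompiler) recovers:
    # every string literal stored in the function's code object.
    return [c for c in func.__code__.co_consts if isinstance(c, str)]


def leaks_secret(func, secret: str) -> bool:
    # True when the secret can be read straight out of the compiled code object.
    return secret in string_constants(func)


if __name__ == "__main__":
    print("weak check leaks its token:",
          leaks_secret(check_token_weak, "example-token-do-not-use"))
    os.environ["APP_API_TOKEN"] = "runtime-supplied-value"  # constructed for the demo
    print("hardened check accepts the configured token:",
          check_token_hardened("runtime-supplied-value"))
    print("hardened check leaks its token:",
          leaks_secret(check_token_hardened, "runtime-supplied-value"))
```

The hardened function's constant pool still reveals the variable name and the error message, which is fine: the principle is that nothing an attacker recovers from the code should be a credential.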

NOTE: Some source code contains intellectual property, such as trade secret algorithms and other business processes. The secrecy of the source code is an important part of protecting this IP.



Related Vulnerabilities

Related Controls


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.