Assume attackers have source code

From OWASP
Revision as of 07:07, 26 May 2009 by Deleted user (Talk | contribs)






This is a principle or a set of principles. To view all principles, please see the Principle Category page.

Description

Secrecy of source code and other implementation details is a very weak approach to security. In fact, the secrecy of your source code is probably not nearly as good as you think. So build your applications considering that an attacker has a copy of the source code. There is no reason that having the source code makes a secure system impossible.

In most organizations, the source code for applications is stored in a Source Code Control System designed for integrity, not secrecy.

Think about who has access to the code and where it might have been stored. There is likely to be a full copy of the source code on every developer's machine. They may have made backup copies in home directories or other storage. They may have taken a copy to work on at home (or possibly to reuse on other projects). The code is also probably stored on backup tapes.

The source code is also probably stored on compile servers and machines that are a part of the build process. The code (in compiled form) is also likely to have found its way to test machines, developer machines, staging servers, and also production. Compiled code is easy to reverse engineer, especially with bytecode-type languages like Java and .NET.

To say that many of these places are not as well protected as production environments is a serious understatement. So consider the threat (in your actual environment, not the way the standards say it is supposed to be) of an attacker being able to get a copy of the source code.
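One practical consequence of assuming the source can leak is to check whether the code base itself carries anything whose secrecy matters. The scanner below is an added example, not OWASP's own tooling: it runs a few constructed sample lines through name-based patterns (credential-looking assignments, an AWS-style secret key) and a Shannon-entropy check on long string literals. The sample source, the variable names and the entropy threshold are all assumptions chosen for the illustration.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of lines as they might appear in a checked-out tree.
# None of these values are real credentials.
SAMPLE_SOURCE = """\
db_host = "db.internal"
db_password = "Hunter2!2009"        # checked-in credential
AWS_SECRET_ACCESS_KEY = "EXAMPLEKEY0123456789ABCDEFGHIJKLMNOPQRST"
api_token = os.environ["API_TOKEN"]  # loaded at runtime: fine
signing_key = b"0123456789abcdef0123456789abcdef"
nonce_seed = "Zq8vL2xN9pT4wK7sH1yB3mR6"
banner = "Welcome to the internal dashboard"
"""

# Name-based patterns: a secret-looking identifier assigned a string literal.
PATTERNS = [
    ("credential assignment",
     re.compile(r"""(?i)(password|passwd|secret|api_?key|token|signing_key)\s*=\s*b?["'][^"']{4,}["']""")),
    ("aws secret key",
     re.compile(r"""(?i)aws_secret_access_key\s*=\s*["'][A-Za-z0-9/+=]{40}["']""")),
]

# Any string literal of 20+ characters is a candidate for the entropy check.
STRING_LITERAL = re.compile(r"""b?["']([^"']{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this demo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding kind) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
                break
        else:
            # No named pattern hit: fall back to entropy on long literals.
            # Literals containing whitespace are treated as prose, not keys.
            for m in STRING_LITERAL.finditer(line):
                literal = m.group(1)
                if " " not in literal and shannon_entropy(literal) > ENTROPY_THRESHOLD:
                    findings.append((lineno, "high-entropy literal"))
                    break
    return findings


if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

The entropy fallback catches key material stored under innocent names (`nonce_seed` here) while the whitespace rule keeps ordinary English strings such as the banner out of the report; the runtime lookup via `os.environ` is correctly left alone, because the value is not in the source at all.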

The good news is that having the source code shouldn't provide much of an advantage to an attacker, if you've built it with that in mind. The cryptographic community has followed this principle for decades, but many organizations cling to the notion that the secrecy of the code is critical to the security of their application.
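The following is an added example (not OWASP's code) contrasting the two designs the paragraph describes. In the weak scheme, a token is valid because of a constant and an algorithm that both live in the source, so anyone who reads the code can produce valid tokens. In the hardened scheme, the algorithm (HMAC-SHA256) is public and only a key loaded from outside the code base is secret, so reading the source gains nothing. The constant, the environment variable name and the user names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# --- Weak design: secrecy of the source is the only protection ------------
# Constructed, made-up constant. Once the source is known, so is this.
_OBFUSCATION_KEY = b"s3cr3t-in-source"


def weak_token(user: str) -> str:
    """XOR the user name with a constant that ships in the code."""
    data = user.encode()
    return bytes(
        b ^ _OBFUSCATION_KEY[i % len(_OBFUSCATION_KEY)] for i, b in enumerate(data)
    ).hex()


def weak_verify(user: str, token: str) -> bool:
    # Nothing outside this file is needed to pass this check.
    return hmac.compare_digest(weak_token(user), token)


# --- Hardened design: public algorithm, secret kept out of the code -------
def load_key(env_var: str = "APP_TOKEN_KEY") -> bytes:
    """Read the HMAC key from the environment (assumed deployment convention)."""
    hex_key = os.environ.get(env_var)
    if hex_key is None:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a key")
    return bytes.fromhex(hex_key)


def strong_token(user: str, key: bytes) -> str:
    """HMAC-SHA256 over the user name; the algorithm is no secret."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()


def strong_verify(user: str, token: str, key: bytes) -> bool:
    return hmac.compare_digest(strong_token(user, key), token)


def source_alone_suffices() -> bool:
    """True if the weak scheme can be satisfied using only what is in the source."""
    return weak_verify("admin", weak_token("admin"))


def source_without_key_suffices(real_key: bytes) -> bool:
    """True if knowing the hardened scheme's code but not its key is enough."""
    guessed_key = secrets.token_bytes(32)  # the reader's guess, not the real key
    return strong_verify("admin", strong_token("admin", guessed_key), real_key)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in deployment this comes from load_key()
    print("weak scheme passes with source only:", source_alone_suffices())
    print("strong scheme passes with source but no key:", source_without_key_suffices(key))
```

The point of the comparison is where the secret lives: `weak_token` cannot be published without being broken, whereas `strong_token` can be printed in a standard and stays safe as long as the key supplied to it is not in the repository.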

NOTE: Some source code contains intellectual property, such as trade secret algorithms and other business processes. The secrecy of the source code is an important part of protecting this IP.


Examples



Related Vulnerabilities


Related Controls


References
