Developer's Guide to Web Application Security

Chapter 6: Code Auditing and Reverse Engineering

Introduction

Designing a program from scratch allows you to incorporate security from the beginning, or at least to be familiar enough with the program to reason about potentially vulnerable areas in the code. However, as an administrator or developer, you may face various alternate situations: you may have joined a development project already in progress, thus inheriting someone else's code; you may have made the decision to use third-party code (such as an open source library or CGI application); or, as an administrator, you may be worried about the quality of the code your internal developers are putting on your system.

In all these situations, it really helps to be able to quickly and efficiently review the code for problems. You don't have to be a programmer extraordinaire to perform a basic code review; and even if you can't follow some of the specific programming nuances, you can at least raise red flags for later review by a more knowledgeable individual. The goal of this chapter is for any computer-literate individual to be able to take an already-developed piece of code and determine if it has fundamental security problems. We provide you with a detailed list of problem areas pertaining to various popular programming languages, and show you how to use such a list in assessing the source code of a Web application. First, we look at how to efficiently trace through a program, effectively giving you a game plan on where to start. Then, we overview some particularly popular programming languages used for Web application...
