Secure error messages in software systems

Secure error messages in software systems

In computer security and usability of software systems, an important issue is the design of error messages in a way that prevents security vulnerabilities. This aspect of software security has only recently begun to receive increased attention. Some of the primary recommended design principles include:

* When asking a question, give the user enough information to make an intelligent decision. Otherwise, for lack of information, they will choose the choice that allows them to make progress, often resulting in compromised security.

* Don't give so much information that the user is overwhelmed or confused and so unable to make an intelligent decision. If this additional information is sometimes useful for debugging or advanced diagnosing, either hide it by default, log it in a separate location, or require special privileges to view it.

* Don't give error messages that could be exploited by a hacker to obtain information that is otherwise difficult to obtain. Again, if this information is useful, log it in a separate location or strictly limit access to it. A commonly-cited example of this is a system that shows either "Invalid user" or "Invalid password" depending on which is incorrect. This allows an attacker to determine a valid username without knowledge of any user passwords, and so is considered by some to be less secure. Another common example is the IIS 5.0 web server's error page, which features a complete technical description of the error including a source code fragment.

External links

* Everett McKay. [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/securityerrormessages.asp MSDN: Writing Error Messages for Security Features] .


Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • Secure multi-party computation — (also known as secure computation or multi party computation (MPC)) is a sub field of cryptography. The goal of methods for secure multi party computation is to enable parties to jointly compute a function over their inputs, while at the same… …   Wikipedia

  • Software cracking — is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date… …   Wikipedia

  • Computers and Information Systems — ▪ 2009 Introduction Smartphone: The New Computer.       The market for the smartphone in reality a handheld computer for Web browsing, e mail, music, and video that was integrated with a cellular telephone continued to grow in 2008. According to… …   Universalium

  • Password policy — A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization s official regulations and may be taught as part… …   Wikipedia

  • Burroughs large systems — The Burroughs large systems were the largest of three series of Burroughs Corporation mainframe computers. Founded in the 1880s, Burroughs was the oldest continuously operating entity in computing, but by the late 1950s its computing equipment… …   Wikipedia

  • Automated Tissue Image Systems — (ATIS) are computer controlled automatic test equipment (ATE) systems classified as medical device and used as pathology laboratory tools (tissue based cancer diagnostics) to characterize a stained tissue sample embedded on a bar coded glass… …   Wikipedia

  • information system — Introduction       an integrated set of components for collecting, storing, processing, and communicating information (information science). Business firms, other organizations, and individuals in contemporary society rely on information systems… …   Universalium

  • Voice over IP — Digital voice redirects here. For the commercial service, see Comcast Digital Voice. Voice over Internet Protocol (Voice over IP, VoIP) is a family of technologies, methodologies, communication protocols, and transmission techniques for the… …   Wikipedia

  • Spyware — is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically,… …   Wikipedia

  • Cross-site scripting — (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client side script into Web pages viewed by other users. A cross site scripting vulnerability may be used by attackers to… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”