Secure Programming for Linux and Unix HOWTO
Do not answer a fool according to his folly, or you will be like him yourself.
Proverbs 26:4 (NIV)
Avoid giving much information to untrusted users: simply succeed or fail, and if the operation fails, just say that it failed and minimize the information about why. Save the detailed reason for the audit trail logs, where administrators can read it but attackers cannot. For example:
If your program requires some sort of user authentication (e.g., you're writing a network service or login program), give the user as little information as possible before they authenticate. In particular, avoid giving away the version number of your program before authentication: if a particular version is later found to have a vulnerability, users who don't upgrade from that version are advertising to attackers that they are vulnerable. Likewise, a failed login should report the same thing whether the account name was unknown or the password was wrong; otherwise the failure message tells an attacker which account names exist.
If your program accepts a password, don't echo it back, neither as it is typed nor in any later message or log; echoing it creates another way passwords can be seen (over the shoulder, in terminal scrollback, or in a captured session).
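The two points above put together, as an added example that is not part of the HOWTO: a small login check for Linux/Unix that prints no banner or version before authentication, reads the password with terminal echo turned off, tells the user only "succeeded" or "failed", and records the actual reason (unknown user, wrong password, locked account) for the audit log alone. The user table, the account names and the `audit:` line format are constructed for the example; a real program would consult PAM or the shadow database and write to syslog rather than stderr.

```c
/* Added example, not from the HOWTO: minimal feedback to the untrusted user,
 * full detail to the audit trail, password read without echo, and no
 * banner or version string before authentication. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Constructed user table for the example; a real program would use PAM or
 * the shadow database, never cleartext passwords in a source file. */
struct user { const char *name; const char *password; int locked; };
static const struct user users[] = {
    { "alice", "correct horse", 0 },
    { "bob",   "hunter2",       1 },   /* locked account */
};
enum auth_reason { AUTH_OK, AUTH_NO_SUCH_USER, AUTH_BAD_PASSWORD, AUTH_LOCKED };

/* Compare secrets in time independent of where they first differ:
 * response time is feedback too (goes beyond what the text covers). */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The detailed outcome; shown only to the audit log, never to the user. */
enum auth_reason check_credentials(const char *name, const char *password)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].name, name) != 0) continue;
        if (users[i].locked) return AUTH_LOCKED;
        return same_secret(users[i].password, password) ? AUTH_OK : AUTH_BAD_PASSWORD;
    }
    return AUTH_NO_SUCH_USER;
}

/* What the user is told: the same line for every failure, so nobody can
 * learn which account names exist or why a login was refused. */
const char *client_message(enum auth_reason r)
{
    return r == AUTH_OK ? "Login succeeded" : "Login failed";
}

/* What the audit trail records. */
const char *audit_message(enum auth_reason r)
{
    switch (r) {
    case AUTH_OK:           return "auth ok";
    case AUTH_NO_SUCH_USER: return "auth failed: no such user";
    case AUTH_BAD_PASSWORD: return "auth failed: bad password";
    case AUTH_LOCKED:       return "auth failed: account locked";
    }
    return "auth failed: unknown reason";
}

/* Read one line from stdin with terminal echo off (input that is not a
 * terminal, e.g. a pipe, is read unchanged). Strips the newline; returns
 * the length, or -1 on error or end of input. */
ssize_t read_password(char *buf, size_t size)
{
    struct termios saved, noecho;
    int tty = isatty(STDIN_FILENO);
    if (tty) {
        if (tcgetattr(STDIN_FILENO, &saved) != 0) return -1;
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &noecho) != 0) return -1;
    }
    char *line = fgets(buf, (int)size, stdin);
    if (tty) {
        tcsetattr(STDIN_FILENO, TCSAFLUSH, &saved);  /* always restore echo */
        fputc('\n', stdout);                          /* the user's Enter was hidden too */
    }
    if (line == NULL) return -1;
    size_t len = strcspn(buf, "\n");
    buf[len] = '\0';
    return (ssize_t)len;
}

int main(void)
{
    char name[64], password[128];
    /* Plain prompts only: no program name or version before authentication. */
    fputs("login: ", stdout);
    fflush(stdout);
    if (fgets(name, sizeof name, stdin) == NULL) return 1;
    name[strcspn(name, "\n")] = '\0';
    fputs("password: ", stdout);
    fflush(stdout);
    if (read_password(password, sizeof password) < 0) return 1;
    enum auth_reason r = check_credentials(name, password);
    fprintf(stderr, "audit: user=%s %s\n", name, audit_message(r)); /* stderr stands in for the log */
    puts(client_message(r));   /* the only thing the untrusted user learns */
    return r == AUTH_OK ? 0 : 1;
}
```

Run it on a terminal and the password is not displayed while typed; run it with input from a pipe and `read_password` leaves the terminal settings alone, which matters because a program that crashes between `tcsetattr` calls leaves the user's shell with echo disabled. Note that `audit_message` and `client_message` are deliberately separate functions: the detail that an administrator needs never shares a code path with the text sent to the user, so it cannot leak by accident.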