Defensive Programming
secretGeek .:dotnuts about dotnet:.
home .: about .: sign up .: sitemap

Defensive Programming

Part 1 - Login Validation

A guide to using the latest defensive programming techniques in your code.

Security breaches not only occur because of buffer overruns and system backdoors. Some of the simplest security mistakes are made by allowing potentially malicious users to access your system.

Login validation should be coded defensively to prevent unauthorised user access.

The following syntax is recommended.

Listing 1
Public Function ValidateLogin(byval psUserName as string, byval psPassword as string) as Boolean
  Return False
End Function

The most immediate benefit of the above code is that users will no longer be able to login to the system.

Numerous other positives will flow from this simple fact. Due to decreased server loads, the most resource hungry portions of your code will now execute much faster. And less often.

The help desk will thank you, as they spend less time dealing with the petty gripes of users, now that there are no actual users to speak of. They may find they are bugged but the occassional complaint about login troubles.

With no new data being created, incremental backups will be done in a flash. System administrators can get on with their preferred task of designing ever more complex network diagrams in visio.

However, it is possible, even likely that your manager won't understand the complex issues of defensive programming. Once you've implemented the above login validation technqiue he may jump up and down screaming until his ears have gone a rich shade of purple. Amongst his ranting you may be able to decipher a suggestion that users are occasionally granted login permission to the application.

To accomodate his clearly socialistic point of view, implement the code provided in listing 2.

Listing 2

Public Function ValidateLogin(byval psUserName as string, byval psPassword as string) as Boolean
  Return True
End Function

This will doubtlessly please him, and users will be quite happy too, as now all attempts to gain access to the system will be successful. The number of calls to the help desk regarding failed logins will be at an all time low, but now that users are actually using the application, users will doubtless find other reasons to trouble the helpdesk.

Inform the helpdesk that any new issues will only be addressed if they are logged via your own custom made Issue Logging software. Ensure that the Issue Logging software has a Login Validation routine of its own, similar to that provided in listing 1.

You may find that when your manager realises how succesful the application now is at accepting login requests, he may again employ his up and down jumping tactics.

Amongst his ranting he will probably insist that you don't let 'just anyone' log in to your system, and he may specifically say that we doesn't want to grant access to 'hackers' and 'terrorists'.

To accomodate these requests, i provide a third listing. You'll need to add a reference to the System.Web.dll.

Listing 3
Public Function ValidateLogin(ByVal psUserName As String, _
      ByVal psPassword As StringByVal psClientIP As StringAs Boolean

    If psUserName.ToUpper.IndexOf("KEVIN") <> -1 And _
          psUserName.ToUpper.IndexOf("MITNICK") <> -1 Then
      MessageBox.Show("Hello Kevin Mitnick. You are the notorious  " & _
                "hacker once known as 'Americas Most Wanted  " & _
                "Computer Outlaw'. You're not getting access  " & _
                "to our system. You have to get up pretty early " & _
                "in the morning to pull the wool over my boss's eyes. " & _
                "Login denied, sucker!")
      Return False
    End If
    If psUserName.ToUpper.IndexOf("OSAMA") <> -1 Then
      MessageBox.Show("I don't know how common the name 'Osama' is " & _
                " in the muslim world, but just to be on the  " & _
                "safe side, we'd rather not let you in right now. " & _
                "But please wait by the computer for a short while.")

      Dim email As New System.Web.Mail.MailMessage()
      System.Web.Mail.SmtpMail.SmtpServer = "MailServer"
      With email
        .To = "webmaster@fbi.gov.au"        
        .Subject = "suspected leader of Al Qaeda located."
        .Priority = Web.Mail.MailPriority.High 
        .Body = "A suspect answering to the name 'Osama' is " & _
                "behaving suspiciously at a computer terminal" & _
                "on our network with ip address " & psClientIp & " " & _
                "Please apprehend him immediately. " & _
                "I'd be careful about approaching him, though. " & _
                "He looks irritable because an application he is " & _
                "using won't validate his login anymore. " & vbCrLf & _
                "A reward should be forwarded to  " & vbCrLf & _
                "LeonBambrick@hotmail.com." & _
                "Cheers, lb."
        System.Web.Mail.SmtpMail.Send(email)
      End With
      Return False
   End If
   
   If psPassword.Length = 0 Or psPassword.ToUpper.Trim = "PASSWORD" Then
     Messagebox.Show("Login Denied. Your stupidity represents a security threat.")
     Return False
   End If
   
   'Allow all other users
   Return True
   
 End Function

What do you do if it's still not good enough?

It has to be said that some managers are very hard to please. I once met a manager who felt that when generating invoices through our billing system, we ought to include full details of our company's bank account so that customers could pay us accordingly. He added further that he wasn't happy with the habit my code had of substituting in my bank account details and my full details. He even pulled a face and if memory serves, yes that's right, he fired my arse.

So if you've given Listing 3 a try and the manager still isn't happy then sit him down and listen very carefully to what he has to say. Ultimately it's his decision who gets validated, so put the choice in his hands:

Listing 4

Public Function ValidateLogin(ByVal psUserName As StringByVal psPassword As StringAs Boolean
    Dim email As New System.Web.Mail.MailMessage()
    System.Web.Mail.SmtpMail.SmtpServer = "MailServer"
    With email
      .To = "YourManager@YourEmployer.com"
      .Priority = Web.Mail.MailPriority.High
      .Subject = "Intrusion Attempt Detected!"
      .Body = "An intruder with login name " & psUserName & _
              " (password: " & psPassword & ") " & _
              "is attempting to gain access to the system. " & _
              "Please attach a debugger to the relevant " & _
              "Application Process, pause execution of the code" & _
              "and manually move the Program Pointer to either the " & _
              "'Return False' or the 'Return True' line below, " & _
              "depending on whether you wish to Deny or Allow Access. " & _
              "The choice is yours fathead."
      System.Web.Mail.SmtpMail.Send(email)
    End With
    System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite)
    Return False 'Deny Access
    Return True 'Allow access

End Function

Remember to include debugging symbols in the new build so that the attach will work. Deploy the application, and invite a representative from Human Resources to come and see you at your desk.

You manager will arrive first, and he will have that intersting purple faced look he sometimes acquires. Show him the printed copy you have of the pornographic url's he's been viewing through his company internet connection. Just as the Human Resources representative arrives, ask your manager if there's anything he wishes to discuss.

If done correctly, the process will ensure your manager provides you with a vastly upgraded computer and anything else you ask for.

Add or view comments about this page

Articles

A Computer Simulation of Creative Work, or 'How To Get Nothing Done' A Computer Simulation of Creative Work, or 'How To Get Nothing Done'
NimbleText 1.9 -- BoomTown! NimbleText 1.9 -- BoomTown!
Line Endings. Line Endings.
**This** is how you pivot **This** is how you pivot
Art of the command-line helper Art of the command-line helper
Go and read a book. Go and read a book.
Slurp up mega-traffic by writing scalable, timeless search-bait Slurp up mega-traffic by writing scalable, timeless search-bait
Do *NOT* try this Hacking Script at home Do *NOT* try this Hacking Script at home
The 'Should I automate it?' Calculator The 'Should I automate it?' Calculator
aaron swartz: the early works aaron swartz: the early works
Finding (and removing) duplicate files on your hard drive Finding (and removing) duplicate files on your hard drive
Harvey, a .net chat server built with RabbitMQ Harvey, a .net chat server built with RabbitMQ
LeonBambrick.com LeonBambrick.com
So your domain has been stolen. What now? So your domain has been stolen. What now?
kv can remember it for you, wholesale kv can remember it for you, wholesale
Hello IT Department Hello IT Department
Dialog Between a Man and His Vista Laptop Dialog Between a Man and His Vista Laptop
NimbleText 1.6, Codename Jetboat NimbleText 1.6, Codename Jetboat
On Task Hoarding and Todo Bankruptcy On Task Hoarding and Todo Bankruptcy
Developer UI Done Right: Mercurial Commandline! Developer UI Done Right: Mercurial Commandline!
Rediscovering the Amstrad CPC 6128 Rediscovering the Amstrad CPC 6128
Just Wally Just Wally
The Correct Order for a First Time Viewing of The Lord Of The Rings The Correct Order for a First Time Viewing of The Lord Of The Rings
A new era for Android. A new era for Android.
Mind-boggling Demo of New Gaming Genre, aka Folder-Based Hangman, aka Fun with Recursion Mind-boggling Demo of New Gaming Genre, aka Folder-Based Hangman, aka Fun with Recursion
Got CSV in your javascript? Use agnes. Got CSV in your javascript? Use agnes.
Archives Complete secretGeek Archives

NimbleText!

screenshot of nimbleText
Generate code
Manipulate text
Extract data from text
Generate SQL
Generate HTML
Get funky with text! NimbleText!
TimeSnapper -- Automated Screenshot Journal TimeSnapper: automatic screenshot journal
25 steps for building a Micro-ISV 25 steps for building a Micro-ISV
3 minute guides -- babysteps in new technologies: powershell, JSON, watir, F# 3 Minute Guide Series
Universal Troubleshooting checklist Universal Troubleshooting Checklist
Top 10 SecretGeek articles Top 10 SecretGeek articles
ShinyPower (help with Powershell) ShinyPower
Now at CodePlex
Realtime CSS Editor, in a browser RealTime Online CSS Editor
Gradient Maker -- a tool for making background images that blend from one colour to another. Forget photoshop, this is the bomb. Gradient Maker

[powered by Google] 
How to be depressed How to be depressed
You are not inadequate.

Recommended Reading


the little schemer

The Best Software Writing I
The Business Of Software (Eric Sink)

Recommended blogs

Jeff Atwood
Joseph Cooney
Phil Haack
Scott Hanselman
Julia Lerman
Rhys Parry
Joel Pobar
OJ Reeves
Eric Sink

Aggregated Links

proggit
dzone
hacker news
dot net kicks

Human Link Machines

interesting finds
a continuous learner's weblog
arjan's world
weekly link post
LinkedIn profile
LogEnvy - event logs made sexy
Computer, Unlocked. A rapid computer customization resource
Aussie Bushwalking
BrisParks :: best parks for kids in brisbane
PhysioTec, Brisbane Specialist Physiotherapy & Pilates
home .: about .: sign up .: sitemap .: © Leon Bambrick 2003 .: privacy

home .: about .: sign up .: sitemap .: © Leon Bambrick 2003 .: privacy