


Offhand: checking %status and %error after every op code setting them.
Reasonableness tests on numeric fields (height between 2' and 8'; weight
between 70 lbs and 600 lbs.). No characters less than x'40' in character
data. Limits on the use of special characters in character data. Dates
reasonable for the date (today can't be a birthday, nor can January 25,
1875). Postal codes, cities, and states are valid as is the combination
(Postal 98104 and Tampa, Florida are both valid, just not together). A
*PSSR routine. Forced, detailed job logs with second-level messages.
Physical files journaled before and after. Use views to ensure
unauthorized data never gets into the program. Non-observable objects or
debug view is locked. OVRDBF's to prevent overriding. You could even go
crazy and hard-code the library names in the F-specs.

A comprehensive set of test cases and a test engine to run them after every
modification and OS upgrade. Use only by authorized users.

And so on.

On Wed, Mar 3, 2021 at 2:29 PM Charles Wilt <charles.wilt@xxxxxxxxx> wrote:

None of those really count as "secure coding practices" (well maybe under a
generic "error handling")

Take a look here
https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Some of that isn't applicable if you're still using 5250...

Charles

On Wed, Mar 3, 2021 at 3:11 PM Dave <dfx1@xxxxxxxxxxxxxx> wrote:

Hi,

I'm looking to create some examples of secure vs non-secure code in RPG.
I'm not finding it easy to come up with my own. I guess the most basic
would be not checking the indicator after a chain operation, for example.
But nobody does that(!) Then I thought of a few things that tend to bite
you on the backside after a few weeks like a DS not initialized or nested
DO's with file reads that both use %EOF without specifying the file name.
But that only happens when you don't test properly. Anyone got any ideas?
TIA!
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
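As an added illustration of the points raised in this thread (not code from any of the posters), here is one customer lookup written the careless way Dave describes (CHAIN result never checked, counter not initialised, bare %EOF) beside a defensive version that applies the first post's %error/%status checks and reasonableness limits. CUSTMAST (key CUSTNO, fields HEIGHTIN, WEIGHTLB) and ORDERS (key CUSTNO) are hypothetical files assumed for the example.

```rpgle
**free
// Added example, not from the thread: a customer lookup written the
// careless way and the defensive way. CUSTMAST (key CUSTNO, fields
// HEIGHTIN, WEIGHTLB) and ORDERS (key CUSTNO) are hypothetical files.
ctl-opt dftactgrp(*no) actgrp(*new);
dcl-f CUSTMAST keyed usage(*input);
dcl-f ORDERS keyed usage(*input);
dcl-pr lookupUnsafe ind;
  custNo packed(7:0) const;
end-pr;
dcl-pr lookupSafe ind;
  custNo packed(7:0) const;
end-pr;
// Non-secure: CHAIN result never tested, so a missing record leaves
// whatever the last successful read put in HEIGHTIN and that is used.
dcl-proc lookupUnsafe;
  dcl-pi *n ind;
    custNo packed(7:0) const;
  end-pi;
  chain custNo CUSTMAST;
  return (HEIGHTIN > 0);
end-proc;
// Secure: test %error and %found, apply the reasonableness limits
// from the first post, initialise counters, qualify %eof by file.
dcl-proc lookupSafe;
  dcl-pi *n ind;
    custNo packed(7:0) const;
  end-pi;
  dcl-s orderCount int(10) inz(0);
  chain(e) custNo CUSTMAST;
  if %error();            // I/O error: %status() holds the code
    return *off;
  endif;
  if not %found(CUSTMAST);
    return *off;
  endif;
  // 2'..8' (24..96 inches) and 70..600 lbs
  if HEIGHTIN < 24 or HEIGHTIN > 96
     or WEIGHTLB < 70 or WEIGHTLB > 600;
    return *off;
  endif;
  setll custNo ORDERS;
  reade custNo ORDERS;
  dow not %eof(ORDERS);   // file name given, never a bare %eof
    orderCount += 1;
    reade custNo ORDERS;
  enddo;
  return (orderCount > 0);
end-proc;
```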


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].