Security Best Practices - IT Hare on Soft.ware

Your mileage may vary. Batteries not included

This category is dedicated to security best practices when applied to software development.
While we cannot provide a comprehensive list (yet), we are planning to keep expanding it.

Security Best Practices, page 1/2 :

Direct Payment Processing. Recovery from ‘Unknown’ Transaction Status. PCI DSS.

Quote:

“With the Direct Processing, customer should trust us (the merchant) with their details”

Another Quote:

“On the other hand, most of PCI DSS requirements make perfect sense regardless of formal compliance”

[→]

Logins and Passwords

Quote:

“I STRONGLY recommend to provide an option for your players to use 3rd-party “social logins””

Another Quote:

“you can be sure that as soon as your game is alive and kicking – you’ll need to implement password recovery for your players.”

[→]

Random Number Generation

Quote:

“even if your RNG is statistically perfect, people will still complain 🙁 “

Another Quote:

“On modern x86 CPUs, single core can generate 150M+ random bytes/second this way (and this is a Damn Lot).”

[→]

TCP and Websockets for Games

Quote:

“TCP is a byte stream, the whole byte stream and nothing but the byte stream”

Another Quote:

“if all packets reach Client, there isn’t that much difference between TCP and UDP”

[→]

UDP for games – security (encryption and DDoS protection)

Quote:

“Yes, you DO need to encrypt your UDP traffic. And no, using UDP is NOT a valid excuse to skip encryption”

Another Quote:

“Personally, I prefer to think of it as of insurance – when I’m paying my premiums in hope that my money will go to waste.”

[→]

Avoiding ugly afterthoughts. Part b. Coding for Security, Coding for i18n, Testing as a Part of Development

Quote:

“Doing sanitization at IDL level automates quite a bit of tedious-and-error-prone work, which is always a Good Thing™”

Another Quote:

“Hey, this whole thing can be made MUCH simpler, the only thing we need to acknowledge is that the best identifier for a string is the string itself!”

[→]

Password Hashing: Why and How

Abstract:

Password hashing is a Big Headache, and doing it right is complicated

Quote:

“Note that none of the C++11 random number engines (LCG, Mersenne-Twister, or Lagged Fibonacci) can be considered good enough for cryptographic purposes – in short, they’re way too predictable and can be broken by a determined attacker, given enough output has leaked.”

[→]