SELJE - VFP and IT Security.pdf

VFP and IT Security
Eric Selje
Salty Dog Solutions
Voice: 608-213-9567
Website: www.SaltyDogLLC.com
Email: eric@saltydogllc.com

Visual FoxPro developers, in general, are not like other developers. We work directly with the end users, we do the design ourselves, we code it, we test it, we deploy it, and we support it. We often have full control over the entire environment. For our software to be secure, we need to know what security issues exist all along the software development chain. There's a lot to know, and this whitepaper will cover some general concepts to consider to reduce the risk of your applications, and some specific recommendations for Visual FoxPro developers.

You will learn:
- Where you might introduce risks in your development
- Where external parties might inadvertently introduce risks
- Good principles for secure software development
Copyright 2022, Eric Selje

Introduction

Back in 1987 when I started developing in FoxPro, and up until fairly recently, "IT Security", or "Cybersecurity" as some people call it, was not nearly as much on our minds as it has become today. We were so naïve and trusting! This whitepaper will outline what I've been doing in IT security and go over the day-to-day tasks of an IT Security "Officer", so you can get a feel for the scope of my new work. I'll dig into what tools I use, what Risk Management Frameworks are, and one specific framework that's useful for most small to medium businesses.

For the second half I would like to take the tools and lessons that I have learned from my new role in IT Security and apply them to your life, and my previous life, as a Visual FoxPro programmer. My generalization is that FoxPro developers do not just churn out code all day. I may be oversimplifying here, but I think we often work more directly with the end users, we do the design ourselves, we code it, we test it, we deploy it, and we support it. We may also be the network engineer and the systems support and the webmaster and have any number of other roles. This is not the case with all software developers, especially in bigger shops. So, we not only need to be aware of security all up and down the entire development chain, but we have to know about the entire environment where our systems are deployed.

My goal is to raise your awareness of what an IT Security Professional does, and hopefully you can pick out some tips to make you a more secure developer and worker overall. I'm going to throw a lot of ideas out there, but as much as I can I'm going to avoid recommending specific tools, and any tools that I do mention are not an endorsement as much as just something I'm aware of. I don't claim expertise in anything I do mention either; I'll leave it up to you to pursue anything you see further and come to your own conclusions.

Does anybody have any questions before we begin? So here is what I have been doing for the last few years as an IT security person:

A Day in the Life

My day starts with assessing our environment. I check my email for any alerts that have come in overnight. I'm also looking for any abnormalities in our systems. Of course, to recognize what's "not normal" means I have to know what normal is, and that requires a combination of having established baselines and some experience. Because my systems are up and running, my baselines are fairly well known to me now. E.g. I know how much traffic is about average, how many users are in my Directory, and how much disk usage growth we have each day. This would be a real hassle if I had to check all these things manually, but thankfully there's a tool for that: my log analyzer.

Log Analyzers

This tool ingests logs from almost all of my other security tools as well as the logs from all of my workstations, servers, network devices, and applications. But wait, there's more! Its advanced features make it what's known as a SIEM (Security Information Event Manager); it analyzes all of those logs and sends me the reports and alerts when there's something up. Each day I read reports that tell me if any account tried to log in unsuccessfully too many times, which Active Directory accounts or groups were modified, any abnormal system events that were seen, and if any new devices were discovered on the network. I have reports that tell me which websites were blocked by our web-based threat protection proxy server. If I see a lot of traffic go out to (or preferably get blocked from) a server that's known to be malicious, that's an indicator of compromise. I have one report that tells me every command that was run on any of our firewalls, routers, and switches. Another one tells me if anyone, including IT admins, elevated their rights from regular user rights to administrative rights. It's not that I care if the IT admins did, but if there was a normal user account that elevated its rights, that's a red flag. The log manager may be the most important tool in my toolbox. There are a variety of them available, some self-hosted and some in the cloud. Their pricing is based on how much data they ingest and how long it's retained, but it starts at $0 for a self-hosted open source system like the ELK stack.

Vulnerability Scanner

The next thing I do is review our Vulnerability Scanning dashboard to see if any software running on my network is known to have been exploited. The way this software works is that there's a public database of known vulnerabilities, and this software has plugins to test whether any of my devices are susceptible to each exploit. Each exploit gets a CVE number, which is its primary key, and then a couple of scores based on how widespread it is and how much damage it could do if exploited. For example, an exploit that allows someone to take complete control of my network just by coming near it with a bagful of Unobtainium sounds bad, and would be bad if Unobtainium weren't quite so hard to get. At the other end of the scale is, say, a virus that is super easy to get and whose payload is that it randomly ejects an extra sheet of paper at the end of each print job. Every network has vulnerabilities, and they all fall somewhere between those two extremes, so my job is to prioritize them and then ensure we remediate any of the ones we're vulnerable to by either patching or removing the software.

Figure 1: Find vulnerabilities with a network scan
Figure 2: Drilling down into a specific device's vulnerabilities

Figure 3: Drilling further down into a specific vulnerability

Automatic Updates

We have a system that automatically keeps all the software on all of our devices up-to-date, and I cannot recommend that enough. Not just Windows but almost everything else as well. Oftentimes I don't worry too much about software that's flagged as unpatched, because I know it will get patched automatically soon enough. Some places put all their patches through a test phase before deploying them, and that's great if you've got the resources to do that, but not everyone does, so we have to trust that the vendor's testers did a good job. That doesn't always work out well, as we've seen with the PrintNightmare patch from Microsoft, but it usually does.

And then there are some programs that will never be patched again. Silverlight is a great example of unsupported software that a vulnerability scanner will flag. Since we have nothing that requires Silverlight anymore, we just removed it. That's the nice simple solution, but it's not always possible to simply uninstall unsupported software. Perhaps you can think of an example? In those cases, I can tell my scanning software "Yeah, I know this is a vulnerability but I'm willing to Accept it, so please quit flagging it because you're making my dashboards look red and I don't want any red on my dashboards." Usually when you Accept a risk there's some paperwork involved so the powers that be know you're taking a chance, and this is actually where the mandate to remove Visual FoxPro often comes from, because many managers are extremely risk averse. We'll go over the risks of having Visual FoxPro, as well as applications written in Visual FoxPro, in the second half of this paper.

What's Coming?

After I'm confident I've done what I can to ameliorate any impending threats, it's time to move on. During this phase of my day, I review sources that disclose any newly discovered vulnerabilities and discern whether any of those apply to my environment. These would be exploits that my scanning tools don't have plugins for yet. I monitor these emerging risks and keep everyone apprised of what might be coming down. I use my experience to determine whether what the headlines (or my tools) call a threat is really a threat to my systems, because I may already have "controls" in place to mitigate that threat. For example, if there's a new phishing campaign that takes over your machine due to a zero-day exploit of a browser, but the user has to be running as an administrator for it to work, then I don't worry, because one of the things that I've already taken care of is making damn sure that none of my users can ever run as administrator. As I've mentioned, even my administrators can't log on as administrator; they have to elevate their permissions to do anything administrative. Another common one is a new iPhone update. Everyone's got their iPhones on auto-update, so they'll get updated within a few days, but if it's particularly bad I can go into our Mobile Device Manager software and push an update out to them immediately. That helps me sleep at night.

A couple of those sources are the Mandiant email newsletter, which comes out every day, websites like HackerNews, BleepingComputer, or Krebs on Security, and even mainstream media, although they tend to trail the other tech sites and often overhype threats and don't always give good context. If you've got any public-facing devices (a website would be the most common example, but you may also have file-sharing services, IoT devices, or other network devices), you should subscribe to a service like Shodan that will scan your external devices and let you know if there are any vulnerabilities there as well. A few years ago, I did a presentation on How to Hack a Database that talked about other ways to discover if you've got an exploit like SQL Injection on your site. That was pretty cool, although I'm now aware that some of the tricks I did in that paper are kind of frowned upon by the FBI.

It's not enough for me to know what's coming though! I need to turn around and make sure that the most vulnerable part of any network, my end users, also know. We have a Security Awareness Training program that lets us do test phishing on our users and educational video campaigns on the latest threats.
IT Security Frameworks

After the day-to-day stuff is taken care of, I work on ensuring we're in compliance with our IT Security Framework. If you want to go down a rabbit hole for the next year, this is a great place to begin. There are tons of IT Security Frameworks out there, so the first task is to pick the ones that are applicable to your business (if one isn't already assigned to you by the industry that you're in). The one that we use is based on the NIST 800-53 framework, with modifications. That's a pretty popular one, but it's really extensive and may be overkill for small businesses. Unless you're a government contractor, and then you must adhere to the NIST 800-171 framework and prove it in order to get the contract. This all involves a lot of paperwork, policy making, and follow-up. If this sounds less appealing than writing code, you are correct!

NIST stands for the National Institute of Standards and Technology, and that's the same outfit that does things like determining what the actual time is and how much an ounce weighs. (Reading into the history of the original Office of Weights and Measures is fascinating stuff, really!)

If I were just getting started with an IT Security plan for my business, I would focus on what's known as the CIS Controls. CIS is the Center for Internet Security, which hasn't been around nearly as long as NIST. Yes, there's actually a lot of competition in the framework market, just like everything else.

When IT Security People talk about "Controls", they are referring to something that is put in place to achieve security goals. For example, Anti-Virus software is a control that helps prevent malware. Firewalls are a control that prevent unwanted traffic from traversing networks. In FoxPro, the Valid() function and InputMask property on any of our inputs might be considered a control to prevent invalid data from making its way into our database.

The CIS Controls used to be known as the SANS Top 20, but now it's down to 18 because they rolled a couple into each other. If you implement these 18 controls in your environment, you'll reduce your attack surface tremendously. Briefly, these controls are:

CIS Control 1: Inventory and Control of Enterprise Assets
Know everything about what's on your network. How many servers, workstations, switches, etc.? How many are Macs vs. PCs? If you don't know what's on your network you cannot recognize when there's something rogue on your network. Some places will go so far as to whitelist the MAC addresses of what's allowed. This tight control makes things secure but really illustrates the maxim that security and convenience rarely go together.

CIS Control 2: Inventory and Control of Software Assets
Have software in place that scans your workstations for what software is running on them and keeps it up to date. This might be as simple as the free Windows Server Update Services. Ideally the service you use can handle the entire variety of systems that you have, and maybe even patch firmware and other IoT devices as well.

CIS Control 3: Data Protection
This should be a big one for us database developers, and I'll talk more about this in the second half, but we have to have controls in place so our data is not easily accessible to anyone snooping around, either when it's at rest or in transit. Ideally, we have policies in place to classify the data (which requires more than just thinking that the data is classified) so you can handle more sensitive data (e.g., credentials) differently than you would handle non-sensitive data. You should also have a data retention plan in place so you know whether you should purge the data regularly or hold onto it in perpetuity. I recently came across this quote regarding Twitter's (lack of) data protection: "They don't know what data they have, where it lives and where it came from and so, unsurprisingly, they can't protect it. It doesn't matter who has keys if there are no locks."

CIS Control 4: Secure Configuration of Enterprise Assets and Software
These determine who gets to make changes to your network or install new software and what procedures they have to go through in order to document the changes. This is meant to prevent "Rogue IT", which is coincidentally how many of us FoxPro developers got started. Whatever tools we had weren't satisfactory, so we wrote our own. This is considered bad, from a security perspective.

CIS Control 5: Account Management
Who gets an account on the system? What service accounts are running? Do they have to have passwords? How long? For most of us, we use Active Directory to manage our network accounts, but what about access to our applications? This applies to those as well, and is the reason why it's better to let a 3rd party provider like Active Directory or even Google handle the account management for your app. We'll talk about this more later.

CIS Control 6: Access Control Management
This ties in with Control 5, Account Management, but deals with the rights users have. Do users need administrative rights? Do you require Multi-Factor Authentication? Can a user log in remotely, or do they have to be in a specific geographic location based on their IP address when they enter their credentials?
Use LAPS for local administrative accounts rather than a common username and password on every device.

CIS Control 7: Continuous Vulnerability Management
Scan your devices for the known vulnerabilities and patch them automatically. This is honestly the one thing you can do to mitigate most of your IT Security issues.

CIS Control 8: Audit Log Management
Enable logging on all of your devices and as much of your software as possible, and forward those logs to a centralized repository. This is helpful for alerting, reporting, forensics, and incident response.

CIS Control 9: Email and Web Browser Protections
Spammers ruin everything, so gone are the days when we could simply email from our applications out the nearest SMTP server, because most email servers have implemented restrictions that prevent simple auth (username/password). Of course, spam still gets through, so you still want to have spam filtering on your inbox, prevent EXE files from getting into your inbox, and have your anti-malware scan your downloads. Run your web traffic through a proxy server to block any attempts to navigate to known malicious sites.

CIS Control 10: Malware Defenses
Speaking of anti-malware, you definitely should be running it. Even if you have a Mac, or a Linux box. These days Windows makes it hard not to run something, since it comes with the perfectly acceptable Defender and continuously warns you if you disable it. Most decent anti-malware software has a software firewall built in and can even have policies that allow you to lock down USB ports or warn you if you're about to go to a compromised website. In anything but the smallest businesses you'll want to use software that allows you to deploy these policies down to the client automatically, so you don't have to configure each device independently.

CIS Control 11: Data Recovery
Have a secure backup plan in place and test it regularly. Those backups should not only include your files, but also device configurations, Active Directory settings, and other less obvious data stores. Tabletop disaster scenarios so you know what to do when the worst happens. Where will you set up? How will you get back up and running?

CIS Control 12: Network Infrastructure Management
Ensure your network devices are patched and secure, and nothing gets introduced without it being vetted.

CIS Control 13: Network Monitoring and Defense
Set up those alerts as mentioned in Control 8 (Log Management). Configure your firewalls to only allow in the traffic you want to get through (start with a Deny All posture and open up the necessary ports from there after seeing what got blocked that you really want to allow). Create VLANs to segregate traffic, especially to workstations that handle sensitive data.

CIS Control 14: Security Awareness and Skills Training
This is probably the second most important thing you can do, and this is actually one of my favorite tasks. I use a 3rd party tool to deploy quick training videos to my users to keep them aware of the latest exploits such as smishing, vishing, social engineering hacks, and whatever the latest scheme is that hackers contrive. The system has an integrated Learning Management System so I can see who's completed their training, and we use this when a new employee onboards to give them the annual security refresher, which is more complete than the refresher courses. We also send out test phishing so our users can see how nefarious some of these emails can be. If a user fails, they get automatically enrolled in a remedial course in how to spot phishing emails. Phishing (and its specializations, spear-phishing and whaling) is by far the most common way credentials are compromised, which is why this training is so important.
CIS Control 15: Service Provider Management
Keep track of who you're working with, what data and services they have access to, and monitor them to ensure compliance with any security policies you have. The same way your bank wants to ensure that you're PCI compliant if you're taking/storing financial information in order to protect themselves, you want to ensure your 3rd party providers are also secure. If you've seen my Don't Be a Target presentation, you'll know why this is important. For us, this might apply to cloud service providers as well.

CIS Control 16: Application Software Security
OK, now we're at the heart of what we as Visual FoxPro developers really care about: how to make sure our applications and data are as secure as possible. Most everything we talk about in the second half of this talk falls under this control, including establishing a secure development process, using 3rd party controls, and code-level security checks.

CIS Control 17: Incident Response Management
Know how to recognize an "incident" and what to do when it is discovered.

CIS Control 18: Penetration Testing
This includes the dramatic "red-teaming" to ensure your network defenses are intact, but also includes having someone test your applications for vulnerabilities by inputting edge cases, poking odd buttons, and trying to find ways to make it do things you didn't intend.

Policies, Procedures, and More

Whew, that may seem like a lot of things to consider, but if you implement these Controls, and especially Controls 7 and 14, your environment will be much more secure. And be glad we're not going over NIST 800-53, which has over 1,000 requirements to go along with their controls! If you haven't fallen asleep yet, I'll also add that we have over 20 IT Security Policies and Procedures in place that have to be reviewed and reauthorized annually. These include policies that address these controls as well as specific policies for BYOD devices, remote access, international travel, and appropriate use of our systems.

You might be thinking that you'll have to invest a ton of money in order to comply with all of these controls, and there is no shortage of companies that would love to sell you their solution, but there are often free and/or open-source solutions for many of these which you can find with a quick internet search. Everyone's situation is different though, so finding the right combination for your environment is the key, and you might have to invest a little money to get the security you need.

Is this about Visual FoxPro or What?!

Now that we know the 18 CIS Controls and thus are cybersecurity experts, let's take a look at how this affects us as software developers, and specifically Visual FoxPro developers.
It's very important to divide this into three distinct parts. First, there are the vulnerabilities you might have just by installing the Visual FoxPro development environment on your system. After all, this hasn't been supported (i.e. patched) by Microsoft since 2007. And sure enough, if you do a vulnerability scan on your system after installing Visual FoxPro you're going to get a message like this:

Figure 4: Our Vulnerability Scanner says VFP is a Critical Risk. Is it?

92700 is the vendor's PlugIn ID for this vulnerability, and if you drill down into it, you'll see... Oh my! You can see this one has been rated as a "Critical" vulnerability with a CVSS score of 10 (out of 10), which sounds as bad as it can get. Except we know through our experience that this isn't malware, isn't necessarily dangerous, and need not be uninstalled. To be compliant with our security policies we'll probably have to fill out an Exception Report and have the boss sign off saying that they're aware you're running unsupported software, but there's really no prima facie risk here. Or is there?
Microsoft shipped Visual FoxPro 8 & 9 with some ActiveX controls, and these actually did have some security vulnerabilities that could possibly allow Remote Code Execution (RCE), which is bad.
- ComCt232.ocx
- MsChrt20.ocx
- MsFlxGrd.ocx
- MsMask32.ocx
- MsWinSck.ocx

Fortunately, these insecurities were found in products that were still supported, and they have all been patched. If you haven't yet, find and install these security updates. And if you shipped any code that includes the unpatched versions of these ActiveX controls, send out an updated copy to your customers as well, as you cannot assume they've got the controls in place that will automatically update them.

Another control that had security issues and has been updated is the original MSXML control that shipped with FoxPro. Be sure to either update or remove that if you don't need it. It was used with the FoxPro "Task Pane", but if you don't use that you might be safe removing it.

A good way to find vulnerabilities manually is to search MITRE's CVE website. If you search for "FoxPro" you'll see almost all of the known vulnerabilities are from these ActiveX controls, although if you're still running Visual FoxPro 6 you should definitely upgrade because there are some issues with that (in multiple ways besides just security).

So, not too bad overall. But what about any other 3rd party controls? When it comes to add-ons for the Visual FoxPro development environment, one name comes to mind: Thor. Is Thor vulnerable? This is an example of something that's probably not going to be in the CVE vulnerability database, so you'd have to detect it yourself. Fortunately for us, Thor is open-source, and all of the tools are also open-source, so many eyes are inspecting the code looking for anything suspicious. If we had our network boundary controls installed, we could also see if there's any traffic trying to go out the door that looks odd. It is realistically possible that someone could create a Thor tool that looks harmless but actually does something insidious. I'll take my chances.
What about VFPA?

Mr. Chen's Visual FoxPro Advanced is amazing. He seems to be singlehandedly continuing to support Visual FoxPro in a way that Microsoft has abandoned. He does this by patching the binaries of Visual FoxPro's IDE and runtimes. It's not open source, but even if it were, it's written in assembly, so I doubt many of us could really inspect it in a meaningful way for insidious code. So, we have to look at the externalities of the code to determine if it's got any vulnerabilities, and that's really difficult. Again, we could look at the firewall logs to see if any data is going out from our applications to unknown IPs. Enough people are using VFPA that, once more, I'll take my chances. [Note: "I'll take my chances" is not considered a sound security policy. Exception Reports will need to be filed.]

How about X#?

Now we're back into open-source land. In general, and possibly counterintuitively, open-source software tends to be more secure than closed-source because of the many eyes that can be laid on it (which may actually be a myth, as it depends on the number and skill of those eyes). We can download it and run all the source code analyzers we want to poke and probe and find any holes. Just being open source doesn't guarantee it's safer, but it's certainly no riskier these days either. And most of the world is running on open source, including .NET itself as well as Linux.

The Apps We Develop

Now that we've determined that the development environment is secure, let's focus on the apps themselves. This is where CIS Control 16, Application Software Security, comes into play. We start by ensuring we have a secure software development lifecycle. This includes a large number of steps, and which ones are applicable depends on how large your team is, the nature of the application you're building, and the sensitivity of the data. This step is a lot of thinking about your application, its data, who's going to be using it, who's working on the application and how they're trained, what's included in the application and where it comes from, and what coding practices you're going to use. OWASP has published a Security Architecture Maturity Model to gauge how well your team is applying these security principles.

Destiny: Manifest

Be sure to keep a list of any 3rd party components that you deploy with your app. With FoxPro it's not likely to be as extensive as it might be compared to a Node.js app that has dependencies upon dependencies upon dependencies. I am not aware of any automated tool that can scan your Visual FoxPro applications and tell you whether every component in your "Bill of Materials" is up to date [to do: New Thor tool! Integrate with Project Explorer]. Here I'm referring to those vulnerable ActiveX controls mentioned earlier, but also venerable 3rd party ActiveX like DBI Controls, any .FLL libraries, and any classes or UI controls (.VCX or .PRG-based) that you may have used.

Here's an example. Internet Explorer support was completely dropped from Windows in June of 2022. If our applications used the WebView ActiveX control that was built into Windows, that control is no longer supported either, because it's based on Internet Explorer. This doesn't necessarily mean it will stop working, but there's a decent chance that your application will be susceptible to a future vulnerability. You can keep it (be sure to write up that report so everyone's OK with this possibility), or you can update it to the Edge-based WebView2 and all your problems will be solved. Or will they? It turns out WebView2 has also had vulnerabilities. They're not anything to keep us up at night, but won't you sleep even better knowing that you're on top of it and everything else in your Bill of Materials?

Secure Coding and Testing

OWASP also published a concise treatise on Secure Coding Practices that apply to any developer. Some of the sage advice includes:

INPUT VALIDATION
Do it at a trusted source (the database server). Accepting anything that's sent your way before validating might allow manipulated/corrupted data into your database. This may mean you're validating at the UI and the database, and that's OK. Keep all of your validation routines centralized rather than dispersed. For DBF-based tables, a good centralized place is the DBC itself.

AUTHENTICATION AND AUTHORIZATION
Use standard, tested authentication services. If you can, outsource it to a 3rd party like Active Directory, Google (for web apps), or Okta if you have some other identity provider that you use. If you can, and your data is sensitive or valuable, implement multi-factor authentication.
  14. 14. VFP and IT Security Copyright 2022, Eric Selje Page 14 of 18 If your application keeps credentials, only store salted hashes of passwords. Be sure the table that stores those credentials only accepts input from your application. For a table in FoxPro’s DBC, that might be the BeforeOpenTable event that checks for a condition before returning .T. Log every instance of an attempted login, whether it’s successful but especially if it’s a failure. Forward those logs (Control 8), so you get alerted if someone is trying to brute force their way into your application. Use a generic “Invalid Credentials” message rather than more specific “Invalid User Name” or “Invalid Password” messages that give the user a hint to what was incorrect. CRYPTOGRAPHIC PRACTICES I recently saw a post in a forum where someone had contrived their own two-way encryption algorithm. Unless your needs are only to keep your children’s eyes off of whatever you’re encrypting, don’t do that. In fact, don’t do that for any reason. VFP comes with a collection of classes in _crypt.vcx that will tap into Windows’ CryptoAPI and do a far more robust job than yours. Protect keys and salts from unauthorized access. What’s a good way to store secrets in Visual FoxPro? ERROR HANDLING AND LOGGING Develop a process for handling bug and vulnerability reports in your software. Do you have a centralized place to collect bug information from users? What about the application itself? One of the best tools I’ve seen for FoxPro devs is the ErrorHandler classes which I believe Doug Hennig created. It handled runtime errors by collecting the entire environment at the time of the error. It allowed the user to embellish the report and send off the entire report to a preconfigured email address. It is pretty sweet. A modern process might post it to your company’s Slack channel or send a message via Twilio to notify the end user. Whatever it is, define the process. 
Be sure to scrub any sensitive information before submitting that report, like PII that might have been stored in a memory variable.

Once you get a bug report, you need to investigate the “root cause” of that incident to determine why it happened. “It works on my machine” is an unacceptable response here. This is difficult to do without having the information collected by the tool above. If your systems have good audit logging (CIS Control 8!) you may be able to review those logs to help determine externalities that contributed to the problem, like what other apps were running at the time. The more you log the better, so log failures and successes of important milestones. Log not just errors but validation failures, logins, and logouts. If you forward your Sysmon logs as well as all of the other events in your application to a centralized location, the big picture becomes clearer. Use those skills you learned watching CSI to really get to the bottom of problems when they occur. Lastly, you need to document all of this so the next time it happens you’re not starting from square one.

DATABASE SECURITY

If you’re using DBF files without a DBC, database security is essentially impossible because it’s necessary for the end user to have read-write access to the DBF files via the file system. I’ve seen attempts to manipulate file system attributes after a user successfully logs in, but this is easily circumvented by opening the application and then opening the DBFs. Even if you are using a DBC, security is more complicated than if you use a client-server database like MySQL or SQL Server. There are ways to mitigate this issue and prevent a user from opening the tables with a utility that can read Fox tables and then reading, changing, or deleting data. Use the BeforeOpen() event to check for certain conditions, as mentioned above. It might even require the user to reauthenticate if it’s not the application that opened the database.

PROCEDURE BeforeOpen
    LOCAL lReturn
    * PEMSTATUS() attribute 5 reports whether the member exists. VARTYPE()
    * returns a character, so it is compared to "O"/"L" rather than used
    * directly as a logical; only then is the property's own value tested.
    lReturn = PEMSTATUS(_VFP, "oUser", 5) ;
        AND VARTYPE(_VFP.oUser) = "O" ;
        AND VARTYPE(_VFP.oUser.CanOpenDatabase) = "L" ;
        AND _VFP.oUser.CanOpenDatabase
    RETURN lReturn
ENDPROC

In this sample code, I’m checking for the existence of an oUser instance stored in my application object, and if it’s there, whether it has rights to open the database. This is simplified and assumes a developer can instantiate that oUser object properly (perhaps it has an Authenticate() method that requests credentials as defined above?). It’s not enough to assume that, because the person is using the development version of FoxPro, they are authorized to open the database – authenticate every time.
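As an added example that is not the paper's code, here is an Authenticate() routine of the kind the oUser object above could call, covering the earlier authentication advice in one place: salted hashes only, every attempt logged for forwarding, and a single generic failure message. The hash comes from the Windows CryptoAPI through DECLARE DLL; the users and loginlog cursors, the demo account, and its salt value are constructed for the example.

```foxpro
* Added example, not the paper's code. On success the application object can
* set _VFP.oUser.CanOpenDatabase from the result; the users/loginlog cursors
* and the sample account in SetupDemo are constructed.
FUNCTION Authenticate(tcUser, tcPassword)
    LOCAL llOk
    llOk = .F.
    * Exact match only: a plain "=" with SET ANSI OFF would accept a prefix
    SELECT salt, pwdhash FROM users WHERE ALLTRIM(username) == tcUser INTO CURSOR cU
    IF _TALLY = 1
        llOk = (ALLTRIM(cU.pwdhash) == Sha256Hex(ALLTRIM(cU.salt) + tcPassword))
    ENDIF
    USE IN SELECT("cU")
    INSERT INTO loginlog (username, attempted, success, station) ;
        VALUES (tcUser, DATETIME(), llOk, SYS(0))   && CIS Control 8: log both outcomes
    IF NOT llOk
        MESSAGEBOX("Invalid Credentials", 16, "Login")   && no hint which part was wrong
    ENDIF
    RETURN llOk
ENDFUNC
FUNCTION Sha256Hex(tcData)
    LOCAL lnProv, lnHash, lcBuf, lnLen, lcHex, lnI
    DECLARE INTEGER CryptAcquireContextA IN advapi32 AS CryptAcquireContext INTEGER @hProv, INTEGER pszContainer, INTEGER pszProvider, INTEGER dwProvType, INTEGER dwFlags
    DECLARE INTEGER CryptCreateHash IN advapi32 INTEGER hProv, INTEGER Algid, INTEGER hKey, INTEGER dwFlags, INTEGER @phHash
    DECLARE INTEGER CryptHashData IN advapi32 INTEGER hHash, STRING pbData, INTEGER dwDataLen, INTEGER dwFlags
    DECLARE INTEGER CryptGetHashParam IN advapi32 INTEGER hHash, INTEGER dwParam, STRING @pbData, INTEGER @pdwDataLen, INTEGER dwFlags
    DECLARE INTEGER CryptDestroyHash IN advapi32 INTEGER hHash
    DECLARE INTEGER CryptReleaseContext IN advapi32 INTEGER hProv, INTEGER dwFlags
    STORE 0 TO lnProv, lnHash
    * PROV_RSA_AES = 24; CRYPT_VERIFYCONTEXT = 0xF0000000 written as signed 32-bit
    IF CryptAcquireContext(@lnProv, 0, 0, 24, -268435456) = 0 ;
            OR CryptCreateHash(lnProv, 0x800C, 0, 0, @lnHash) = 0   && CALG_SHA_256
        ERROR "CryptoAPI initialisation failed"
    ENDIF
    CryptHashData(lnHash, tcData, LEN(tcData), 0)
    lcBuf = REPLICATE(CHR(0), 32)
    lnLen = 32
    CryptGetHashParam(lnHash, 2, @lcBuf, @lnLen, 0)   && HP_HASHVAL
    CryptDestroyHash(lnHash)
    CryptReleaseContext(lnProv, 0)
    lcHex = ""
    FOR lnI = 1 TO lnLen
        lcHex = lcHex + RIGHT(TRANSFORM(ASC(SUBSTR(lcBuf, lnI, 1)), "@0"), 2)
    ENDFOR
    RETURN LOWER(lcHex)
ENDFUNC
* Constructed demo data: a real salt is random per user (e.g. CryptGenRandom)
PROCEDURE SetupDemo
    CREATE CURSOR users (username C(30), salt C(32), pwdhash C(64))
    CREATE CURSOR loginlog (username C(30), attempted T, success L, station C(50))
    INSERT INTO users VALUES ("eric", "demo-salt-0001", Sha256Hex("demo-salt-0001" + "correct horse"))
ENDPROC
```

After SetupDemo(), Authenticate("eric", "correct horse") returns .T. and any other combination returns .F. while leaving a row in loginlog either way.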
In either DBC or client-server databases, the “safest” way to get data into the database is through parameterized stored procedures. Allowing CRUD statements directly in the code opens up the possibility of data manipulation and SQL injection if the input is not properly scrubbed. Stored procedures also allow you to implement authorization changes quickly. E.g., if it’s determined that a certain group of users should not be able to delete data, a quick validation check at the beginning of the stored procedure that deletes data can be implemented.

If you’re using a client-server database, do not store connection strings in your database or your code. If the credentials to access your database change, it will require you to deploy a new file or build to every instance of your application. Instead, store an (encrypted) configuration file on the server itself, retrievable when needed via a web service or the networked file system.

Web Apps

If you’re developing web applications, or even using the WebView2 control in Visual FoxPro, be aware of the OWASP Top 10. If it’s been a while since you’ve reviewed them,
they do get updated, so check out this website that’s full of good security advice regarding avoiding XSS, XSRF/CSRF, SQL Injection, and more.

Source Control

- Use it.
- But don’t use it to store any sensitive information, because source code leaks happen. Store configuration information as mentioned in the previous section. Restrict who has access to your source code repositories. E.g., if you opened it up to a 3rd party, like a contractor, be sure to revoke that access when they move on. You can have the best IT Security Policies, but if a contractor gets compromised it won’t matter.
- Push early and often. If you use VFPX’s Project Explorer you can have the source code pull, commit, and push automatically. There are other tools in VFP that do this as well without using Project Explorer, but do yourself a favor and just use Project Explorer.

Testing

The best time to begin writing unit tests for your application was before it was even written. The second-best time is now. Unit tests help determine if any changes you made to your code are likely to make your functions and methods return a different value than you expect them to. FoxUnit is available to help you do this dynamic code analysis effectively.

While not a security tool, the Code Coverage Analyzer tool can tell you if you are shipping a lot of unused code. This tool is not automated, however, and I’m not aware of any coverage tool that would be good for including in a true software development lifecycle.

Visual FoxPro also doesn’t come with a good tool for doing static code analysis to find security flaws as part of its IDE. The CodeAnalyst project in VFPX can find coding smells and weaknesses but isn’t focused on security (yet).
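As an added example (not the paper's code) of the SQL injection risk raised under Database Security, the same delete is written three ways: the string concatenation a static analyzer should flag, a parameterized SQLEXEC() call, and a call to a stored procedure that carries its own authorization check. The table, procedure and role names are constructed.

```foxpro
* Added example, not the paper's code. tnHandle is an open SQLCONNECT() handle;
* the orders table, usp_DeleteOrder procedure and app_roles table are constructed.
FUNCTION DeleteOrderUnsafe(tnHandle, tcOrderId)
    * The caller's text becomes part of the statement, so any value that is
    * not a bare number rewrites the WHERE clause (SQL injection).
    RETURN SQLEXEC(tnHandle, "DELETE FROM orders WHERE order_id = " + tcOrderId) > 0
ENDFUNC

FUNCTION DeleteOrderParam(tnHandle, tnOrderId)
    * ?tnOrderId is handed to the driver as a typed parameter and is never
    * spliced into the SQL text, so its value cannot alter the statement.
    RETURN SQLEXEC(tnHandle, "DELETE FROM orders WHERE order_id = ?tnOrderId") > 0
ENDFUNC

FUNCTION DeleteOrderViaProc(tnHandle, tnOrderId, tcUser)
    * Authorization lives in the procedure, so "clerks may no longer delete"
    * is one server-side change with no client rebuild. Constructed T-SQL:
    *   CREATE PROCEDURE usp_DeleteOrder @OrderId INT, @User SYSNAME AS
    *   BEGIN
    *     IF NOT EXISTS (SELECT 1 FROM app_roles
    *                    WHERE login_name = @User AND can_delete = 1)
    *       THROW 50001, 'Not authorized to delete orders', 1;
    *     DELETE FROM orders WHERE order_id = @OrderId;
    *   END
    RETURN SQLEXEC(tnHandle, "{CALL usp_DeleteOrder (?tnOrderId, ?tcUser)}") > 0
ENDFUNC
```

SQLEXEC() returns -1 on failure, so each wrapper reports .F. when the server rejects the statement, including when the procedure's authorization check throws.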
It is written to be extensible, however, so well-written additions could be submitted to find flaws that a regular static code analyzer might, such as code that could lead to SQL Injection, unchecked parameter typing, or even cross-site scripting if you use WebView2 in your app.

If you have the resources, have a 3rd party test your code, not only to make sure that everything is working as expected, but also that nothing breaks if the tester does something unexpected like putting nonsense values into fields, closing windows “prematurely”, and other random craziness.

I think it goes without saying these days that a good data protection policy [CIS Control 3!] says we never test on live data. I know that I’m certainly guilty of not doing that in the past, so I’m just going to add that here.

Deployment

Once we release the app to our client, our security journey continues. Does the application use .DBF files stored on the network? If so, then it’s likely that the network uses the Server Message Block (SMB) protocol. The NSA discovered a bug in Version 1 of this protocol that allowed an attacker to take control of another PC by sending specially crafted packets. They didn’t tell anyone about this bug, including Microsoft who could have fixed it, because they were using it themselves and didn’t want it fixed. When the NSA itself was hacked in 2016 by the Shadow Brokers group, the code (as well as tools that exploited many other previously unknown vulnerabilities) got into the hands of hackers who quickly exploited it. Doesn’t it make you WannaCry?

When you do upgrade SMB, though, you may have some speed issues. Turning off Opportunistic Locking seems to fix the issue.

Code Signing

Code Signing is a way to verify that the EXE that you deliver actually came from you and hasn’t been tampered with. It doesn’t at all mean the code is safe or well-written; a virus could be signed, but is less apt to be, since its origins are more easily traceable if it is signed. From its inception Windows has never required EXEs to be signed, but starting with Windows 11 22H2 there will be a “Smart App Control” feature that tells Windows to only run applications that have been signed. Smart systems administrators will enable that feature, which will disable your non-signed application, so now is the time to start this practice.

Figure 5: A signed application's properties vs. an unsigned application's

We can sign our application using Microsoft’s SignTool utility that comes with the Windows SDK. Doug Hennig (there’s that name again!) wrote a whitepaper on the details of how to do that, but the gist of it is:

1. Get a certificate from a genuine certificate authority. This will cost money.
2. Install that certificate in your Windows certificate store.
3. Export the private key.
4. Use SIGNTOOL to sign your EXE.
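As an added example (not from the paper or Doug Hennig's whitepaper), here is step 4 as a build-script function that signs the EXE with SignTool and refuses to ship it unless the signature verifies. It assumes signtool.exe is on the PATH, the certificate was exported to a .pfx file, and the .pfx password is supplied through a SIGN_PFX_PASSWORD environment variable; the timestamp URL is a placeholder.

```foxpro
* Added example, not the paper's code. Assumes signtool.exe on the PATH and
* the .pfx password in the SIGN_PFX_PASSWORD environment variable; the
* timestamp server URL below is a placeholder to replace with your CA's.
FUNCTION SignAndVerify(tcExe, tcPfx)
    LOCAL loShell, lcSign, lcVerify, lcPassword
    lcPassword = GETENV("SIGN_PFX_PASSWORD")
    IF EMPTY(lcPassword) OR NOT FILE(tcExe) OR NOT FILE(tcPfx)
        RETURN .F.
    ENDIF
    * /fd SHA256: file digest; /tr + /td: RFC 3161 timestamp so the signature
    * stays valid after the certificate expires.
    * Note: /p puts the password on the command line, visible in process
    * listings; signing from the Windows store with /n or /sha1 avoids that.
    lcSign = 'signtool sign /fd SHA256 /f "' + tcPfx + '" /p "' + lcPassword + '"' ;
        + ' /tr https://TIMESTAMP-SERVER-URL-PLACEHOLDER /td SHA256 "' + tcExe + '"'
    * /pa: verify against the default Authenticode policy
    lcVerify = 'signtool verify /pa "' + tcExe + '"'
    loShell = CREATEOBJECT("WScript.Shell")
    * Run(command, 0 = hidden window, .T. = wait) returns the process exit code
    IF loShell.Run(lcSign, 0, .T.) <> 0
        RETURN .F.
    ENDIF
    RETURN loShell.Run(lcVerify, 0, .T.) = 0
ENDFUNC
```

A release pipeline can call SignAndVerify() right after BUILD EXE and stop the deployment step when it returns .F., which is also where the "Automate All of This" advice below lands.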
Code Encryption

Visual FoxPro’s EXEs have a weakness: if someone really wanted to, they could decompile the EXE back into its component source code using a tool like Jan Brebera’s ReFox. And the solution is also ReFox, which can encrypt your application so thoroughly that even ReFox can’t decrypt it. John Ryan’s Virtual FoxFest session on “Securing VFP Applications Against a World of Hackers” will have more information about securing your source code and includes information about Chen’s C++ compiler for Visual FoxPro, which is the ultimate in Visual FoxPro code protection and performance.

Automate All of This

Because humans are fallible and likely to omit steps, the safest way to consistently check your code into source control, run static and dynamic tests on the new code, compile, encrypt, sign, and deploy your code is to automate the whole process. This process is DevOps. A few years ago I did a (now very dated) session on continuous integration in Visual FoxPro using Jenkins, but be sure to check out Joel Leach’s new session on “DevOps with Visual FoxPro” and be sure to incorporate the security tips here to make it DevSecOps.

Conclusion

I’ve introduced you to the 18 CIS Controls that guide a good IT Security program, and the OWASP Secure Coding Practices. These are just two of the many frameworks designed to help you become a more security-conscious developer. There’s a lot to take in here, and I didn’t even get into all of the policies and procedures that cybersecurity pros have to write, maintain, get approved, publish, get acknowledged, and then cyclically review. It can be tedious, and I have become discouraged about the state of IT Security in general because there really is a large attack surface and a seemingly endless supply of nefarious crackers trying to exploit any weakness. While cybersecurity may seem like greener grass, I very much preferred being a developer.
So I guess, in conclusion, my ultimate goal for this session was to raise your awareness of security issues while also discouraging you from being a cybersecurity professional.

i. Common Vulnerabilities and Exposures. See www.cve.org for a searchable database.
