# Monday, March 02, 2009

Programmers make mistakes, we all know that. But some are worse than others. Say you hardcode a file name, and you make a typo in the name. When you do your own testing before passing it off to others, you'll discover the typo because it keeps the application from working. But if you fix the typo, there's a good chance no-one will notice the other mistake - hardcoding the file name - for a very long time. In fact, if the file never moves, under some circumstances you could claim it isn't even a mistake to hardcode the name. But if the file does move, hardcoding the name is a much worse mistake because it causes a bug that a customer discovers - and that is always bad. Writing your data access code so it brings back the wrong records (say, forgetting to filter by date) will show up the minute you hit F5, but writing your data access code so it's vulnerable to SQL injection is far worse - you'll think the application works, but when you put it into production you'll have opened a large hole into your database for bad guys.

The SANS Institute has created a list of what they consider to be the 25 most important programming errors of all time. There's a lot not to like in this list, to be honest. First, it's not so much a list of errors (John typed this line of code in that application) as it is kinds or categories of errors. Second, a lot of them look like the same error over and over (trusting stuff that people give you as input, for example). Third, the post spends pages and pages on credits, acknowledgements, explaining why they are important, predicting how the world will be made better by this list existing, and so on before finally getting to the errors. Fourth, the names are flat-out weird in a lot of cases. But with those disclaimers in mind, I still think the post is worth reading and the errors are worth thinking about. Here are the 25:

  • Improper Input Validation
  • Improper Encoding or Escaping of Output
  • Failure to Preserve SQL Query Structure (aka 'SQL Injection')
  • Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
  • Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  • Cleartext Transmission of Sensitive Information
  • Cross-Site Request Forgery (CSRF)
  • Race Condition
  • Error Message Information Leak
  • Failure to Constrain Operations within the Bounds of a Memory Buffer
  • External Control of Critical State Data
  • External Control of File Name or Path
  • Untrusted Search Path
  • Failure to Control Generation of Code (aka 'Code Injection')
  • Download of Code Without Integrity Check
  • Improper Resource Shutdown or Release
  • Improper Initialization
  • Incorrect Calculation
  • Improper Access Control (Authorization)
  • Use of a Broken or Risky Cryptographic Algorithm
  • Hard-Coded Password
  • Insecure Permission Assignment for Critical Resource
  • Use of Insufficiently Random Values
  • Execution with Unnecessary Privileges
  • Client-Side Enforcement of Server-Side Security

The full details are in the linked post and it won't take more than a few minutes to read the description of each error. Pat yourself on the back, or go do a quick code review so you can say you don't do any of these.


Monday, March 02, 2009 8:48:48 AM (Eastern Standard Time, UTC-05:00)  #