The 25-entry list covers programming errors that can lead to security holes or
vulnerable areas that cyber criminals can target.
Experts say many of these errors are not well understood by
programmers.
According to the SANS Institute in Maryland, just two of the errors
led to more than 1.5m web site security breaches during 2008.
"The top 25 list gives developers a minimum set of coding errors that
must be eradicated before software is used by customers," said Chris
Wysopal, chief technology officer with Veracode.
"There appears to be broad agreement on the programming errors," says
SANS director Mason Brown. "Now it is time to fix them."
"We need to make sure every programmer knows how to write code that is
free of the top 25 errors."
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure
CWE-79: Failure to Preserve Web Page Structure
CWE-78: Failure to Preserve OS Command Structure
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery
CWE-362: Race Condition
CWE-209: Error Message Information Leak
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation
CWE-285: Improper Access Control
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security
- Source: SANS Institute
"Then we need to make sure every programming team has processes in
place to find and fix these problems [in existing code] and has the
tools needed to verify their code is as free of these errors," he
said.
- - - - - -
Won't happen.
Like many, programmers are afflicted with DEADLINES
and BUDGET CONSTRAINTS and IDIOTIC POINTY-HAIRED BOSSES
and the annoying fact that there are only 24 hours in
a day. Oh, and competitors are working hard too ...
So - Version 3.00 or Vista or whatever *will* be pushed
out the door by the date the department manager SAYS it
will - even if it's buggy CRAP - because lots of MONEY
and PRESTIGE are involved. Only THEN can half-hearted
work begin on the service packs ..... but most of the
team will be shifted to work on version 4.00 .......
CWE-119 in particular seems to be the bane of Windows
operating systems. Most of the hacks over the past
years have involved over-stuffing memory buffers in
order to cause a fault or get evil data past the
code meant to block it.
Alas there's ANOTHER pressing reason why to ignore some
of the 'rules' suggested above - because they can make
programs/systems almost IMPOSSIBLE for the average Joe
to actually USE. Layers of bulletproof uncircumventable
security means passwords scrawled on desks and cubicle
walls ... or just a PC sailing out the 17th-floor window.
Enough security to keep out hacks often means enough
security to keep out EVERYBODY ... and, really, there
doesn't seem any good way around that. Everyone's tried,
for years, decades .... and it's kind of an either/or.
You either get "user friendly" or you get "secure".
This may be an inescapable fact - and the future uses
of computers have to take that into account - and
perhaps be limited by it. Mega-info systems ... like
Obama's proposed universal medical-history network ...
ARE gonna be hacker havens - and your private info
WILL be stolen, bought, traded and exploited. The
upshot ... we can't HAVE those kinds of systems even
IF they seem like a good thing - kinda like how you
can't have the atomic-powered Edsel they promised
everyone back in the 50s ......
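The buffer over-stuffing the poster describes is CWE-119 from the list above. As an added example that is not part of the article or of anyone's post in this thread, here is the defect in its usual C shape next to a bounded copy that rejects oversized input; the NAME_LEN size and the function names are my own.

```c
/* CWE-119 illustration: a fixed-size destination filled without a length
 * check, beside a version that enforces the bound before copying. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size destination, including the terminating NUL */

/* Vulnerable form: strcpy stops at the source's NUL, not at the end of
 * 'dst', so any user string of NAME_LEN bytes or more writes past the
 * buffer. Shown only for contrast; it is never called with long input here. */
void copy_name_unchecked(char dst[NAME_LEN], const char *user)
{
    strcpy(dst, user);          /* CWE-119: bounded by the source, not dst */
}

/* Hardened form: measure the input against the destination first and
 * refuse anything that does not fit, instead of silently truncating or
 * overflowing. Returns true only when 'dst' holds the whole name. */
bool copy_name_checked(char dst[NAME_LEN], const char *user)
{
    /* Bounded scan: an unterminated input cannot run the length check on
     * past NAME_LEN bytes (strnlen would also do, but is not ISO C). */
    size_t n = 0;
    while (n < NAME_LEN && user[n] != '\0')
        n++;
    if (n >= NAME_LEN) {
        dst[0] = '\0';          /* leave a well-defined, empty result */
        return false;           /* reject; the caller must handle the error */
    }
    memcpy(dst, user, n + 1);   /* n + 1 copies the terminating NUL too */
    return true;
}

/* Convenience wrapper: number of bytes the checked copy accepted,
 * or 0 when the input was rejected. */
size_t checked_copy_len(const char *user)
{
    char dst[NAME_LEN];
    return copy_name_checked(dst, user) ? strlen(dst) : 0;
}
```

The review habit this encodes is the one the list asks for: every write into a fixed-size buffer is paired with a check against that buffer's size, not the input's.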
Well, that's mostly because the Lawyers are still mostly exactly the same
technological ignoramuses as they were in the 50s. All GM 24 Hours a Day,
7 Days a Week.
But, what most of the idiots don't seem to understand about 2000s computers
is that *Optical Computers* never were and never will be *NUCLEAR* *anything*.
And that GPS, Fiber Optics, CD, DVD, HDTV, Robots, Digital-Terrain Mapping,
Drones, PV Cells, Mini-HardDisks, RISC Processors, Parallel Processors,
Holograms, USB, XML, Laser Printers, On-Line Publishing, and Autonomous
Vehicles don't really care all that much about a 1950s Interstate Highway
System.