CWE/SANS TOP 25 Most Dangerous Programming Errors


Jeffrey Walton

Feb 19, 2009, 1:41:27 PM2/19/09
to Crypto++
http://www.sans.org/top25errors/

A bit old (in case anyone has seen it). But I like that vendors are
held responsible:

Buyers will require that software vendors certify
in writing that the code they are delivering is free
of these 25 programming errors. Certification shifts
responsibility to the vendor for correcting the errors
and for any damage caused by those errors.

Dillon Beresford

Feb 19, 2009, 2:45:17 PM2/19/09
to Jeffrey Walton, Crypto++
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jeff,

I was going through mail and saw this one. Secure code is always a
good topic and an even better practice, since we all know what happens
when the stack is taken advantage of. It's amazing that, with so
many security-related products on the market, we have yet to see one
solution that covers every threat wrapped up into one package.

I know you're going to get a kick out of this one.

If we have a plug-in for anti-virus software that scans Outlook for
malicious attachments, then why not a plug-in that runs inside Visual
Studio and scans for potential code vulnerabilities? I know what you're
thinking... We already do! The compiler tells us. Sadly, people are
lazy, which is what this comes down to. Maybe if we put up a big alert
symbol that says something along these lines: stop, your code is
vulnerable! I cannot let you compile this crap that you call code. We
could even add the sound of a squealing pig every time we find a
potential buffer overflow. Ha! Code it up Jeff w00t!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJnbbNRnxC5lZRuuERAqXSAKCjvF+N13D2NZTQl0WYsHC61usrAwCgncNS
PvbnpXZmoTv0/7nXS8TBq3Y=
=jemG
-----END PGP SIGNATURE-----
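
An added example, not code from this thread or from Crypto++, of the kind of check the plug-in described above would perform: a small banned-API scanner in C that walks a buffer of source text and flags calls to the unbounded string functions behind the CWE-119/CWE-120 entries on the Top 25 list (gets, strcpy, strcat, sprintf). The banned list, the finding structure and the sample source it scans are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unbounded string functions to flag (constructed list for this example). */
static const char *const BANNED[] = { "gets", "strcpy", "strcat", "sprintf" };
#define N_BANNED (sizeof BANNED / sizeof BANNED[0])
#define MAX_FINDINGS 32

struct finding {
    int line;           /* 1-based line in the scanned source */
    const char *func;   /* which banned function was called */
};

static int is_ident(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* Scan 'src' (NUL-terminated C source) for calls to banned functions.
 * A hit is a whole identifier equal to a banned name that is followed,
 * after optional blanks, by '('. Whole identifiers are consumed at once,
 * so "mystrcpy(" and "strncpy(" do not match. Returns the number of
 * findings written to 'out' (at most 'max'). */
int scan_banned_calls(const char *src, struct finding *out, int max)
{
    int line = 1, count = 0;
    const char *p = src;

    while (*p) {
        if (*p == '\n') { line++; p++; continue; }
        if (!is_ident(*p)) { p++; continue; }

        size_t len = 0;                 /* length of the identifier at p */
        while (is_ident(p[len])) len++;

        for (size_t i = 0; i < N_BANNED; i++) {
            if (len == strlen(BANNED[i]) && memcmp(p, BANNED[i], len) == 0) {
                const char *q = p + len;
                while (*q == ' ' || *q == '\t') q++;
                if (*q == '(' && count < max) {
                    out[count].line = line;
                    out[count].func = BANNED[i];
                    count++;
                }
                break;
            }
        }
        p += len;
    }
    return count;
}

/* Constructed sample source: line 4 has a classic CWE-120 strcpy, line 6
 * a sprintf with a blank before '(', line 5 and line 7 are near-misses
 * that a naive substring search would wrongly flag. */
const char SAMPLE_SRC[] =
    "#include <string.h>\n"                      /* 1 */
    "void greet(const char *name) {\n"           /* 2 */
    "    char buf[16];\n"                        /* 3 */
    "    strcpy(buf, name);\n"                   /* 4: flagged */
    "    strncpy(buf, name, sizeof buf - 1);\n"  /* 5: different identifier */
    "    sprintf (buf, \"hi %s\", name);\n"      /* 6: flagged */
    "    mystrcpy(buf, name);\n"                 /* 7: identifier boundary */
    "}\n";

int main(void)
{
    struct finding f[MAX_FINDINGS];
    int n = scan_banned_calls(SAMPLE_SRC, f, MAX_FINDINGS);
    for (int i = 0; i < n; i++)
        printf("line %d: call to %s() - potential buffer overflow\n",
               f[i].line, f[i].func);
    return n ? 1 : 0;   /* non-zero exit so a build step can refuse to continue */
}
```

On the sample it reports line 4 (strcpy) and line 6 (sprintf) and nothing else. The caveat a real plug-in has to deal with: a textual scan like this also fires on a prototype in a header or a mention in a comment, and misses a strcpy reached through a macro or function pointer, which is why production tools work on the compiler's own view of the code. The thread's point that "the compiler tells us" is partly true today: MSVC warns on strcpy as a deprecated CRT function (C4996), and gcc/clang with -O2 -D_FORTIFY_SOURCE=2 replace the strcpy on line 4 with a length-checked variant because the size of buf is known at compile time, aborting at runtime if name does not fit.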
