Reply to: Dangerous coding errors revealed

What do you mean? This is an analysis of security vulnerabilities found in the wild, not mistakes the NSA have made.

FWIW I found one of these errors (script injection vulnerability, to be precise) just before Christmas, on a prominent website owned by a well-known web entrepeneur, with people whose names I recognise as highly experienced programmers on the development team.

The same vulnerability has, at various times, affected Microsoft, Yahoo, Google, American Express, and just about every other well-known company you can think of.

Even the best developers can slip up and let one of these mistakes through.

Wot!

Who the **** are they using as programmers, 12 year olds?

tim

delete * from trade

- not a good one to try in a sql session you have kicking around thinking its a dev database, and finding out, ooh about 43 seconds later, that it wasn't

One of the biggest howlers, which many OS coders don't really understand, is failing to weaken pointers passed inside structures to core functions. If you find an example of that (and it's easy to test a function call), the whole OS is wide open.

The hardware automatically weakens pointers in the argument list when the call crosses from the user address space into the shared core address space. But there's no way it can know to delve into structures those pointers reference.

Outfits like the NSA probably keep quiet about this, as *they* exploit those weaknesses as back doors.

Probably not COBOL, PL/1, Assembler, etc. but only those new fangled kiddie script languages

There are plenty of websites that run Windows and are quite secure. Also, there are plenty of websites that run on LAMP and are hacked regularly. So no, the choice of Windows vs Linux has no place in that list (and besides, it's not a coding issue).

Well, even then it doesn't quite fit as one of the top 25 would be running windows as the OS and server the website was running on.

A more proper name for the list would be "top 25 coding errors that can lead to security problems in a website". But it wouldn't make such a good headline would it?

From the article:

Is it what happens when some kid from an Accidenture training course uses a 4GL to produce undecipherable spaghetti without actually checking the code to see if it’s any use?

I think this list starts to make sense if you are a Web front end serving up something like jsp pages (not Jackson structured programming).

For the real programming that real men do it doesn't make much sense.

Typical Yanks, all they're bothered about is putting up a good front...

CWE-3: Outsource documentation to Randy Shawadiwadi

Where are

‘CWE-1: Outsource coding to Bob Shawadiwadi’
and
‘CWE-2: Outsource functional testing to his brother Bill Shawadiwadi’?

Still, keeps us in a job eh?

Saw this at my latest client:

The try/catch block was at the outermost level in a servlet, i.e. the "do stuff" bit included the whole processing of the HTTP request.

WTF does "CWE-94:Failure to Control Generation of Code" actually mean.

You turn your back for 10 minutes and the CVS repository has doubled in size? Those one million monkeys you hired last week are writing too much code ?

Anyway I have seen so much crap code now that I am beyond caring. If people want their web system to write to flat files I really could not give a flying one these days.