The Common Weakness Enumeration (CWE) and SANS Institute (SANS) have posted the 2009 Top 25 Most Dangerous Programming Errors. As a developer who has always written code meant to be used in traditionally 'hostile' environments, it sometimes surprises me to see some of these items continue to be listed, and continue to happen so frequently. Of course, I must admit that I probably have no place passing judgment on programmers in whose situations I have never quite been. I have never worked in a very large development shop with practically unrealistic deadlines set by management/marketing types, nor have I been in a project management position on any large-scale open-source project. Large-scale projects - whether open-source or wholly commercial - tend to have their own (often different) pressures which I absolutely can understand would lead to a desire to take shortcuts, and sometimes there is no true alternative but to work quickly when one may prefer to work carefully.
However, I also do not want to provide excuses. Persons who write code for software are intelligent folks, by and large. They should know - or learn quickly - the many programming tricks and standards which can help them avoid these mistakes. Those who are tasked with dealing directly with management should also learn the interpersonal skills needed to ensure that their teams have the time they need to develop code that is reasonably safe. One reason CWE and SANS have posted this list is to help developers home in on these errors, and devote the time and energy to ensuring that these issues do not become their issues. Software development is an art to a degree, and it is such a complex one that mistakes are probably a given in all but the simplest projects. But knowing what some of the most commonly made and exploited errors are should help.
As an academic exercise, I am going to cover some of these items in some upcoming entries - including noting some cases where I have struggled with them. For now, I just wanted to pass along the link to the very useful list itself.