Top 25 Most Dangerous Programming Mistakes

check http://www.dialusername.com/

I would have thought failing to check for errors is the most common and most dangerous of all errors.

char *p = malloc(100);                                       /* return value never checked */
strcpy(p, "This will crash at times but not always");        /* writes through NULL when malloc fails */

or

File = OpenFile("Sometimes I'm locked and will throw an exception");   /* exception never caught */

After coding for more than 10 years, the no-error-check-assume-everything-is-fine style of coding, mostly done out of pure hubris or laziness, comes at the top of my list.

The danger from this sort of mistake is that you cannot prove it to be a mistake unless you actually catch the potential error happening, you cannot find the error unless you review the code, and it is most often not reproducible.

Fixing this style of coding requires adding new blocks / failure handling and other hard stuff, which is almost equal to recreating the entire code. Hence it is also almost the hardest to fix, depending on the original code quality.

Here is my list:

http://computinglife.wordpress.com/2008/06/03/what-really-is-bad-code-levels-of-bad-ness/
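The unchecked malloc/strcpy and OpenFile pattern from the comment above, written out beside a version that checks every call that can fail. This is an added example, not code from the comment or the original post; the function names and the 100-byte buffer are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from the comment thread: the unchecked pattern
   beside a version that checks every call that can fail. Names are made up. */

/* Unchecked: a NULL from malloc or a source longer than 100 bytes corrupts memory silently. */
char *copy_unchecked(const char *src) {
    char *p = malloc(100);
    strcpy(p, src);
    return p;
}

/* Checked: NULL for a NULL source, an over-long source or an allocation failure,
   so the caller cannot mistake failure for success. */
char *copy_checked(const char *src) {
    if (src == NULL)
        return NULL;
    size_t len = strlen(src);
    if (len >= 100)                 /* leave room for the terminating NUL */
        return NULL;
    char *p = malloc(100);
    if (p == NULL)                  /* malloc reports failure via its return value */
        return NULL;
    memcpy(p, src, len + 1);
    return p;
}

/* The OpenFile case: fopen fails for missing, locked or unreadable files.
   Returns 0 with the first line in out, -1 if the file cannot be opened or read
   (the caller can inspect errno for the reason). */
int read_first_line_checked(const char *path, char *out, size_t out_size) {
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(out, (int)out_size, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Constructed over-long input (149 'A's): copy_checked must reject it. */
int overlong_input_is_rejected(void) {
    char big[150];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *p = copy_checked(big);
    free(p);                        /* free(NULL) is a no-op */
    return p == NULL;
}
```

copy_unchecked is kept only to show the shape of the mistake; call it with an input longer than the buffer and the failure shows up wherever the overwritten memory is next used, which is exactly why it is hard to reproduce.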

@Jon

Except that about half of those mistakes apply to all programs, not just web-based ones. E.g. buffer overflow, unconstrained input, etc.

  1. incorrect use of blockquotes
  2. incorrect use of blockquotes

I would like to remind anyone to NOT fix those bugs if you stumble upon them, at least not before the next UI change :wink:

But, really, it seems to me that a lot of the problems result from too little abstraction.
Speaking from the perspective of a typical web app:

  1. There are frameworks to describe forms (which also care for i18n in some cases), which would even make life easier if security were no concern.
    No need to reinvent the wheel badly any time you stumble upon a "please enter your birthdate" field. You get a DateTime object or an Exception.

  2. Who the hell uses plain SQL? Are we still in the 80s? Any ORM I've seen until now takes care of this (and anyone I met who claims he wasn't using an ORM was in fact implementing a bad one ad hoc).

  3. Again, why are we tinkering to get a string, to send it to the shell to interpret it again instead of just using a command in our language?

  4. That one just cries PHP ;). Again, in my opinion, in a well designed environment there is a big difference between returning something (e.g. stuff in a template) and raising an error (e.g. raising an exception).

As I said, just from the perspective of webapps, but I guess, as long as the majority just says "ha, those idiots, they obviously do not have the discipline I have" instead of advancing toolwise, I doubt it will get any better.

From my experience, all of these get much more complicated when you are translating between Windows-1252 and UTF-8.

But that is a whole 'nother can of worms.

Check out the following URL. Does it make sense?

http://naveedslote.blogspot.com/2009/01/top-25-most-dangerous-programming_13.html

Note that item 16 nests funny under item 15 in Google Chrome… There's a missing blockquote tag.

Inherently Insecure Operating System: For servers only use BSD/Linux based systems.

Oh, Brother! what happened to top 5 or even top 10?

Top 25?? This is enough to discourage anybody, such as myself, from venturing into online site-building for serious applications, such as finance. This is a walking advertisement for the massive insecurity of cloud computing. Is it any wonder that despite Web 2.0, and the imminent Web 3.0, most serious financial research is still distributed as stone age PDFs? Can’t wait for IP addresses to be tied to real people IDs. That’s how we’ll get rid of these issues in one fell swoop.

Good list.

For input and data validation, I recommend a principle of constrain, reject, and sanitize (this is to emphasize the whitelist over blacklist approach). I also like to frame the validation as checking for length, range, format, and type.
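The length, range, format and type checks from the comment above, applied to the birthdate field mentioned earlier in the thread. This is an added example, not the commenter's own code; the YYYY-MM-DD format, the 1900..2100 year range and the function names are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Constructed example, not from the comment: "constrain, reject, sanitize" applied to a
   birthdate field, checking length, type, format and range. The YYYY-MM-DD format,
   the 1900..2100 year range and the function names are assumptions. */

static int is_leap(int y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int y, int m) {
    static const int d[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && is_leap(y)) ? 29 : d[m - 1];
}

/* Returns 1 and fills y/m/d if s is an acceptable YYYY-MM-DD birthdate, else 0.
   Whitelist: anything not matching exactly is rejected, never "fixed up". */
int validate_birthdate(const char *s, int *y, int *m, int *d) {
    if (s == NULL || strlen(s) != 10)              /* length: exactly 10 bytes */
        return 0;
    for (int i = 0; i < 10; i++) {                 /* format and type, byte by byte */
        if (i == 4 || i == 7) {
            if (s[i] != '-') return 0;
        } else if (!isdigit((unsigned char)s[i])) {
            return 0;                              /* no letters, quotes, spaces, ... */
        }
    }
    int yy = 0;
    for (int i = 0; i < 4; i++) yy = yy * 10 + (s[i] - '0');
    int mm = (s[5] - '0') * 10 + (s[6] - '0');
    int dd = (s[8] - '0') * 10 + (s[9] - '0');
    if (yy < 1900 || yy > 2100) return 0;          /* range: plausible birth year */
    if (mm < 1 || mm > 12) return 0;
    if (dd < 1 || dd > days_in_month(yy, mm)) return 0;
    *y = yy; *m = mm; *d = dd;
    return 1;
}
```

Because the checks run in that order, an over-long or oddly typed value is rejected before any of it is interpreted, which is the point of constraining first and sanitizing last.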

I was too lazy to read it from the original website, thanks for summarizing it (I am no web developer!)

@jheriko:
For managed languages, the VM is supposed to take care of the memory and make sure no other application can get access to your data. You can try overwriting your data just to be a tiny little bit safer, but it is ineffective even without garbage collection (i.e. it might end up in the swap file).
But note that this talks about resources in general. This includes things like temporary files or TCP ports etc. that those managed languages manage not much more than the normal C languages…

@CB:

Far more complicated? 23 of those 25 apply to desktop. All 25 if you use HTML help or HTML for marshaling.

Since this list is also discussed on StackOverflow (http://stackoverflow.com/questions/438073), what do you think of the fact that they do not mention Improper Exception Management? (as in http://homepage.mac.com/jimothy/articles/exceptions/horrorStories.html)

I tried to illustrate that with Joel's vision of exceptions (http://stackoverflow.com/questions/438073#438230)… but the comments are not in favor of that "goto in disguise" criticism :wink:

What do you think? Should exception management be part of that list?

The irony here is that the day this article was posted to USA Today, the CWE site was down hard! They couldn't handle the linked traffic from USA Today. Funny, plain old capacity planning didn't make the list.

I suppose being down isn’t dangerous…

http://www.usatoday.com/tech/news/computersecurity/2009-01-12-coding-flaws-hackers_N.htm?csp=usat.me

My apologies to CWE, USA Today was linked to a different site…

http://www.sans.org/top25errors/#s4

@irrelevant

The amazing thing here is not the list; the list is self-evident and nominally trivial. The amazing thing is that people are reacting to this list as if it were some kind of stunning revelation from the gods!

Funny you say that because at one point or another, you didn’t know any of these either… It’s lists like these that inform the uneducated masses and help move the web along inches at a time…

  1. Download of Code Without Integrity Check

Not really a programming error.

@HB

Funny you say that because at one point or another, you didn’t know any of these either… It’s lists like these that inform the uneducated masses and help move the web along inches at a time…

But something like this is preaching to the choir. A very large portion of the people reading this blog already know these things. The uneducated masses, as you call them, aren't reading this blog. I'm not saying it's bad to post the list, but I think you are overexaggerating its usefulness.