Top 25 Most Dangerous Programming Mistakes

@Andrew

I suppose you could be right, but many beginning programmers are searching the web for answers every day. Wouldn’t this be a good blog for them to stumble upon?

Do a quick search on Google for yourself. This post shows up as #9:

http://www.google.com/search?q=programming+mistakes

I think you might be overestimating the skill of the readers of this blog. I doubt that Jeff has 122K subscribed expert developers (you can start by adding me to the non-expert list). Even then, an occasional reminder list like this never hurts.

This list contains no brainers for some of us, but most of these security holes aren’t because a developer doesn’t know HOW to defend against it, but instead that he doesn’t know that he even NEEDS to defend against it.

21 is especially true for .NET apps, lol

Client-Side Enforcement of Server-Side Security

I loved the sound of it. Plus yeah it is one of the major causes for security breaches.

Damn all the sites that use only JavaScript validations.

@HB

I don’t think that ANY blog, or most web resources for that matter, is a good resource for a beginning programmer. Some may disagree, but I think that there is never the comprehensive knowledge gained from a good, peer reviewed, book on whatever topic it may be. This page is no different - however entertaining it may be.

Long Live The Book.

You forgot one: Don’t divide by zero.

The rapid climb to infinity (or descent into negative infinity) is a total bummer.

@Steve-O:

Too many books have these mistakes in them, some because it adds too much code, some because they were just plain dumb and put them there.

This list proves why coding for the web is far more complicated than desktop programming.

Nice points for the UI developer. Worth good… thanks…

It’s a bit more specific than the title suggests: the descriptions analyze these mistakes for security’s sake, not covering other aspects.

Example: race conditions are dangerous for your application for a number of reasons even if you are running in a completely isolated environment.

@frangiplasticator

Well chief, yes I am scared… because I want to put wholesale fixed income banking on the net. Not some retail bull. Full on trading-floor-class execution capability. But a top 25 list of holes, essentially amounting to immaturity in the infrastructure, means that I will stay with proprietary, hard-coded, shrink-wrapped apps which give me the control I need.

Wish it wasn’t so.

@tomma what are you on about? Developing any real commercial application is hard, and no matter what you do, you need to take security into account. At the very least don’t do any boneheaded things.

These rules aren’t only applicable to web apps. You sound like a scared bank employee who is still thinking that ‘only if this web thing catches on we’ll create an internet banking site.’

Just remember, the only safe application is the one that doesn’t do anything.

Security is as much about not doing the wrong thing as it is about doing the right thing. You don’t need to be perfect, just don’t do something stupid.

I concur with Mark on Jan 13. After 20 years of programming I would put among the horrors and dangers things like:

  1. Setting output enable before the output register is in a known state.
  2. Not using the volatile keyword on hardware registers.
  3. Insufficient headroom between buffer full and buffer high water mark.
  4. Improper debounce of key inputs.
  5. Badly scaled ticker interrupts.

When you have 2Kbytes for code and less for RAM you start seeing a very different world.

Alex

#1 applies to general software development… the others are focused on web development… maybe the post’s title should be different.

Good post!

Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work by Gary McGraw

http://www.informit.com/articles/article.aspx?p=1322398

To me JavaScript should only be used for non-security related web apps. Use PHP for security measures and include tons of validation. The PHP reference I have says to never trust the user’s input. That’s what I go by.
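The “Client-Side Enforcement of Server-Side Security” comment above and the “never trust the user’s input” rule in this one describe the same defence. The following is an added example, not code from the original thread or any commenter, showing what server-side enforcement looks like in a Node.js handler. The transfer form, its field names, the account-id pattern and the amount limit are assumptions made up for the illustration.

```javascript
// Added example, not from the original thread: server-side validation of a
// hypothetical "transfer" form. The browser may run the same checks for fast
// feedback, but the server never assumes that happened, because a request can
// be built with curl or a proxy and never touch the page's JavaScript.

// Assumed business limits for the illustration.
const LIMITS = { maxAmount: 10000, accountPattern: /^[0-9]{8,12}$/ };
const ALLOWED_FIELDS = new Set(['from', 'to', 'amount']);

// Validates the parsed request body. Returns { ok: true, value } for input
// that passes every check, or { ok: false, errors } listing every failure.
function validateTransfer(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  // Unknown fields are rejected, not silently dropped: an extra "admin": true
  // should be a visible error, not something a later layer might honour.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const { from, to, amount } = body;
  if (typeof from !== 'string' || !LIMITS.accountPattern.test(from)) {
    errors.push('from: invalid account id');
  }
  if (typeof to !== 'string' || !LIMITS.accountPattern.test(to)) {
    errors.push('to: invalid account id');
  }
  if (typeof from === 'string' && from === to) {
    errors.push('to: must differ from source account');
  }
  // Type check first: a string "100" or NaN would slip past comparisons alone.
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    errors.push('amount: must be a finite number');
  } else if (amount <= 0) {
    errors.push('amount: must be positive');
  } else if (amount > LIMITS.maxAmount) {
    errors.push(`amount: exceeds limit of ${LIMITS.maxAmount}`);
  } else if (Math.abs(Math.round(amount * 100) - amount * 100) > 1e-9) {
    // Tolerance absorbs binary floating-point noise such as 1.15 * 100.
    errors.push('amount: at most two decimal places');
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { from, to, amount } };
}

// Simulated request handler: parses the raw body and applies the validator
// unconditionally. Returns a { status, body } pair instead of writing to a
// real response so the logic can be exercised without a server.
function handleTransfer(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { errors: ['body is not valid JSON'] } };
  }
  const result = validateTransfer(parsed);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  // A real handler would now perform the transfer using result.value only.
  return { status: 200, body: { accepted: result.value } };
}

// Constructed sample requests: the first is what the browser form would send
// after its own checks; the second was hand-crafted and bypassed them.
const FROM_BROWSER = JSON.stringify({ from: '12345678', to: '87654321', amount: 250.5 });
const HAND_CRAFTED = JSON.stringify({ from: '12345678', to: '87654321', amount: -250.5, admin: true });

console.log(handleTransfer(FROM_BROWSER));
console.log(handleTransfer(HAND_CRAFTED));
```

The handler never asks whether the client-side checks ran; it treats every body as untrusted and rebuilds a clean `value` object from the validated fields rather than passing the raw body on, so an extra field that slipped past the form cannot reach the code that performs the transfer.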

You can take care of the cookies problem by using IP verification or by encrypting cookies, forcing them through encrypted channels.

I’ve added this in my bookmarks! Very nice top 25! Must read for all young developers :)

One of the worst mistakes a manager can make is to hire a sloppy developer who does not consider it his responsibility to write secure code. From my experience it’s pretty much black and white. If the developer is bad from the beginning, don’t let him stick around; find a new one. Bad habits die hard.

Take care, in case more errors appear.

Nice list, but it’s mostly useless to me because I don’t program web pages that need to be secure.

I think making the title specific, like “25 Worst Web Security Mistakes”, would have been better.