Dangerous coding errors revealed

BBC NEWS | Technology | Dangerous coding errors revealed

The US National Security Agency has helped put together a list of the world’s most dangerous coding mistakes.

The 25-entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

If you are one of the thousands of geeks about to get swamped by management FUD along the lines of “scan all of our software and ensure we are impacted by none of the security bugs cited above” … you have my utmost sympathy.

Comments

One response to “Dangerous coding errors revealed”

  1. The SANS institute page (http://www.sans.org/top25errors/) on this seems to me to be focusing on liability, and contract. The errors are just a guide for those purposes.

    I agree liability is part of the problem, in that most common software vendors take no, or very little, liability for errors in their code. Of course the fix for that involves paying more for the software (at least till we have an environment and set of tools that support security more readily).

    I don’t buy the experienced/inexperienced statements. I suspect I know more about these issues than a number of the experienced programmers I know. Or at least I see them making these mistakes again and again, when I know how they can be avoided.

    This week alone (and I’ve only done one day of work!) – failure to validate input (Perl Taint could have been used), failure to preserve SQL structure. I’ve hit failure to preserve OS command structure (I think Unix shell globbing is just too complex for mere mortals like me – or possibly the content of file names is too liberal – banning space, colon, semicolon, quote marks, and unprintable characters from file names would work around a lot of shell script bugs!).

    Whatever we think of those involved – they didn’t lack experience or IQ points. Possibly the wrong selection of tools, a failure to exchange experience with others, and a failure to expose code to proper review and testing.

    So yes, I could write more secure code than I do; who wants to pay me to do it?
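The three errors the commenter names above (input validation, SQL query structure, OS command structure) as an added example, not code from the post or the comment: Python rather than Perl, with a constructed in-memory table and a constructed file name, and a file-name check that applies the commenter's suggested character ban.

```python
import re
import shlex
import sqlite3

# Constructed sample data (assumption, not from the page): a legitimate name with an apostrophe.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn

def lookup_unsafe(conn, name):
    # Failure to preserve SQL query structure: the input is spliced into the statement
    # text, so an ordinary apostrophe in the data changes the shape of the query.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(conn, name):
    # Placeholder binding keeps the statement fixed; the input is only ever data.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def query_preserved(conn, lookup, name):
    """True if `lookup` handled `name` without the engine rejecting a malformed statement."""
    try:
        lookup(conn, name)
        return True
    except sqlite3.Error:
        return False

def shell_words_unsafe(cmd, filename):
    # Failure to preserve OS command structure: the name is pasted into the command line,
    # so the shell word-splits it on whitespace and leaves glob characters live.
    return shlex.split(cmd + " " + filename)

def shell_words_safe(cmd, filename):
    # Quoting keeps the name as exactly one argument; no word splitting, no globbing.
    return shlex.split(cmd + " " + shlex.quote(filename))

# The commenter's workaround: reject space, colon, semicolon, quote marks and
# unprintable characters before a file name reaches a shell script.
BAD_FILENAME_CHARS = re.compile(r"[\s:;'\"]|[^\x20-\x7e]")

def is_conservative_filename(name):
    return not BAD_FILENAME_CHARS.search(name)
```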
