Blog's from the Bush
The ramblings of a lost technocrat...

SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors


As programmers we should always be learning; it's inherent in the ecosystem that we work and live in... so for today's lesson may I present the Top 25 Most Dangerous Programming Errors.

SANS (January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

OK - I stretched the truth a bit - it will take more than a day to read through these Top 25 (the PDF is 38 pages long).

Thankfully, a PDF does exist to be downloaded, which means you can throw it onto your iPhone/iPod Touch for later reading if required!

The document is interesting in and of itself for the way the "errors" have been categorised. The three high-level categories are:

  • Insecure Interaction Between Components
  • Risky Resource Management
  • Porous Defenses

Some of these are more focused on web-based applications, like "CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')" and "CWE-352: Cross-Site Request Forgery (CSRF)", but all of them have application to the software we write every day.
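To make the two web entries named above concrete, here is a small added example (my own illustration, not code from the SANS/CWE document) showing each error beside its fix. The `session` and `form` dictionaries are assumed stand-ins for whatever your web framework hands you for the user's session and the submitted POST fields; the function names are hypothetical.

```python
"""CWE-79 and CWE-352 from the Top 25, each shown vulnerable and hardened.
Added example; the session/form dicts are assumed stand-ins for a web framework."""
import html
import hmac
import secrets


# --- CWE-79: untrusted text rendered into an HTML page ---

def greet_vulnerable(name: str) -> str:
    # User-controlled text is spliced straight into the markup, so a
    # name like <script>...</script> becomes live script in the page.
    return f"<p>Hello, {name}!</p>"


def greet_hardened(name: str) -> str:
    # Escape for the HTML text context before interpolating; quote=True
    # also covers the attribute-value context.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- CWE-352: state-changing request with no proof it came from our page ---

def issue_csrf_token(session: dict) -> str:
    # Per-session random token, embedded in the form we serve and
    # expected back on every state-changing POST.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_vulnerable(session: dict, form: dict) -> int:
    # Only checks that the user is logged in. The browser attaches the
    # session cookie automatically, so any third-party page can submit
    # this POST on the victim's behalf. Returns an HTTP-style status.
    if "user" not in session:
        return 401
    return 200  # money moved


def transfer_hardened(session: dict, form: dict) -> int:
    if "user" not in session:
        return 401
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403
    return 200  # money moved


if __name__ == "__main__":
    # Constructed sample input: a logged-in session and a forged POST body.
    sess = {"user": "alice"}
    tok = issue_csrf_token(sess)
    forged = {"to": "mallory", "amount": "100"}
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_hardened("<script>alert(1)</script>"))
    print("vulnerable:", transfer_vulnerable(sess, forged))
    print("hardened, forged:", transfer_hardened(sess, forged))
    print("hardened, genuine:", transfer_hardened(sess, {**forged, "csrf_token": tok}))
```

The same two habits carry over beyond the browser: escape for the output context you are writing into, and never let ambient credentials (a cookie, a Kerberos ticket, an agent socket) alone authorise a state change.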

If you're not up to it and think this is all boring stuff because your software is perfect, then prove yourself right: read just a few of these each day and you'll be able to congratulate yourself on the magnificent work you've done. If you find out something new, you win as well, because you get to improve your software.

Load the PDF onto something useful and portable so that it's ready the next time you've got a few minutes to spare (waiting in a queue, in a taxi, at the airport, you get the idea).


About the Author

I've been described as a lost technocrat or a wandering luddite; personally, I just like everything that takes us forward.


As the principal of CPPL I try to deliver OSS web solutions to our clients and Cocoa platform software for end-users and businesses alike. Oh, and we enjoy writing iOS software for the iPhone & iPad.


About this Entry

This page contains a single entry by craig published on January 14, 2009 1:00 PM.
