*
programming and human factors
by Jeff Atwood
*
I don't usually do news and current events here, but I'm making an exception for the CWE/SANS Top 25 Most Dangerous Programming Errors list. This one is important, and deserves a wide audience, so I'm repeating it here -- along with a brief hand-edited summary of each error.
If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're not familiar with, or that piques your interest.
Ensure that your input is valid. If you're expecting a number, it shouldn't contain letters. Nor should the price of a new car be allowed to be a dollar. Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today's most common vulnerabilities can be eliminated, or at least reduced, with strict input validation.
Insufficient output encoding is at the root of most injection-based attacks. An attacker can modify the commands that you intend to send to other components, possibly leading to a complete compromise of your application - not to mention exposing the other components to exploits that the attacker would not be able to launch directly. When your program generates outputs to other components in the form of structured messages such as queries or requests, be sure to separate control information and metadata from the actual data.
If attackers can influence the SQL that you send to your database, they can modify the queries to steal, corrupt, or otherwise change your underlying data. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security.
Cross-site scripting (XSS) is a result of combining the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject Javascript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you -- because, after all, it did come from you! Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man.
Your software acts as a bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, and you allow untrusted inputs to be fed into the command string, you are inviting attackers into your operating system.
Information sent across a network crosses many different nodes in transit to its final destination. If your software sends sensitive, private data or authentication credentials, beware: attackers could sniff them right off the wire. All they need to do is control one node along the path to the final destination, any node within the same networks of those transit nodes, or plug into an available interface. Obfuscating traffic using schemes like Base64 and URL encoding offers no protection.
Cross-site request forgery is like accepting a package from a stranger -- except the attacker tricks a user into activating a HTTP request "package" that goes to your site. The user might not even be aware that the request is being sent, but once the request gets to your server, it looks as if it came from the user -- not the attacker. The attacker has masqueraded as a legitimate user and gained all the potential access that the user has. This is especially handy when the user has administrator privileges, resulting in a complete compromise of your application's functionality.
A race condition involves multiple processes in which the attacker has full control over one process; the attacker exploits the process to create chaos, collisions, or errors. Data corruption and denial of service are the norm. The impact can be local or global, depending on what the race condition affects - such as state variables or security logic - and whether it occurs within multiple threads, processes, or systems.
Chatty error messages can disclose secrets to any attacker who misuses your software. The secrets could cover a wide range of valuable data, including personally identifiable information (PII), authentication credentials, and server configuration. They might seem like harmless secrets useful to your users and admins, such as the full installation path of your software -- but even these little secrets can greatly simplify a more concerted attack.
The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. Attack and detection techniques continue to improve, and today's buffer overflow variants aren't always obvious at first or even second glance. You may think that you're completely immune to buffer overflows because you write your code in higher-level languages instead of C. But what is your favorite "safe" language's interpreter written in? What about the native code you call? What languages are the operating system API's written in? How about the software that runs Internet infrastructure?
If you store user state data in a place where an attacker can modify it, this reduces the overhead for a successful compromise. Data could be stored in configuration files, profiles, cookies, hidden form fields, environment variables, registry keys, or other locations, all of which can be modified by an attacker. In stateless protocols such as HTTP, some form of user state information must be captured in each request, so it is exposed to an attacker out of necessity. If you perform any security-critical operations based on this data (such as stating that the user is an administrator), then you can bet that somebody will modify the data in order to trick your application.
When you use an outsider's input while constructing a filename, the resulting path could point outside of the intended directory. An attacker could combine multiple ".." or similar sequences to cause the operating system to navigate out of the restricted directory. Other file-related attacks are simplified by external control of a filename, such as symbolic link following, which causes your application to read or modify files that the attacker can't access directly. The same applies if your program is running with raised privileges and it accepts filenames as input. Similar rules apply to URLs and allowing an outsider to specify arbitrary URLs.
Your software depends on you, or its environment, to provide a search path (or working path) to find critical resources like code libraries or configuration files. If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing.
While it's tough to deny the sexiness of dynamically-generated code, attackers find it equally appealing. It becomes a serious vulnerability when your code is directly callable by unauthorized parties, if external inputs can affect which code gets executed, or if those inputs are fed directly into the code itself.
If you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can modify that code before it reaches you. They can hack the download site, impersonate it with DNS spoofing or cache poisoning, convince the system to redirect to a different site, or even modify the code in transit as it crosses the network. This scenario even applies to cases in which your own product downloads and installs updates.
When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposted items, looking for sensitive data. They could also potentially reuse those resources.
If you don't properly initialize your data and variables, an attacker might be able to do the initialization for you, or extract sensitive information that remains from previous sessions. If those variables are used in security-critical operations, such as making an authentication decision, they could be modified to bypass your security. This is most prevalent in obscure errors or conditions that cause your code to inadvertently skip initialization.
When attackers have control over inputs to numeric calculations, math errors can have security consequences. It might cause you to allocate far more resources than you intended - or far fewer. It could violate business logic (a calculation that produces a negative price), or cause denial of service (a divide-by-zero that triggers a program crash).
If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise that unauthorized functionality.
Grow-your-own cryptography is a welcome sight to attackers. Cryptography is hard. If brilliant mathematicians and computer scientists worldwide can't get it right -- and they're regularly obsoleting their own techniques -- then neither can you.
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
Beware critical programs, data stores, or configuration files with default world-readable permissions. While this issue might not be considered during implementation or design, it should be. Don't require your customers to secure your software for you! Try to be secure by default, out of the box.
You may depend on randomness without even knowing it, such as when generating session IDs or temporary filenames. Pseudo-Random Number Generators (PRNG) are commonly used, but a variety of things can go wrong. Once an attacker can determine which algorithm is being used, he can guess the next random number often enough to launch a successful attack after a relatively small number of tries.
Your software may need special privileges to perform certain operations; wielding those privileges longer than necessary is risky. When running with extra privileges, your application has access to resources that the application's user can't directly reach. Whenever you launch a separate program with elevated privileges, attackers can potentially exploit those privileges.
Don't trust the client to perform security checks on behalf of your server. Attackers can reverse engineer your client and write their own custom clients. The consequences will vary depending on what your security checks are protecting, but some of the more common targets are authentication, authorization, and input validation.
Of course there's nothing truly new here; I essentially went over the same basic list in Sins of Software Security almost two years ago. The only difference is the relative priorities, as web applications start to dominate mainstream computing.
This list of software security mistakes serves the same purpose as McConnell's list of classic development mistakes: to raise awareness. A surprisingly large part of success is recognizing the most common mistakes and failure modes. So you can -- at least in theory -- realize when your project is slipping into one of them. Ignorance is the biggest software project killer of them all.
Heck, even if you are aware of these security mistakes, you might end up committing them anyway. I know I have.
Have you?
A good reference for data validation guidelines a href=http://www.owasp.org/index.php/Testing_for_Data_Validationhttp://www.owasp.org/index.php/Testing_for_Data_Validation/a">http://www.owasp.org/index.php/Testing_for_Data_Validation/a">http://www.owasp.org/index.php/Testing_for_Data_Validationhttp://www.owasp.org/index.php/Testing_for_Data_Validation/a
Mu Li on January 13, 2009 1:01 AMabsolutely hilarious - from the mitre.com web site The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe.
So I'm wondering how many highly expensive top software security expert man-hours were invested in this trivial list of obvious errors.
They could have just asked on stackoverflow.com and gotten the same or a better list in a few minutes.
the amazing thing here is not the list, the list is self-evident and nominally trivial; the amazing thing is that people are reacting to this list like it is some kind of stunning revelation from the gods!
A really good resource is The Open Web Application Security Project
http://www.owasp.org/index.php/Main_Page
Sebastian Otaegui on January 13, 2009 2:38 AMthe amazing thing here is not the list, the list is self-evident and nominally trivial; the amazing thing is that people are reacting to this list like it is some kind of stunning revelation from the gods!
Simple explanation:
Content ... hmmm...
Audience size ... hmmm...
Audience type ... HMMM... (+me)
Match!!!!!
Post!
Nothing very wrong, given the already populous knowledge bank of how to be a better programmer articles. Hey, I have my own 30 points on the internets elsewhere, but they make most sense for someone like me, but maybe not you. Maybe you could post links to articles around the web describing similar errors in well-known web or dekstop apps so that the thread becomes a bit more useful.
Like this: 15 -- http://en.wikipedia.org/wiki/Md5sum
dekstop. nit.pick();
@Serge: they can, and often do. An improperly checked return value, which almost made it onto the top 25, is behind the most recent OpenSSL vulnerability that let attackers spoof certificates. A recent Linux kernel issue involved a wrong variable in a function call. If you use a regular expression with improper anchoring, maybe you'll find that you're checking if your input contains *at least one* digit, instead of *only* digits. If you really want to dig deep into the inter-relationships between regular bugs and vulnerabilities, take a look at CWE's chains and composites.
@Kinesh: (1) is a goal of ours. (2) is a concern, but this will likely evolve into best-practice claims by the vendor like we ran security-tool X against this code, and we're clean - which is more actionable than the nothing we have today.
@silvercode: now that customers can ask what do you do about the Top 25, if it begins to affect the bottom line, your non-PHB managers will have to figure out how to make budget and training available.
@hribek: this list isn't one man said it. It's a bunch of gov't organizations, software developers, security vendors, and academics said it.
@Mark: only two items are really web-only. Other items show up all the time in web, but they apply to other classes of software, too.
@Atwood: new fanboy here. can't believe I only found your site last week while digging up more info on HttpOnly. Check out CWE-445, CWE-355, and CWE-655, you'll dig 'em. Naturally, nobody pays attention to those CWEs or their children (they're also in a messier corner of the CWE, apologies ahead of time).
Steve Christey
The MITRE Corporation
Top 25 document editor
I like the list, but two things spring to mind right away:
1. These aren't mistakes!! For instance, failure to check input to make sure it doesn't contain SQL injections ISN'T a mistake. In a world without hackers, this code would work perfectly well. In the context of programming, the program is working without mistake.
Don't get me wrong, I agree that this loop-hole that should be addressed, but rather than considering it a mistake of the programmer, consider it part of the securing of the application and therefore the responsibility of the project lead(s)/software designer(s). That is, injection blocking code can be implemented in a custom control (which extends the base controls), and therefore the programmer never needs to worry about it. It would be a mistake to use an insecure control - but that's the end of the programmer's responsibility.
2. This list is almost entirely web based or client facing software. Internal software (such as the ERP I manage) has easier security to manage because you know the specific users connecting, and you know exactly what they should have permission to and what they shouldn't. I'm not saying that the program's aren't open to these types of attacks, but their logins and activity are tracked down to the user - so the person would be fired.
Philip on January 13, 2009 5:15 AMI think #1 and #2 are the biggest problems I face in web development. People just don't get that some idiot will put his address in the 'phone' field and totally shatter the back-end if you don't validate it.
Great list Jeff.
Maximillian on January 13, 2009 6:08 AMWhoa, speaking of coding horrors! Very McConnell-ish list; i.e., excellent and required reading. Top marks, and thanks.
I deeply hate valueless comments like use Linux OSs for safety. Linux is no silver bullet of the security. Usually has a larger attack surface than Windows Server.
Andrei Rinea on January 13, 2009 6:41 AMFine list. The first item is very important, but the implementation all too often leads to usability problems with unnecessary harsh demands on input formatting. I'd like to suggest splitting it in two:
1 a: Allow all user input that can be interpreted unambiguously.
1 b: Never trust input from the client.
Ideally a system accepts today as a date input (Outlook does this) and at the same time implements vigorous validation on the server side.
The list seems to boil down to :
Check what you are given - don't assume it is valid/clean/good
Program correctly : Initialise/deallocate memory correctly
Use Really random numbers
Use descent encryption
Use a real security system
Security is based on least access : don't give anyone/anything more access/information that it needs
I think that covers all 25 points ....
Jaster on January 13, 2009 6:52 AMJeff, you are missing an end blockquote on #15 ;) good read.
Jab on January 13, 2009 6:52 AMSince my career change into programming three years ago, at age 28, I notice a whole lot of some idiot phrases, almost on the middle-school heights of usage. I wonder if you would comment on programmer egotism.
Jesse on January 13, 2009 6:53 AMHey Now Jeff,
What a great post. I'm bout to read it again.
Coding Horror Fan,
Catto
What, no pics? I thought someone had hacked your url and redirected to some other person's blog.
Justin Etheredge on January 13, 2009 6:59 AM26.) Improper nesting of HTML-Lists
Peritus on January 13, 2009 7:05 AMOddly enough, I don't see the word security in your introduction. However, the 25 listed items are ALL related to security. Does it mean that dangerous programming mistakes boils down security holes?
Serge Wautier on January 13, 2009 7:14 AMIf you work on software in any capacity
I guess you mean website software. I work on a hell of a lot of software and very little of it has any relation to this stuff :)
However, I am always dealing out bitchslaps to our web guys about these exact things. Emailed!
Mark on January 13, 2009 7:18 AMNow this is what Coding Horror is all about! (at least on the surface anyways)
Thank you Jeff. :)
Cheers
Patrick on January 13, 2009 7:25 AM@Serge Wautier: that's what makes it dangerous.
Andy on January 13, 2009 7:28 AMMore cut-n-paste please.
Cut-N-Paste on January 13, 2009 7:31 AMNice blog engine! Looks like it handles ordered lists like a champ.
Josh Stodola on January 13, 2009 7:40 AMI know I am an ass for this, but I found that thera are only 12 not promised 30 items. And even those 12 can be reduced...
1/ Improper Input Validation ... path , user input, download without integrity check
2/Untrusted Source ... similar data validation, but checks on more human level, untrusted seach path
3/Failure to Fullfil Constrains ... buffer overflow
4/Improper Initialization or Relase of Resource .... unitialized data,
5/Failure to Preserve Proper Structure ... encoding or escaping of textual data, SQL, html, control generation of code
6/Client-Side Enforcement of Server Side Security
7/Revealing Potentially Misused Infromation .... os calls in text file, cleartext transmission of sensitive data - hard coded passwords, error message information leak
8/Giving Privilegies to Access Potentially Misused Information ( their executing)... data critical to keep valid state of program, external file names,
9/Race Condition
10/Incorrect Calculation
11/Insufficent Random Values
12/Use of Weak Cryptographic Algorightms
---------------------------------------------------------------------
You can blog about this phenomena. About CcCv style of passing information. Whethre it is better to parse it on server or client side ;) ~ in other words ~ whether one must not read all that superficial crap or one can train his deciphering ability. That would be interesting !
I personally hate stuff like these lists. First, they can be reduced because author, mostly some journalist, usually lacks some knowledge. Second they don't have some believable proof other than that man said it.
These problems are logical (programmers error), syntactical, ... If one wrote such funny paper about it one should not bother even publishing it. It looks like it was made up by some hired students.
;)
26) No one forces programmers to check security vulnerabilities
27) There is no budget for forcing programmers to check security vulnerabilities
28) There is no budget for checking security vulnerabilities
29) No one checks are security vulnerabilities checked
30) There is no budget for checking are security vulnerabilities checked
31) And so on
I looked through this initiative a little more, and while the list of errors is good and reflects the opinions of many professionals, I'm a little worried what it can mean.
(1) Customers (governments, users, etc.) will now require that software companies / vendors 'certify' their code to be compliant with this list - now if there is a catastrophic mistake, the economic liability falls on the software company, not the customer.
(2) This would be fine and dandy except this list contains extremely common and hard-to-eliminate errors such as buffer overflow / memory leak, resource initialization /shutdown, etc. These are almost impossible to completely eliminate, and I really don't see how it would work.
Kinesh on January 13, 2009 7:52 AMI'd disagree with most of the criticism. The point of this shared Internet of ours isn't to find precise, or even academic, text. Just because it's redundant in some areas doesn't mean there is any fault to be found. After all, we rarely measure understanding in terms of simple mathematics, despite the fact that we can boil everything down to it.
Jeff, this post is another great one and another good sign that you'd make a great teacher/lecturer. It's not whether or not you can boil reality down to numbers and figures; it's all about sharing that information. If you've ever got an inkling to speak, give me a call.
Raymond Berg on January 13, 2009 7:56 AMA modest suggestion: How about a 'reference implementation' of a non-trivial website that explicitly follows all these rules? It would be important to note that such an implementation would -not- be guaranteed to be secure, and would be subject to regular revision-- But still, without an actual implementation, isn't this really just all yakety-yak, i.e., the security version of vaporware?
MattF on January 13, 2009 7:56 AMI quite like this one:
Improper Resource Shutdown or Release
When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposted items, looking for sensitive data. They could also potentially reuse those resources.
So, how exactly do we do this when .NET, Java or etc... manage our memory for us (presumably to help defeat 10. Failure to Constrain Operations within the Bounds of a Memory Buffer)? The way I understand it, none of these garbage collection system free the resources immediately... does this mean we shouldn't use them?
Personally I think we should use them... but only because /I/ can't think of a way to exploit this feature. However the smarter attacker might...
I'm not just making this point because I want something more useful than object.Dispose() in .NET languages. Honest!! :)
I think we also need a number 16 - Relying on 3rd party libraries, tools and APIs being secure.
jheriko on January 13, 2009 7:57 AMYour description of race condition is wrong. There is no need for the attacker to have full control over one process. A race condition is merely a synchronization issue, where properly timed inputs and program execution can lead to an unexpected state of the program.
Thomas on January 13, 2009 8:00 AMRe: Drawing a web page isn't programming. Sheesh.
So you're totally okay with your bank thinking that their online banking Web site isn't programming.
Web sites have matured, sheesh. You should follow their lead.
Joe on January 13, 2009 8:10 AMI can think of a few other programming mistakes:
26. Programming without coffee
27. Flatulence in XP/paired programming practices
Charles on January 13, 2009 8:17 AM
Drawing a web page isn't programming. Sheesh.
Though I suppose even in Word you can let yourself in for some of these troubles.
sheesh on January 13, 2009 8:19 AM@Mark: keep thinking that internal software doesn't have to worry about hostile users or environments. It keeps people like me in business :)
Bill Weiss on January 13, 2009 8:31 AMI'm working on a software package that does all these things. It is a vendor application and we're not allowed to change it, but I'm really freaked out by it. For a year now, I've been saying it's not secure and buggy, and won't be reliable... and I'm afraid of what the consequences will be when I'm proven right. And it costs $1.5 million - yeah - one and a half million dollars!
Jasmine on January 13, 2009 8:37 AMAbout 18 - Incorrect Calculation...
Isn't that the same as #1? If you prevent allowing people to enter the price of a car as $1, you would also prevent them from ordering -100 quantity of an item.
Or perhaps that example in #1 should be moved to #18; call #1 validation of type and format and #18 validation of *value*.
Side note -- on the unexpected ways attackers can enter input; I remember a WinForms control that I was testing a few years ago where only 10 digits could be typed, but any length and/or type of characters could be pasted using the context menu. Lesson learned: Don't put all your validation in KeyDown!
3,4 and 5 are just the consequences of 2.
Great list though.
[)amien
Damien Guard on January 13, 2009 8:54 AMI was actually going to send you a link to this! What was I thinking lol, of course Jeff would have got this and blogged about it.
I'm still going to write a blog article about it anyway, least I'll get to do some more research.
dean nolan on January 13, 2009 8:54 AMWhat do you think about encryption with Silverlight for AJAX? I found this implementation which looks nice:
Manuel on January 13, 2009 9:20 AM#26. Breaking another software developer's copyright and terms of service, especially for use in your own commercial venture:
This is a major milestone — we’ve essentially de-obfuscated the WMD code, which was my #1 goal! - Jeff Attwood
http://blog.stackoverflow.com/2009/01/wmd-editor-reverse-engineered/
The JavaScript files provided through this service are copyright 2007 AttackLab. You are not permitted to modify, redistribute, or reverse-engineer these JavaScript files. - WMD Terms of Service
angry programmer on January 13, 2009 10:02 AMcheck http://www.dialusername.com/
nadia on January 13, 2009 10:10 AMI would have thought failing to check for error is the most common and most dangerous of all errors
char * p = malloc (100)
strcpy(p, THis will crash at times but not always);
or
File = OpenFile(Sometimes i'am locked and will throw exception);
After coding for more than 10 years, no-error-check-assume-everything-is-fine style of coding mostly done out of pure hubris or laziness come at the top of my list
The danger from these sort of mistake is that, you cannot prove it to be a mistake unless you actually catch the potential error to be happening, you cannot find the error unless you review the code and it is most often not reproducable.
Fixing this style of coding requires to add new blocks / failure handling and other hard stuff which is almost equal to recreating the entire code. Hence it is also almost the hardest to fix depending on the original code quality.
Here is my list -
http://computinglife.wordpress.com/2008/06/03/what-really-is-bad-code-levels-of-bad-ness/
computinglife on January 13, 2009 10:17 AM@Jon
Except that about half of those mistakes apply to all programs, not just web-based ones. E.g. buffer overflow, unconstrained input, etc.
grampus on January 13, 2009 10:42 AM1. incorrect use of blockquotes
1. incorrect use of blockquotes
I would like to remind anyone to NOT fix those bugs if you stuble upon them, at least not before the next UI change ;)
But, really, it seems to me that a lot of the problems result from to little abstraction.
Speaking from the perspective of a typical web app:
1. There are frameworks to describe forms (which also care for i18n in some cases), which would even make life easier if security was no concern.
No need to reinvent the wheel badly anytime you stumble upon a please enter your birthdate-field. You get a DateTime-Object or an Exception.
3. Who the hell uses plain SQL? Are we still in the 80s? Any ORM i've seen until now takes care of this (and anyone i met who claims he wasn't using an ORM was in fact implementing a bad one ad hoc).
5. Again, why are we tinkering to get a string, to send it to the shell to interpret it again instead of just using a command in our language?
9. That one just cries PHP ;). Again, in my opinion a in well designed environment there is a big difference between returning something (e.G. stuff in a template) and raising an error (e.G. raising an exception).
As i said, just from the perspective of webapps, but i guess, as long as the majority just says ha, those idiots, they obviously do not have the discipline i have instead of advancing toolwise, i doubt it will get any better.
keppla on January 13, 2009 11:10 AMFrom my experience, all of these get much more complicated when you are translating between Windows-1252 and UTF-8.
But that is a whole 'nother can of worms.
Practicality on January 13, 2009 11:39 AMcheck out following url? does it make sense?
http://naveedslote.blogspot.com/2009/01/top-25-most-dangerous-programming_13.html
abc on January 13, 2009 11:52 AMNote that item 16 nests funny under item 15 in Google Chrome.... Theres a missing blockquote tag.
Corey Stup on January 13, 2009 12:30 PMInherently Insecure Operating System: For servers only use BSD/Linux based systems.
Brian on January 13, 2009 12:44 PMOh, Brother! what happened to top 5 or even top 10?
Top 25?? This is enough to discourage anybody, such as myself, from venturing into online site-building for serious applications, such as finance. This is a walking advertisement for the massive insecurity of cloud computing. Is it any wonder that despite Web 2.0, and the imminent Web 3.0, most serious financial research is still distributed as stone age PDFs? Can't wait for IP addresses to be tied to real people IDs. That's how we'll get rid of these issues in one fell swoop.
tomma on January 14, 2009 1:07 AMGood list.
For input and data validation, I recommend a principle of constrain, reject, and sanitize (this is to emphasize the whitelist over blacklist approach) I also like to frame the validation as check for length, range, format, and type.
J.D. Meier on January 14, 2009 1:45 AMI saw too lazy to read it from original website, thanks for summarizing it ( I am no web developer!)
SV on January 14, 2009 2:26 AM@jheriko:
For managed languages, the VM is supposed to take care of the memory and make sure no other application can get access to your data. You can try overwriting your data just to be a tiny little bit more safe, but it is ineffective even without garbage collection (i.e. it might end up in the swap file).
But note that this talks about resources in general. This includes things like temporary files or tcp ports etc. that those managed languages manage not much more than the normal C languages...
@CB:
Far more complicated? 23 of those 25 apply to desktop. All 25 if you use HTML help or HTML for marshaling.
Since this list is also discussed on StackOverflow (http://stackoverflow.com/questions/438073), what do you think of the fact they do not mention Improper Exception Management ? (as in http://homepage.mac.com/jimothy/articles/exceptions/horrorStories.html)
I tried to illustrate that with Joel's vision of exceptions (http://stackoverflow.com/questions/438073#438230)... but the comments are not in favor of that goto in disguise criticism ;)
What do you think ? Should Exception management be part of that list ?
VonC on January 14, 2009 5:00 AMThe irony here is that the day this article came was posted to USA today, the CWE site was down hard! They couldn't handle the linked traffic from USA Today. Funny, plain old capacity planning didn't make the list.
I suppose being down isn't dangerous...
http://www.usatoday.com/tech/news/computersecurity/2009-01-12-coding-flaws-hackers_N.htm?csp=usat.me
My apologies to CWE, USA Today was linked to a different site...
http://www.sans.org/top25errors/#s4
@irrelevant
the amazing thing here is not the list, the list is self-evident and nominally trivial; the amazing thing is that people are reacting to this list like it is some kind of stunning revelation from the gods!
Funny you say that because at one point or another, you didn't know any of these either... It's lists like these that inform the uneducated masses and help move the web along inches at a time...
HB on January 14, 2009 6:23 AM15. Download of Code Without Integrity Check
Not really a programming error.
Joe Beam on January 14, 2009 7:55 AM@HB
Funny you say that because at one point or another, you didn't know any of these either... It's lists like these that inform the uneducated masses and help move the web along inches at a time...
But something like this is preaching to the choir. A very large portion of the people reading this blog already know these things. The uneducated masses as you call them, aren't reading this blog. I'm not saying it's a bad to post the list, but I think you are overexaggerating it's usefulness.
@Andrew
I suppose you could be right, but many beginning programmers are searching the web for answers every day. Wouldn't this be a good blog for them to stumble upon?
Do a quick search on Google for yourself? This post shows up as #9...
http://www.google.com/search?q=programming+mistakes
I think you might be over estimating the skill of the readers of this blog. I doubt that Jeff has 122K subscribed expert developers (you can start by adding me to the non-expert list). Even then, an occasional reminder list like this never hurts.
This list contains no brainers for some of us, but most of these security holes aren't because a developer doesn't know _HOW_ to defend against it, but instead that he doesn't know that he even _NEEDS_ to defend against it.
HB on January 14, 2009 9:16 AM21 specially true for .net apps, lol
Chris Richner on January 14, 2009 9:49 AMClient-Side Enforcement of Server-Side Security
I loved the sound of it. Plus yeah it is one of the major causes for security breaches.
Damn all the sites that use only Javascript validations.
Mohit Nanda on January 14, 2009 10:08 AM@HB
I don't think that ANY blog, or most web resources for that matter, is a _good_ resource for a beginning programmer. Some may disagree, but I think that there is never the comprehensive knowledge gained from a good, peer reviewed, book on whatever topic it may be. This page is no different - however entertaining it may be.
Long Live The Book.
Steve-O on January 14, 2009 10:26 AMYou forgot one: Don't divide by zero.
The rapid climb to infinity (or descent into negative infinity) is a total bummer.
Steve on January 14, 2009 10:29 AM@Steve-O:
Too many books have these mistakes in them, some because it adds too much code, some because they were just plain dumb and put them there.
Rob on January 14, 2009 10:57 AMThis list proves why coding for the web is far more complicated than desktop programming.
CB on January 14, 2009 12:34 PMNice points for the UI developer. Worth good... thanks..
It's a bit more specific than the title suggests: the descriptions analyze these mistakes for security's sake, not covering other aspects.
Example: race conditions are dangerous for your application for a number of reasons even if you are running in a completely isolated environment.
Phil on January 15, 2009 1:11 AM@frangiplasticator
Well chief, yes I am scared.... because I want to put wholesale fixed income banking on the net. Not some retail bull. Full on trading-floor-class execution capability. But a top 25 list of holes, essentially amounting to immaturity in the infrastructure, mean that I will stay with proprietary, hard coded shrink wrapped apps which give me the control I need.
Wish it wasn't so.
tomma on January 15, 2009 1:16 AM@tomma what are you on about? Developing any real commercial application is hard, and no matter what you do, you need to take security into account. At the very least done do any boneheaded things.
These rules aren't only applicable to web apps. You sound like a scared bank employee that still thinking that 'only if this web thing catches on we'll create an internet banking site.'
Just remember, the only safe application is the one that doesn't do anything.
Security is as much about not doing the wrong thing as it is about doing the right thing. You don't need to be perfect, just don't do something stupid.
frangiplasticator on January 15, 2009 1:48 AMI concur with Mark on Jan 13, after 20 years of programming I would put among the horrors and dangers things like
1) Setting output enable before output register is in known state.
2) Not using volatile keyword on hardware registers
3) Insufficient headroom between buffer full and buffer high water mark.
4) Improper debounce of key inputs
5) badly scaled ticker interrupts
When you have 2Kbytes for code and less for RAM you start seeing a very different world.
Alex
AlexOD on January 15, 2009 5:45 AM#1 apply for general sofware development... the others are focused on web developmnet...maybe the post's title should be different.
Good post!
Rulas on January 15, 2009 10:56 AMTop 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work by Gary McGraw
http://www.informit.com/articles/article.aspx?p=1322398
Jakub Narbski on January 17, 2009 1:27 AMTo me Javascript should only be used for non-security related web apps. Use PHP for security measures and include tons of validation. The PHP reference I have says to never trust the user's imput. That's what I go by.
BM on January 17, 2009 2:54 AMYou can take care of cookies problem by using IP verification or encrypting cookies forcing them through encrypted channels.
BM on January 17, 2009 3:00 AMI've added this in my bookmarks! Very nice top 25! Must read for all young developers :)
Nicholas on January 19, 2009 10:32 AMOne of the worst mistakes a *manager* can do is to hire a sloppy developer who does not consider it his responsibility to write secure code. From my experience it's pretty much black and white. If the developer is bad from the beginning don't let him stick around, find a new one. Bad habits die hard.
Alex on April 28, 2009 12:33 PMtake care. in case more erros appear.
supra skytop on July 29, 2009 2:20 AMNice list, but it's mostly useless to me because I don't program web pages that need to be secure.
I think making the title specific, like 25 worst web security mistakes would have been better.
Jon on February 6, 2010 11:13 PMThis is only a preview. Your comment has not yet been posted.
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
| Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved. |
Subscribe in a reader
Subscribe via email
Posted by: |