The Top 25 Ways To Ruin A Program

Feb 13, 2008
The NSA (National Security Agency) has put together 25 of the world's most dangerous coding mistakes.

The list, which appears not to be understood by a number of programmers, highlights the errors that can lead to vulnerabilities in computer code.

Just two of them, according to the SANS Institute [http://www.sans.org/], led to over 1.5m web site security breaches during 2008.

"This list is primarily for people who have first responsibility for designing a system. Veteran programmers have probably learnt the hard way, whereas a brand new programmer will be making more basic errors," said Patrick Lincoln, director of the Computer Science Laboratory at SRI International.

"The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent - ankle-biters if you will - would be deterred from breaking in," he said.

The list in full (hands up if you know what half of these mean):
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure
CWE-79: Failure to Preserve Web Page Structure
CWE-78: Failure to Preserve OS Command Structure
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery
CWE-362: Race Condition
CWE-209: Error Message Information Leak
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation
CWE-285: Improper Access Control
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

So, next time you want to have a pop at Steam, PSN or X-Box Live, have a thought about how many error numbers they've already had to sift through.

Source BBC [http://news.bbc.co.uk/1/hi/technology/7824939.stm]

black lincon

Aug 21, 2008
You know what's odd: I saw that blue screen 20 minutes ago, and now I'm scared to death it will happen again. In reality this computer is 6 years old and really needs to be gotten rid of; maybe it's a blessing in disguise.
 

Fightgarr

Dec 3, 2008
They forgot the crippling issue of rampaging cyberspace trolls. Those are a bigger problem.
 

Ronmarru

Aug 17, 2008
Which one of these makes me break the law and perform illegal operations? That seems to be my number one problem.
 

Mrsoupcup

Jan 13, 2009
My computer broke when I was online. Do hackers jerk off to fucking up people's computers?
 

Widdershins

Jan 14, 2009
This news article doesn't have anything to do with bluescreens specifically. It has to do with vulnerabilities in software that can be abused to take control of the system and gain information from the outside without authorization (hacked).

These are all errors of a different sort: they're not errors that throw up a warning and make the program stop working, they're errors in the DESIGN of the system itself that expose it to outside attacks. These attacks might be designed to make the machine crash, but usually they are trying to get in and out silently and steal as much valuable information as possible.

If a computer bluescreens while someone is hacking it, then the hacker just failed, because they have to start all over trying to get into it.

All of these things make sense to me. That's because I'm a programmer, and I know what they're talking about. "A number of programmers" are inexperienced and will naturally not know what's being referred to here.

I was expecting more people here to know these things.
 
Feb 13, 2008
Widdershins said:
This news article doesn't have anything to do with bluescreens specifically. It has to do with vulnerabilities in software that can be abused to take control of the system and gain information from the outside without authorization (hacked).
All true, but you try finding a picture of one of the other errors. :)
 

Calobi

Dec 29, 2007
tijuanatim said:
I don't speak gobbledy-gook. Is there a way to translate this page to English?
Dear newish programmers and lead programmers:
If you make a mistake listed below, fecal matter will hit the fan eventually. Don't do it.
Sincerely,
NSA

If you're asking what these errors all are, they're ways people can, with a little time, get into your private information or generally make programmers' and developers' days miserable and painful.

Edit: Okay, the top part of that is supposed to be in letter format (tabs and spaces are not right in the post). Just imagine it that way. That will be all.
 

bkd69

Nov 23, 2007
cobra_ky said:
The_root_of_all_evil said:
CWE-330:Use of Insufficiently Random Values
this one's my favorite. i was looking for buffer overflows though :(
*ahem*
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer

But now I must go hide, for The Escapist has now exposed all my secret shame to the website.
 

cobra_ky

Nov 20, 2008
bkd69 said:
cobra_ky said:
The_root_of_all_evil said:
CWE-330:Use of Insufficiently Random Values
this one's my favorite. i was looking for buffer overflows though :(
*ahem*
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer

But now I must go hide, for The Escapist has now exposed all my secret shame to the website.
I SAID I WAS LOOKING OK

i just didn't find it ;_;