Slashdot Mirror

← Back to Stories (view on slashdot.org)

The 25 Most Dangerous Programming Errors

Posted by samzenpus on from the spilling-your-soda dept.

Hugh Pickens writes "The Register reports that experts from some 30 organizations worldwide have compiled 2010's list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications. The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users. The top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. Interestingly enough the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010. Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques. 'As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,' the introduction to the list states and includes a draft contract with the terms customers should request to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered."

17 of 534 comments (clear)

  1. Yeah, right. by Anonymous Coward · · Score: 5, Insightful

    I'll sign such a contract, but the project will take twice as long and my hourly rate will go up 300%.

    People like to draw the comparison with civil engineering, where an engineer may be liable (even criminally) if, say, a bridge collapsed. But this isn't really the same thing. We're not talking about software that simply fails and causes damage. We're talking about software that fails when people deliberately attack it. This would be like holding a civil engineer responsible when a terrorist blows up a bridge -- he should have planned for a bomb being placed in just such-and-such location and made the bridge more resistant to attack.

    The fault lies with two parties -- those who wrote the insecure code, and those who are attacking it. I'll start taking responsibility for my own software failures when the justice system starts tracking down these criminals and prosecuting them. Until then, I'll be damned if you're going to lay all the blame on me.

    1. Re:Yeah, right. by timmarhy · · Score: 5, Insightful
      Not only will it take twice as long and cost 3 times as much, but i'd also reserve the right to deny the customer any features i deemed unsafe.

      I could lock down any system and make 100% hacker proof - i'd unplug their server.

      it's a ratio of risk to reward like most things, if you want zero risk there won't be any reward.

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:Yeah, right. by rolfwind · · Score: 5, Insightful

      People like to draw the comparison with civil engineering, where an engineer may be liable (even criminally) if, say, a bridge collapsed. But this isn't really the same thing. We're not talking about software that simply fails and causes damage. We're talking about software that fails when people deliberately attack it. This would be like holding a civil engineer responsible when a terrorist blows up a bridge -- he should have planned for a bomb being placed in just such-and-such location and made the bridge more resistant to attack.

      Not only that, but civil/mechanical/other engineers usually know exactly what they are dealing with - a Civil engineer may specify the type of concrete used, car engineer may specify the alloy of steel.

      Most of the time, software engineers don't have that luxury. Video Game consoles (and still are, mostly) used to be nice that way and it was the reason they had fewer problems than PCs.

      Tell a bridge engineer that he has no absolutely control over the hardware he has to work with and that it may have a billion variations, and see if he signs his name to it.

    3. Re:Yeah, right. by fuzzyfuzzyfungus · · Score: 5, Insightful

      Worse, in addition to being management blame-storming(and hardly novel, at that). It is quite arguably a member of a very old and inglorious school of argument, the one that asserts that people are fully rational agents, who will perform properly if suitably threatened. Sure, Mr. "Eh, I'd rather masturbate and play Halo than check for bugs in the software I was paid to write" could probably do with a kick in the ass; but the main threat is simple honest mistakes, which humans make with some frequency, depending on their constitution and surrounding conditions.

      Anybody who honestly thinks that scary looking contracts are going to keep the engineers in line should read up on the sorts of things that happen in workplaces with real hazards: heavy machinery, toxic materials(and not the chickenshit "recognized by the state of california to cause reproductive harm" type, the "Schedule 2, Part A, per CWC" type), molten metal, exposed high voltages, and the like. Even when their lives are on the line, when the potential for imminent gruesome death is visible to even the least imaginative, people fuck up from time to time. They slip, they make the wrong motion, they get momentarily confused, some instinct that was real useful back when lions were the primary occupational hazard kicks in and the adrenalin shuts down their frontal lobe. Happens all the time, even in countries with some degree of industrial hygiene regulation.

    4. Re:Yeah, right. by cgenman · · Score: 5, Insightful

      Let's see. The top programming errors are:
      Let people inject code into your website through cross site scripting.
      Let people inject code into your database by improperly sanitizing your inputs.
      Let people run code by not checking buffer sizes.
      Granting more access than necessary.
      Granting access through unreliable methods.

      Geez, #7 is fricking directory traversal. DIRECTORY TRAVERSAL. In 2010! It's not like your drawbridge is getting nuked by terrorists here. Generally bridges are built to withstand certain calamaties, like small bombs, fires, hurricanes, earthquakes, etc. Being successfully assaulted through a directory traversal attack is like someone breaking into the drawbridge control room because you didn't install locks on the doors and left it open in the middle of the night. Why not leave out cookies and milk for the terrorists with a nice note saying "please don't kill us all [smiley face]" and consider that valid security for a major public-facing application.

      Further down the list: Failing to encrypt sensitive data. Array index validation. Open redirects. Etc, etc, etc. These aren't super sophisticated attacks and preventative measures we're talking about here. Letting people upload and run PHP scripts! If you fall for THAT one, that's like a bridge that falls because some drunk highschooler hits it with a broken beer bottle. Forget contractual financial reprisals. If your code falls for that, the biggest reprisal should be an overwhelming sense of shame at the absolute swill that you've stunk out.

      And yes, security takes longer than doing it improperly. It always does, and that has to be taken seriously. And it is still cheaper than cleaning up the costs of exposing your customer's banking information to hackers, or your research to competitors in China. Stop whining, man up, and take your shit seriously.

      --
      The ______ Agenda
    5. Re:Yeah, right. by digitalchinky · · Score: 5, Insightful

      How many clients have you ever met that actually ~know~ what they want? :-)

    6. Re:Yeah, right. by ScrewMaster · · Score: 5, Insightful

      y drafting contracts that hold developers responsible when bugs creep into applications.

      Arguably the stupidest thing I've ever heard, and I'm old enough to have heard a lot of stupid shit.

      Anybody who honestly thinks that scary looking contracts are going to keep the engineers in line

      Is a moron who would have been a candidate for early-term abortion if we could only predict such things. The reality here is this: if you try to put engineers (especially software engineers) into a situation where every line of code they produce might put them in court, you're going to find yourself with a severe shortage of engineers. There are many things that creative minds can do, and if you make a particular line of work too personally dangerous nobody will enter that field.

      More to the point however, only completely drain-bamaged organizations actually ship alpha code, which is obviously what we are talking about in this case. Because if we're not, if we're discussing production code that was overseen by competent management, conceived by competent designers, coded by competent software engineers and tested by competent QC engineers (you do have those, don't you?) then blaming the programmer alone is absolutely batshit insane, and will serve no legitimate purpose whatsoever.

      Modern software development, much like the production of a motion picture, is a complex team effort, and singling out one sub-group of such an organization for punishment when failures occur (as it happens, the ones least responsible for such failures in shipping code) is just this side of brain-dead.

      And I mean that about the programmers being the least responsible. Unless management has no functioning cerebral cortex material, they will understand and plan for bugs. You expect them, and you deal with them as part of your quality control process. Major failures can most frequently be attributed to a defective design and design review process: that sort of high-level work that happens long before a single developer writes one line of code. The reason that engineers who build bridges are not put in jail when a bridge fails and kills someone is because there are layers and layers and layers of review and error-checking that goes on before a design is approved for construction. It's no different in a well-run software team.

      If your team is not well run, you have a management failure, not a programmer problem.

      I had stupid people, I really do. And people that propose to punish programmers for bugs are fundamentally stupid.

      --
      The higher the technology, the sharper that two-edged sword.
    7. Re:Yeah, right. by fractoid · · Score: 5, Interesting

      Even a car with no locks shouldn't be responsible, you bought the car knowing full well there was no locks, if you want cars with locks, pressure those who make cars and take your business to one with locks.

      Exactly. At a previous job I was in charge of maintaining a system for tracking clients' assets. By which I mean realtime GPS coordinates and telemetry of big frikkin trucks full of DVD players or plasma screens or whatever. Information which would actually be very dangerous Fast-and-the-Furious style if it were accessible by the wrong people. When I inherited this system I went to my manager and went "this could be cracked in about a hundred different ways simply by changing some numbers in the URL" and they said "why would anyone do that?" Later, the internal client who owned the data asked about security and I just said "it would basically need a rewrite, it has enough trouble not showing users each others' data let alone standing up to a deliberate attack" and so they swept it under the rug. I could probably still log on to one of their accounts today and find out where the truckload of free plasma screens was, if I was a bad person.

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    8. Re:Yeah, right. by YourExperiment · · Score: 5, Funny

      Your ideas are intriguing to me and I wish to subscribe to your pr0n scraper.

    9. Re:Yeah, right. by fuzzyfuzzyfungus · · Score: 5, Insightful

      The problem is not accountability, accountability is perfectly fine. The problem is incorrect application of accountability, and overbroad belief in its effectiveness.

      For "accountability" to be properly applied, it must always be connected to power. The relationship goes both ways. Nobody with power should ever lack accountability, lest their power degenerate into mere tyranny, and nobody with accountability should ever lack power, lest they merely be made the scapegoat. This is the real problem with the false "accountability" commonly found in organizational contexts:

      If, for example, you have a "release engineer" who must sign off on a software product, or a team of mechanics that must get a 747 ready for passenger flight, those people must have the power to halt the release, or the flight, if they believe that there is a problem. If they do no have this power, they aren't actually "accountable" they are merely scapegoats, and the one who does have this power is truly accountable; but is dodging accountability by assigning it to subordinates. The trouble is, in real world situations, being the person proximately responsible for expensive delays is, at best, thankless. Unless the organization as a whole is invested in the importance of that role, the person filling it will be seen as an obstruction. Obstructions have a way of being circumvented. Assigning blame under those circumstances is actually the opposite of accountability; because punishing the person who didn't make the decision will mean letting the person who did off the hook(in the same way that falsely convicting the innocent isn't "tough on crime" because it implies releasing the guilty). The second issue is the belief that being made accountable will make humans behave fully responsibly. This isn't the abusive mess that the first issue is; but it is contrafactual and tends to distract attention away from the more valuable task of building systems that are (at least somewhat) resistant to human error. Even when accountability is correctly apportioned to power, humans are imperfect instruments. If you want to build systems of complexity unprecedented in human evolutionary history, you will have to learn to build systems that are tolerant of some amount of error. Checklists, automated interlocks, automated fuzz testing, etc, etc. must all be employed; because, ultimately, "accountability" and punishment, while they have their virtues, cannot remediate failure. Executing murderers doesn't resurrect their victims. Suing programmers doesn't recover data stolen in some hack attack. There isn't anything wrong with punishing the guilty; but its utility in accomplishing people's actual objectives is surprisingly tepid. People don't want to sue programmers, they want high-quality software. People don't want to fire mechanics, they want planes that don't crash. People don't want to incarcerate criminals, they want to be free of crime. "Accountability" is one tool that can be used to build the systems that people actually want(and there are arguments to be made that it is ethically obligatory in any case); but single minded focus on it will not achieve the ultimate objectives that people are actually seeking.

  2. Errors, Schmerrors by empesey · · Score: 5, Funny

    A real programmer can do all 25 in one line of code.

    1. Re:Errors, Schmerrors by Anonymous Coward · · Score: 5, Funny

      #include "win32.h" /* :p */

  3. Just Show Me the List!! by QuantumG · · Score: 5, Informative

    So much shit. So much commentary. Just gimme the list? Here it is:

    1. Failure to Preserve Web Page Structure ('Cross-site Scripting')
    2. Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
    3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    4. Cross-Site Request Forgery (CSRF)
    5. Improper Access Control (Authorization)
    6. Reliance on Untrusted Inputs in a Security Decision
    7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    8. Unrestricted Upload of File with Dangerous Type
    9. Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
    10. Missing Encryption of Sensitive Data
    11. Use of Hard-coded Credentials
    12. Buffer Access with Incorrect Length Value
    13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
    14. Improper Validation of Array Index
    15. Improper Check for Unusual or Exceptional Conditions
    16. Information Exposure Through an Error Message
    17. Integer Overflow or Wraparound
    18. Incorrect Calculation of Buffer Size
    19. Missing Authentication for Critical Function
    20. Download of Code Without Integrity Check
    21. Incorrect Permission Assignment for Critical Resource
    22. Allocation of Resources Without Limits or Throttling
    23. URL Redirection to Untrusted Site ('Open Redirect')
    24. Use of a Broken or Risky Cryptographic Algorithm
    25. Race Condition
    --
    How we know is more important than what we know.
  4. re:zero risk by Tumbleweed · · Score: 5, Insightful

    "Insisting on absolute safety is for people who don't have the balls to live in the real world."
    - Mary Shafer, NASA Dryden Flight Research Center

  5. What it's like to do software like that by Animats · · Score: 5, Interesting

    Been there, done that, in an aerospace company. Here's what it's like.

    First, the security clearance. There's the background check before hiring, which doesn't mean much. Then, there's the real background check. The one where the FBI visits your neighbors. The one where, one day, you're sent to an unmarked office in an anonymous building for a lie detector test.

    Programming is waterfall model. There are requirements documents, and, especially, there are interface documents. In the aerospace world, interface documents define the interface. If a part doesn't conform to the interface document, the part is broken, not the document. The part gets fixed, not the documentation. (This is why you can take a Rolls Royce engine off a 747, put on a GE engine, and go fly.)

    Memory-safe languages are preferred. The Air Force used to use Jovial. Ada is still widely used in flight software. Key telephony software uses Erlang.

    Changes require change orders, and are billable to the customer as additional work. Code changes are tied back to change orders, just like drawing changes on metal parts.

    In some security applications, the customer (usually a 3-letter agency) has their own "tiger teams" who attack the software. Failure is expensive for the contractor. NSA once had the policy that two successive failures meant vendor disqualification. (Sadly, they had to lighten up, except for some very critical systems.)

    So that's what it's like to do it right.

    A real problem today is that we need a few rock-solid components built to those standards. DNS servers and Border Gateway Protocol nodes would be a good example. They perform a well-defined security-critical function that doesn't change much. Somebody should be selling one that meets high security standards (EAL-6, at least.) It should be running on an EAL-6 operating system, like Green Hills Integrity.

    We're not seeing those trusted boxes.

  6. The most dangerous C programming error by sigma · · Score: 5, Funny

    if (alert_code = red)
       launch_missles ();

  7. Re:zero risk by Pharmboy · · Score: 5, Funny

    is it me or is americans in love with absolutes?

    You are 100% correct. Anything less would be un-American.

    --
    Tequila: It's not just for breakfast anymore!