Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
The US National Security Agency has helped put together a list of the world's most dangerous coding mistakes.
The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.
Experts say many of these errors are not well understood by programmers.
Top 25 Coding Errors [sans.org]
Bookmark that one! :-)
EDIT: Argh . . it's timing out now, maybe it's getting slashdotted . . . . or . . . their report has drawn too much attention from the "ankle biters" mentioned in the first article . . . .
Likely more true than we accept.
We love to hate agencies, such as the NSA, but what other agency or enterprise is taking the lead in challenging or taking down botnets?
Microsoft? The likely "botnet mother"? ICANN? Ya, sure, the mother of unlimited gTLDs, etc.
Really, when it comes to protecting the Web that we love from serious harm via attackers or botnets, who is in charge here?
Probably the answer is "us" - everyone of us - who has ever failed to secure a server or website, probably due to others handing us the keys to the car without confirming whether we have taken driving (security) lessons. And who's in charge of hosting firms, to be certain their servers are hardened against exploitation? And who is in charge of the server software and PC software providers to be certain their software is hardened? Can't wait to see what happens when everyone's cellphone->all-in-1-device starts to automatically dial up the Whitehouse or NSA . .
So, now the great mystery agency - the NSA - the agency with al the bad publicity or bad "we're spying on you" image, is going to take the lead in guiding the world in how to make the world more safe?
Well . . Geesh! It's the National Security Agency to the rescue?
It's about time some agency or enterprise took the lead. Shame it has to be one with image and other historical problems that may undermine any "trust us" campaign.
I just found + fixed a "race condition" (CWE-362) yesterday, and it was an obscure oversight in code I wrote only 6 months ago. For any programmer who does their own QA and penetration testing, this is a pretty good checklist to look at before deploying to production.