Within the last few hours quite a buzz has been created by the release of the CWE/SANS Top 25 Most Dangerous Programming Errors list. USA Today posted an article on the list with an insert about The Importance of the Flaws List. Early today the BBC News posted Dangerous Coding Errors Revealed. Certainly the buzz will continue!
There is much to be said about security, and certainly the independent developer needs to be just as mindful of potential flaws as the corporate developer in a team environment. This list is for every developer to consider. I was amazed to find a couple of practices in the Top 25 that I have, at one time or another, been guilty of doing.
The list groups the top 25 into three categories: “Insecure Interaction Between Components”, “Risky Resource Management” and my personal favorite, “Porous Defenses”. Each error is tied to a “CWE”, or Common Weakness Enumeration, which is described in detail on the CWE website. For example, one of the Top 25 in the “Porous Defenses” category is identified as CWE-259, Hard-Coded Password. Reviewing the CWE-259 entry, I believe, begins to reveal the significance and usefulness of this Top 25 list to ALL developers.
Personally, to be honest, I might not have paid much attention to it had it not been called to my attention by my son, who has been involved in the project for months. I hope readers of this blog find the material useful themselves. Oh yes, it is estimated that some 85% of the criminal activity on the internet has resulted from these Top 25 “NOT best practices!” in coding.