The Mitre Corp has produced the 2010 CWE / SANS Top 25 Most Dangerous Programming Errors which identifies the most commonly encountered coding errors that can potentially lead to web sites being hacked or PCs being compromised. Some of the errors are well-publicised in the technical press, e.g. “cross-site scripting”; some are downright stupid, e.g. “use of hard-coded credentials” and others are the results of carelessness, e.g. “improper validation of array index”.
However, what makes this document better than the usual Top-X lists is that it provides guidance to programmers on how to prevent or mitigate the errors. For example, to avoid cross-site scripting it suggests, “Use languages, libraries or frameworks that make it easier to generate properly encoded output. Examples include Microsoft’s Anti-XSS library, the OWASP ESAPI encoding module and Apache Wicket”. There’s additional information for the technically-minded that goes through the different stages of software development, starting with initial design and moving through to implementation, compilation and testing.
One of the best pieces of advice is in the discussion around checking for unusual or exceptional conditions, “Murphy’s Law says that anything that can go wrong, will go wrong. Yet it’s human nature to always believe that bad things could never happen, at least not to you. Security-wise, it pays to be cynical. If you always expect the worst, then you’ll be better prepared for attackers who seek to inflict their worst. By definition, they’re trying to use your software in ways you don’t want.”
So, if you are into web programming in any way, this has to be mandatory reading to keep the bad guys at bay. Even if you are not, the discussion sections for each of the errors are illuminating in showing exactly what is going wrong and why it’s bad. Just skip over the technical bits in between.