Pencils Down

This weblog is about my experiences in software development

Browsing Posts tagged Security

Great article on the top-voted programming errors; for each entry it includes examples, mitigations, and the attacks it enables. The article is at http://cwe.mitre.org/top25/

 The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.  (click on link above for more)

I work at a large defense contractor.  There are two levels of review that any shareware product must clear before it is used, depending on where it will be used:

1) Will the product be used in the field, in a production environment?

2) Will the product be used on the corporate LAN?

Any new product has to go through a rigorous review by legal staff of the exact license attached to it.  They are looking for the clause that says “We own your company after 12 days of use”.  Surprisingly, there are some open licenses that have such clauses.  Pretty gutsy: just count on coders not actually reading the legalese.

Use on the LAN means the product must also be reviewed for security problems.  While a defense contractor has real security levels that conform to government standards, I think this is a reasonable test for any corporate tool.  Again, some products fail the security test, either by including silliness (such as the Google toolbar phoning home to google.com on a regular basis) or by carrying outright viruses or spam.

Use in production means the software will reside on a defense product in the field.  That brings whole new levels of pain in evaluating the product for holes.  Not surprisingly, a lot of Not Invented Here coding goes on just to avoid such a review.