Tuesday, 13 January 2009

SANS' top 25 errors

SANS' top 25 list of coding errors (the CWE/SANS Top 25 Most Dangerous Programming Errors, compiled with MITRE's Common Weakness Enumeration project) is chock-full of rudimentary mistakes. It should be required reading for second-year students in CS, or second-term students in IT/CS diploma programs. Granted, there are a couple of entries a half-decent programmer might miss - attacks that exploit unspecified encoding, race conditions in underlying code - but if you're passing sensitive data in plaintext, failing to validate user-supplied data before you parse it, or gluing that data straight into your *&^%# SQL instead of using parameterized queries, you need to be educated. And it'd be better for that to happen in class than on the job.
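To make the SQL point concrete, here is an added example (mine, not code from the post or from the SANS list) of the classic mistake beside its fix: one lookup that concatenates untrusted input into the query text, one that hands the value to the driver as a parameter, and one that additionally validates the input against an allowlist first. The users table, its rows, the regex policy and the function names are all constructed for the demonstration.

```python
"""Added example: the SQL-injection error the post complains about, shown
as a vulnerable query beside its parameterized fix. Illustrative code only;
the table, rows, allowlist and helper names are constructed for the demo."""
import re
import sqlite3

# Assumed allowlist policy for usernames (not from the post): letters,
# digits, underscore, dot and dash, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Build a constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: untrusted input spliced into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    the query returns every row in the table.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter.

    The driver sends the value separately from the statement text, so the
    input is only ever compared as data and cannot change the query's
    structure. Quotes inside the value need no escaping at all.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn, username):
    """Defence in depth: reject input that fails the allowlist, then run the
    parameterized query. Validation is not a substitute for parameters; it
    is the extra layer the post's 'validate and parse' advice asks for."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username: %r" % username)
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable, normal input  :", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected input:", lookup_vulnerable(db, attack))
    print("parameterized, injected   :", lookup_parameterized(db, attack))
    try:
        lookup_hardened(db, attack)
    except ValueError as exc:
        print("hardened, injected        : rejected (%s)" % exc)
```

Run it and the vulnerable lookup returns both users for the injected value, while the parameterized lookup returns nothing because no user is literally named `' OR '1'='1`. The same pattern applies to every database API that supports bound parameters; the string-building version is wrong regardless of how carefully you think you have "sanitized" the input.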

Bits of the article are amusing, too: "all your code are belong to them," indeed.

In short: people still make these kinds of mistakes? Needless and frightening. Your information online is not secure, and at this rate it never will be.
