Heh. Got you reading, didn't I?
The point of this blog post is short and sweet. Yesterday SANS released their list of the Top 25 Vulnerability Coding Errors (emphasis mine). Sadly, finding that to be too long for a snappy title, they got rid of that superfluous word "Vulnerability" and titled it Top 25 Most Dangerous Programming Errors. These geniuses were blindly followed by journalists, bloggers and twit-heads who chimed in on this entrancing topic. Some of these blind followers are, sadly, people I respect.
One word: FAIL.
These are great, the list has been a long time in coming, developers should pay attention to it. But if you built a list of the top 25 coding errors, it wouldn't include many of these.
"OMG!" shouts the security twit, "don't you care about security?"
Of course I do, but let's talk just a wee bit of honesty here... Security is not job number one in software development. It never has been. Security is something we add to our development processes because we must, but we wouldn't need it at all if we didn't first need the application - the one we viewed as so important that we would develop it and then secure it. So job one in software development is making a working app that performs as expected. There's plenty of room for errors in that alone, without touching on security.
"What could possibly be worse than a security vulnerability that risks exposure of sensitive data?!" shouts the Security twit.
Uhhmmm... Lots of things? Any coding error that makes the app downright unusable would likely get caught in testing, but that still leaves intermittent memory leaks that cause the customer to call IT Support and say "can you reboot the server again?" every few days because customers aren't getting through - nothing fills Operations/Support with more (justified) righteous anger. How about the Java app that overloads the JVM and when garbage collection time comes it completely stops responding? Or any of a zillion other errors from wild pointers to log hogs that obviate security because you don't need to protect user data if you have no users.
So please, do us all a favor, make certain you're clear - this isn't the worst programming errors, this is the worst vulnerability programming errors (and calling some of them errors is a stretch - worst practices would be more accurate).
And that doesn't even touch on the sensationalist claims of a brave new world in the document... One thing the last 20 years have proven: writing this document makes it out of date, for hackers don't sit on their hands and cry when the way is blocked, they look for another entrance. Still, a very useful list, just not the thing that will save the world, and they should have toned it down and pointed out that it would always be an evolving list.