The Most Dangerous Programming Errors
Tuesday January 13, 2009
Just published by Sans.org is the list of the 25 most dangerous programming errors. These were compiled by experts from more than 30 US and international cyber organizations, and they relate to software that can be compromised and used to let an attacker take control of a PC. Two of these errors led to more than 1.5 million security breaches during 2008.
I'm not going to publish the full list, just highlight some with relevance to C, C++ and C#.
- Improper Input Validation. It sounds obvious, but buffer overflows can be one way to attack. Instead of using strcpy, for example, use strcpy_s. Microsoft supports this but not everyone does. It adds an extra parameter describing the size of the destination buffer to stop overflows. Other alternatives include strncpy and strlcpy.
- Don't store passwords in plain text. I've often used a binary editor to view strings in an exe, looking for interesting strings. Some programmers leave test passwords in (sloppy; they should use debug conditional code for that). Other things might be connection strings which contain user/password. If you really must do that, there are various schemes such as rot-13 or xor that hide the data and are easy to decode at run-time. Or, if it's a really important task, you could use a full crypto package.
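To illustrate the first point about passing the destination size, here is an added example (not from the Sans.org list or the original post) of a portable bounded copy built on snprintf, next to a check showing that strncpy leaves the buffer unterminated when the source is too long. The names bounded_copy and strncpy_leaves_unterminated and the sample input are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity dst_size bytes, including the terminator).
 * Returns 0 when the whole string fit, 1 when it was truncated,
 * -1 on invalid arguments. dst is NUL-terminated whenever 0 or 1 is returned. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* snprintf writes at most dst_size bytes including the NUL and
     * returns the length the full string would have needed. */
    int needed = snprintf(dst, dst_size, "%s", src);
    if (needed < 0)
        return -1;
    return (size_t)needed >= dst_size ? 1 : 0;
}

/* The strncpy pitfall: when src has dst_size or more characters,
 * strncpy fills the buffer and writes no terminator. Returns 1 if the
 * first dst_size bytes contain no NUL, 0 if they do, -1 on bad size. */
int strncpy_leaves_unterminated(const char *src, size_t dst_size)
{
    char buf[64];
    if (dst_size == 0 || dst_size > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);       /* make a missing NUL visible */
    strncpy(buf, src, dst_size);
    return memchr(buf, '\0', dst_size) == NULL;
}

int main(void)
{
    char name[8];
    const char *input = "administrator";   /* constructed input, 13 chars */

    /* strcpy(name, input) would write 14 bytes into this 8-byte buffer. */
    int rc = bounded_copy(name, sizeof name, input);
    printf("bounded_copy rc=%d result=\"%s\"\n", rc, name);
    printf("strncpy unterminated=%d\n",
           strncpy_leaves_unterminated(input, sizeof name));
    return 0;
}
```

A truncated copy is still a changed input, so callers should treat a return value of 1 as a validation failure and not carry on with the shortened string.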

