19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Posted on by Ben Rothke

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them should be required reading for software developers. 

If George Santayana were to recommend a security book, it would certainly be 19 Deadly Sins of Software Security. Santayana is the poet-philosopher widely known for saying, "Those who cannot remember the past are condemned to repeat it." For far too long, software developers have been making the same mistakes in programming as if they were incapable of remembering their past errors. 

Poorly written software lies behind nearly every computer security vulnerability. Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, is quoted as saying that "95 percent of software bugs are caused by the same 19 programming flaws." These flaws are the so-called "deadly sins" of the title. 

The book covers these 19 programming flaws, which include the most devastating types of coding and architectural errors, such as buffer overflows, format string problems, cross-site scripting, and insufficient encryption. Each flaw gets its own chapter, which features a brief introduction to the problem, sample code depicting each "sin," ways to detect the problem during code review, a description of tools and techniques to test for the defect, and defensive measures that make it more difficult for someone to exploit the weakness. 

None of the text is extraneous, as it economically addresses a wealth of the most popular platforms and languages. These include Windows, Linux, UNIX, C/C++, C#, Java, PERL, and more. 

Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading. Were he a techie, Santayana might have said that those who have written insecure code in the past are condemned to continue to write insecure code in the future. Programmers need only read this book to help put an end to that vicious cycle.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs