CWE/SANS TOP 25 Most Dangerous Programming Errors has been published on January 12, 2009 and i think it is an interesting must read for almost any programmer,hacker,project manager,director,etc… out there. Although all of the stuff presented in the consensus has been known for years, little has been done to create a standard,a paper or something tangible and with support from important organization/companies or perhaps even legal,something that you can relate to,until now.Very important to read it is the “How Will the Top 25 Errors Be Used?”(snipet bellow) paragraph which will present you some of the possible use-cases of such a consensus,especially if you are already familiar with what’s inside the technical part of the consensus.If not then please go on and read the stuff in there and research it until you get the point and start thinking of better ways to design and write your code,secure design and code i mean…

exploits_of_a_mom

just to make the world a safer place! was not that convincing right? 🙁

How Will the Top 25 Errors Be Used?

The Top 25 Errors will have four major impacts:

  • Software buyers will be able to buy much safer software.
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code

CWE/SANS TOP 25 Most Dangerous Programming Errors

LE: http://gcn.com/articles/2009/01/19/list-creates-software-security-squabble.aspx

Well as you  can see assholes can find a reason to argue about everything.Nothing new! I actually accept the list as it is.It is way better than nothing for me,but this doesn’t seem to apply to morons suffering from the reject and “nothing pleases me” syndromes who would have prefered the top 1000 most dangerous programming errors.Don’t forget to click on *next 200*.

Polycode, an amazing piece of art!

As stated in the title i have truly came over an amazing piece of art:

http://mauke.ath.cx/stuff/poly.html

Hit view source on that and stare at pretty strange,at the first look,source code. Well that source, my friends,is neither html,c,python or perl it is all of them,plus some more.The above linked source code compiles/interprets and runs under all of this languages: html+js,c/c++,python,perl,ruby,bash,sh,zsh,haskell,makefile,tcl and brainfuck.

I’ve tested the source on all of them just to make sure that it isn’t a joch and it isn’t! even if we count haskell which in my case it didn’t interpret(i used hugs but it didn’t work for some reason and i didn’t insist). Here is some proof output for the unbelievers:

shinnok@donkey:/tmp$ wget http://mauke.ath.cx/stuff/poly.html
–2009-01-21 18:26:11– http://mauke.ath.cx/stuff/poly.html
Resolving mauke.ath.cx… 91.67.1.238
Connecting to mauke.ath.cx|91.67.1.238|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2376 (2.3K) [text/html]
Saving to: `poly.html’

100%[======================================>] 2,376 –.-K/s in
0.001s

2009-01-21 18:26:12 (2.21 MB/s) – `poly.html’ saved [2376/2376]

shinnok@donkey:/tmp$ python poly.html
I’m a Python program.
shinnok@donkey:/tmp$ perl poly.html
I’m a Perl program.
shinnok@donkey:/tmp$ ruby poly.html
I’m a Ruby program.
shinnok@donkey:/tmp$ cp poly.html poly.c
shinnok@donkey:/tmp$ gcc -o poly poly.c
poly.c:37:20: warning: trigraph ??! ignored, use -trigraphs to enable
shinnok@donkey:/tmp$ ./poly
I’m a C program (C89 with // comments, trigraphs disabled).
shinnok@donkey:/tmp$ cp poly.html Makefile
shinnok@donkey:/tmp$ make
I’m a Makefile.
shinnok@donkey:/tmp$ beef poly.html
I’m a brainfuck program.
shinnok@donkey:/tmp$ tclsh poly.html
I’m a tcl script.
shinnok@donkey:/tmp$ sh poly.html
I’m a bash script.
shinnok@donkey:/tmp$ zsh poly.html
I’m a zsh script.
shinnok@donkey:/tmp$ bash poly.html
I’m a bash script.

I find it amazing the way the writer of that piece of poly-code managed to use various syntactic and lexical as well as operators and language specific tricks in order to get that same piece of code to compile/interpret and run on all of those languages.

Tagged with: