As a developer, you need to remember that a computer is stupid. It executes the code exactly as humans wrote it.
If a human tells your computer to jump off a bridge under some conditions, it will. If you forgot to add a lock on the front door, it won’t add one for you.
**I forgot:**
(Or didn’t have time, the usual “we will do it later” (never))
As developers, we are pressured to go fast as well. We may forget to add some features. It was 17:00 when I was going to add the lock and the next day I forgot about it. Or it was 9:00, then all the damn meetings started and it is now 17:00…
We made a lot of features as well because everyone wants money (not even talking about other conditions that may come with). So we probably made that lock. So we may have half built the lock when it was 17:00 and yet again forgotten the next day to finish it, but we installed it.
**I’m not smart enough:**
Maybe we thought we could make a secure lock. Turns out you can open it with a flat screw! (Security is one field you shouldn’t try to do yourself)
**That damn edge case**
Making software not crash (or not behave weirdly) is like doing a maze… Except on a full page, with paths the width of a hair, and where each wrong turn (not dead end!) is a bug/crash.
So I could work full time for weeks just handling errors, edge cases or weird behavior for a feature that just asks you to enter 2 numbers.
So, we won’t support every case. Usually that won’t cause a security issue here, but that also means some parts of the code may not have been tested much…
So we can make assumptions about things. If the user enters a letter I will let the software crash, since the client has only a number keypad. (Until I get screwed and he plugs in a full keyboard)
**Never trust user values**
That one… Oh Fu… Hell Fu…
That can also include software-saved values sometimes.
This is one big issue with security that can cause big security issues, from the processor running unauthorized code to you withdrawing money without anybody knowing.
See it like a form with a blank spot to fill up. Someone will fill the form (you, directly or indirectly) and someone will do whatever the form says (the software).
Unfortunately, a lot of the time, programmers cheap out on that one and don’t use the full capability of the form. What does it mean?
Let’s say the form is: “allow the user ____ to access his own account if the password to the account matches _____”.
Then the user fills the first field with “Administrator”, but the second field with: “blablabla or if the password doesn’t match”.
The software will then read it as: allow the user Administrator to access his own account if the password to the account matches blablabla or if the password doesn’t match.
So… Now you are logged into the Administrator account…
Sometimes it is a little more complex than that for technical reasons. But it is the same idea.
Funny thing, that AI revolution works exactly like that. Except, there is not quite a feature to flag user values (the blanks in the form) vs the other instructions.
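
The fill-in-the-blank form from the answer above, as an added example that is not part of the original answer: the same login check written once with the blanks pasted into the query text and once with the blanks flagged as values (bound parameters). The table, account data and function names are constructed for illustration, and the password is kept in plain text only to mirror the form.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # (Real systems store password hashes; plain text here mirrors the form.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('Administrator', 's3cret-constructed')")
    return db

def login_pasted(db, name, password):
    # Weak form: the blanks are pasted into the sentence, so whatever the
    # user typed is read as part of the instructions.
    query = ("SELECT 1 FROM accounts WHERE name = '" + name +
             "' AND (password = '" + password + "')")
    return db.execute(query).fetchone() is not None

def login_bound(db, name, password):
    # Corrected form: the ? placeholders mark the blanks. The values travel
    # separately from the query text and are only ever compared as data.
    query = "SELECT 1 FROM accounts WHERE name = ? AND (password = ?)"
    return db.execute(query, (name, password)).fetchone() is not None

# The answer's second blank written in SQL terms:
# "blablabla or if the password doesn't match".
FORM_TRICK = "blablabla' OR password <> 'blablabla"

if __name__ == "__main__":
    db = make_db()
    for check in (login_pasted, login_bound):
        result = check(db, "Administrator", FORM_TRICK)
        print(f"{check.__name__}: logged in = {result}")
```

With bound parameters the whole second blank is compared against the stored password as one string, so the "or if the password doesn’t match" part never becomes an instruction.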