1-Incomplete Input Validation–

• Example: Accepting user input without proper validation, leading to SQL injection.
• Consequence: Compromised database security, potential data loss, and unauthorized access.

Bad Way (PYTHON):

user_input = input("Enter your username: ")
# No validation, allowing SQL injection
query = "SELECT * FROM users WHERE username = '" + user_input + "';"

Directly passing user input in database query statements is not recommended and very dangerous.

Good Way (PYTHON):

import sqlite3

user_input = input("Enter your username: ")
# Use parameterized queries to prevent SQL injection
query = "SELECT * FROM users WHERE username = ?;"
cursor.execute(query, (user_input,))

Above user input has been parameterized and it is safe to pass to database query statements.

Real Incident & Consequence – [Reference – Equifax Data Breach]

• Incident: In 2017, the Equifax data breach occurred due to incomplete input validation in a web application, allowing attackers to execute a SQL injection attack.
• Consequence: Personal information of 147 million individuals was exposed, leading to identity theft concerns.
• Loss Amount: Estimated at hundreds of millions in damages and settlements.

2-Not Handling Exceptions Appropriately–

• Example: Lack of proper error handling, causing application crashes without informative error messages.
• Consequence: Difficult debugging, user frustration, and potential security risks.

Bad Way (PYTHON):

try:
    result = divide(a, b)
except:
    # No specific exception handling
    print("An error occurred.")

Above code error is not being handle properly and suppressed.

Good Way (PYTHON):

try:
    result = divide(a, b)
except ZeroDivisionError as e:
    print(f"Error: {e}")
except Exception as e:
    print(f"Unexpected error: {e}")

Above code error is being handle properly and not suppressed.

Real Incident & Consequence – [Reference: Knight Capital Group’s $440 million loss]

• Incident: In 2012, Knight Capital Group lost $440 million in 45 minutes due to a software glitch that resulted from not handling exceptions properly.
• Consequence: The company faced financial ruin and had to be acquired to prevent further losses.
• Loss Amount: $440 million losses in 45 minutes.

3-Ignoring Memory Management–

• Example: Memory leaks due to not releasing allocated resources.
• Consequence: Gradual degradation of system performance, increased resource usage, and possible application crashes.

Bad Way (C):

int* array = (int*)malloc(sizeof(int) * 1000);
// No free() to release allocated memory

Good Way (C):

int* array = (int*)malloc(sizeof(int) * 1000);
// Proper memory deallocation
free(array);

Real Incident & Consequence – [Reference: Ariane 5 Flight 501]

• Incident: The Ariane 5 rocket failure in 1996 resulted from a software bug due to ignoring memory management, causing a critical system failure.
• Consequence: The rocket exploded, leading to a loss of approximately $370 million.
• Loss Amount: Approximately $370 million for the rocket and payload.

4-Hardcoding Sensitive Information–

• Example: Embedding passwords or API keys directly into the code.
• Consequence: Security vulnerabilities, unauthorized access, and potential data breaches.

Bad Way (PYTHON):

db_connection = connect(username='admin', password='secretpassword')

Good Way (PYTHON):

# Use environment variables or a secure configuration file
db_connection = connect(username=get_env_variable('DB_USER'), password=get_env_variable('DB_PASSWORD'))

Real Incident & Consequence – [Reference: Heartbleed Bug]

• Incident: In 2014, the Heartbleed bug exploited a coding mistake by hardcoding sensitive information in the OpenSSL library, exposing private keys and passwords.
• Consequence: Widespread security vulnerabilities across websites, requiring extensive patching and password resets.
• Loss Amount: Indirect losses due to widespread security vulnerabilities.

5-Ignoring Cross-Site Scripting (XSS) Vulnerabilities–

• Example: Allowing user-generated content without proper sanitization.
• Consequence: Malicious script injection, compromising user data and system integrity.

Bad Way (HTML):

<p>User input: <%= user_input %></p>

Good Way (HTML):

<p>User input: <%= sanitize(user_input) %></p>

Real Incident & Consequence – [Reference: Wikipedia – Samy (computer worm)]

• Incident: The MySpace worm in 2005 spread via XSS vulnerabilities, impacting millions of user profiles.
• Consequence: Disruption of MySpace services and potential exposure of personal information.
• Loss Amount: Disruption of MySpace services; specific monetary loss not well-documented.

6-Poorly Managed Concurrency–

• Example: Inadequate synchronization in multi-threaded applications.
• Consequence: Race conditions, data corruption, and unpredictable behavior.

Bad Way (JAVA):

// Inadequate synchronization
public synchronized void incrementCounter() {
    counter++;
}

Good Way (JAVA):

// Use explicit locks for proper synchronization
private final Object lock = new Object();

public void incrementCounter() {
    synchronized (lock) {
        counter++;
    }
}

Real Incident & Consequence – [Reference: Therac-25]

• Incident: The Therac-25 radiation therapy machine accidents in the 1980s resulted from inadequate synchronization, causing lethal radiation overdoses.
• Consequence: Multiple patient injuries and deaths due to radiation exposure.
• Loss Amount: Indirect losses due to legal actions and damaged reputation.

7-Not Regularly Backing Up Code–

• Example: Lack of version control and backups.
• Consequence: Loss of code during system failures, making recovery difficult or impossible.
• Bad: No version control system in place.
• Good: Use Git, SVN, or another version control system for regular backups.

Real Incident & Consequence – [GitLab Data Deletion]

8-Ignoring Scalability Concerns–

• Example: Developing a system without considering future growth.
• Consequence: Performance issues, downtime, and the need for costly rearchitecting.
• Bad: Hardcoding database connections without considering connection pooling.
• Good: Implement connection pooling for efficient database connections.

Real Incident & Consequence – [Reference: Healthcare.gov launch issues]

• Incident: In 2013, the Healthcare.gov website faced scalability issues during its launch due to insufficient infrastructure planning.
• Consequence: Site crashes, long loading times, and public frustration with the Affordable Care Act rollout.
• Loss Amount: Indirect losses due to site crashes, long loading times, and public frustration.

9-Inefficient Algorithm Selection–

• Example: Choosing a suboptimal sorting algorithm for large datasets.
• Consequence: Slow processing times, reduced efficiency, and poor user experience.

Bad Way :

# Inefficient sorting for large datasets
sorted_data = bubble_sort(large_dataset)

Good Way :

# Use a more efficient sorting algorithm
sorted_data = quick_sort(large_dataset)

Real Incident & Consequence – [Reference: 2010 Flash Crash]

• Incident: In 2010, the “Flash Crash” occurred in financial markets due to high-frequency trading algorithms that lacked efficient error handling.
• Consequence: Sharp and sudden stock market drop, causing financial instability.
• Loss Amount: Indirect losses due to the sudden and sharp stock market drop.

10-Neglecting Code Reviews–

• Example: Skipping peer code reviews or not providing constructive feedback.
• Consequence: Increased likelihood of undetected bugs decreased code quality, and longer-term maintenance challenges.
• Bad Way: No code reviews conducted.
• Good Way: Regularly conduct code reviews with peers, providing constructive feedback for improvement.

Real Incident & Consequence – [Boeing 737 MAX Grounding]

• Incident: In 2018, a coding error in the Boeing 737 MAX flight control system was not adequately reviewed, leading to two fatal crashes.
• Consequence: 346 lives lost, regulatory scrutiny, and global grounding of the 737 MAX fleet.
• Loss Amount: Indirect losses due to the grounding of the entire 737 MAX fleet, impacting Boeing’s reputation and financial standing.