I look at those things and I fear that people will look at it as “Oh, as long as I do these n items I’m fine.” Those people convince themselves they’re safe when they’re not. If your application has error #26, or #52, or #375, it’s still broken, it’s still insecure. The attackers don’t care if your application has RFI, SQL injection, or has a backdoor account. Anything that lets them in is fine.
In my mind I criticize these kinds of lists but really I think usually the people that make those kinds of lists are earnestly trying to help people and improve the situation. I just think their approach is futile. Then I ask myself if I have a better solution and of course I don’t.
I wonder how long each of the programming errors on that list have been spoken about on the Internet as a hazard. I’m sure each one has been discussed ad nauseum on lists like this for a few years at least. Still, we have programmers who don’t care, programmers who don’t bother reading the list, programmers not aware of the list, and “programmers” who wouldn’t understand the list if it were right in front of them. There is an endless supply of new, bad, and apathetic programmers to replace any corrected by such lists.
Do lists like this make things any better?