There is no fragment in program code where you cannot make mistakes. You may actually make them in very simple fragments. While programmers have worked out the habit of testing algorithms, data exchange mechanisms and interfaces, it's much worse concerning security testing. It is often implemented on the leftover principle. A programmer is thinking: "I just write a couple of lines now, and everything will be ok. And I don't even need to test it. The code is too simple to make a mistake there!". That's not right. Since you're working on security and writing some code for this purpose, test it as carefully!
Static code analysis is the process of detecting errors and defects in software's source code.
Static analysis can be viewed as an automated code review process. Let's speak on the code review now.
Code review is one of the oldest and safest methods of defect detection. It deals with joint attentive reading of the source code and giving recommendations on how to improve it. This process reveals errors or code fragments that can become errors in future. It is also considered that the code's author should not give explanations on how a certain program part works. The program's execution algorithm should be clear directly from the program text and comments. If it is not so, the code needs improving.
I have recently gotten a web application from a nasty contractor who claimed to be a good expert in programming. Unfortunately, we believed him. Functional of the web application seemed to work okay at first glance. However, once the client started using application in the real conditions the things went bad. The contractor has gone after a payment, and I have gotten his errors to fix for a client.
I decided to document a few errors that I found along the way. These are errors that every good programmer should already know to avoid… but obviously some people need to be reminded about them.