ABSTRACT

The use of deprecated or obsolete functions could indicate neglected code.

EXPLANATION

As programming languages evolve, functions occasionally become obsolete due to:

- Advances in the language

- Improved understanding of how operations should perform effectively and securely

- Changes in the conventions that govern certain operations

Functions that are removed from a language are usually replaced by newer counterparts that perform the same task in some different and hopefully better way.

Example: The following code constructs a new SqlClientPermission object, which regulates how users are allowed to connect to a database. In this example, the program passes false as the second parameter to the constructor, which controls whether users are allowed to connect with blank passwords. Passing false to this parameter indicates that blank passwords should not be allowed.


...
// 'pstate' is a PermissionState chosen elsewhere; 'false' is intended to forbid blank passwords
SCP = new SqlClientPermission(pstate, false);
...


However, because the PermissionState value passed as the first parameter supersedes any value passed to the second parameter, the constructor allows blank passwords for database connections, which contradicts the intent of the second argument. To disallow blank passwords, the program should pass PermissionState.None as the first parameter of the constructor. Because of this ambiguity, the two-parameter version of the SqlClientPermission constructor has been deprecated in favor of the single-parameter version, which conveys the same information without the risk of misinterpretation.
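The following is an added example, not code from the original page: it places the deprecated two-parameter constructor beside the single-parameter replacement and adds a small check a reviewer can use to see whether a permission object effectively allows blank passwords. It assumes the .NET Framework, where Code Access Security permissions are enforced; the helper names and the connection-string restriction are hypothetical.

```csharp
// Added example (not from the original page). Assumes .NET Framework CAS.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;

static class BlankPasswordPolicy
{
    // Deprecated form from the page: the PermissionState argument decides the
    // outcome, so an Unrestricted state permits blank passwords even though the
    // second argument says false. The compiler reports this overload as obsolete.
    static SqlClientPermission Deprecated(PermissionState pstate)
    {
#pragma warning disable 618 // kept only to show the ambiguous overload
        return new SqlClientPermission(pstate, false);
#pragma warning restore 618
    }

    // Replacement: start from PermissionState.None (nothing allowed) and grant
    // only what is needed. The Add() restriction below is a hypothetical policy.
    static SqlClientPermission Restricted()
    {
        var perm = new SqlClientPermission(PermissionState.None);
        perm.AllowBlankPassword = false;
        perm.Add("server=;database=;", "", KeyRestrictionBehavior.AllowOnly);
        return perm;
    }

    // Hypothetical review helper: a permission lets a blank password through
    // if it is unrestricted as a whole or explicitly allows blank passwords.
    static bool EffectivelyAllowsBlankPassword(SqlClientPermission p)
    {
        return p.IsUnrestricted() || p.AllowBlankPassword;
    }

    static void Main()
    {
        SqlClientPermission ambiguous = Deprecated(PermissionState.Unrestricted);
        Console.WriteLine("deprecated overload allows blank password: "
                          + EffectivelyAllowsBlankPassword(ambiguous));

        SqlClientPermission tight = Restricted();
        Console.WriteLine("single-parameter form allows blank password: "
                          + EffectivelyAllowsBlankPassword(tight));
    }
}
```

On .NET Core and later, Code Access Security is not enforced and these permission classes exist only for source compatibility, so the check above is meaningful only on the .NET Framework.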

Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 477