
Security Development Lifecycle (SDL) Banned Function Calls

Michael Howard has a very good article on the C/C++ API calls to avoid when developing applications.

"When the C runtime library (CRT) was first created about 25
years ago, the threats to computers were different; machines were not
as interconnected as they are today, and attacks were not as prevalent.
With this in mind, a subset of the C runtime library must be deprecated
for new code and, over time, removed from earlier code. It’s just too
easy to get code wrong that uses these outdated functions. Even some of
the classic replacement functions are prone to error, too.

This list is the SDL view of what comprises banned APIs; it is
derived from experience with real-world security bugs and focuses
almost exclusively on functions that can lead to buffer overruns
(Howard, LeBlanc, and Viega 2005). Any function in this section’s
tables must be replaced with a more secure version. Obviously, you
cannot replace a banned API with another banned API. For example,
replacing strcpy with strncpy is not valid because strncpy is banned,
too.

Also note that some of the function names might be a little
different, depending on whether the function takes ASCII, Unicode, _T
(ASCII or Unicode), or multibyte chars. Some function names might
include A or W at the end of the name. For example, the StrSafe
StringCbCatEx function is also available as StringCbCatExW (Unicode)
and StringCbCatExA (ASCII)."

Article Link: http://msdn2.microsoft.com/en-us/library/bb288454.aspx
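As an added example (not code from Howard's article or from CGISecurity), the C below shows why strncpy is not a valid replacement for strcpy: when the source does not fit, strncpy leaves the destination without a terminator, so a later read runs off the end of the buffer. safe_copy is a hypothetical bounded copy with StringCbCopy-like behaviour (always terminates, reports truncation) standing in for the StrSafe functions, which are Windows-only.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed demo (not code from Howard's article or CGISecurity): strncpy
 * silently leaves dst unterminated when src does not fit, which is why it is
 * banned alongside strcpy. safe_copy is a hypothetical bounded copy with
 * StringCbCopy-like behaviour: always NUL-terminates, reports truncation. */

/* Returns 1 if strncpy leaves the dst_size-byte buffer with no NUL terminator. */
int strncpy_leaves_unterminated(const char *src, size_t dst_size) {
    char dst[64];
    if (dst_size == 0 || dst_size > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);       /* poison so a missing NUL is visible */
    strncpy(dst, src, dst_size);        /* pads with NUL only if src is shorter */
    return memchr(dst, '\0', dst_size) == NULL;
}

/* Bounded copy: 0 on success, ERANGE if truncated (dst still terminated),
 * EINVAL if dst_size is 0. Never reads more than dst_size bytes of src. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return EINVAL;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {                /* src (plus its NUL) does not fit */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);            /* includes the terminator */
    return 0;
}

/* Copies src into a dst_size-byte buffer with safe_copy and returns its status,
 * or -2 if the result is unterminated, -3 if it differs from expected. */
int safe_copy_check(const char *src, size_t dst_size, const char *expected) {
    char dst[64];
    if (dst_size > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);
    int rc = safe_copy(dst, dst_size, src);
    if (rc == EINVAL) return rc;
    if (memchr(dst, '\0', dst_size) == NULL) return -2;
    if (strcmp(dst, expected) != 0) return -3;
    return rc;
}
```

Note that the exact-fit case ("12345678" into 8 bytes) is the one that trips people up: strncpy copies every byte and writes no terminator, while safe_copy reports ERANGE and keeps the string usable.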