12Jan/090

Top 25 Dangerous Programming Errors

Presenting the "CWE/SANS TOP 25 Most Dangerous Programming Errors" (more detail and pdf available here ).

This is an excellent, excellent list of very common programming errors that can and should always be easily avoided by the use of common sense and paying attention to what we're doing. They're presented in three categories: Insecure Interaction Between Components (think XSS), Risky Resource Management, and Porous Defenses.

CATEGORY: Insecure Interaction Between Components

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
  • CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
  • CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management

  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses

  • CWE-285: Improper Access Control (Authorization)
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security

Read the full article and please use this list on your next software project. If you need further information and/or assistance in securing your code, OWASP is a great resource, check them out and help to support them.

Filed under: Security Leave a comment
Comments (0) Trackbacks (0)

No comments yet.


Leave a comment


No trackbacks yet.

« Dependency Injection and Inversion of Control CSS Opacity Tip »
twitter delicious
safe to click,
no evil Javascript on these links

Menu

Ubuntu Linux

Gentoo Linux

LinuxChix button

Recent Posts

Geek News RSS