SQLAuthority News – CWE/SANS TOP 25 Most Dangerous Programming Errors

I just came across very interesting article from SANS Institute. Experts from more than 30 US and international cyber security organizations have released list of 25 most dangerous programming errors and their resolution. It may be possible that many of the programmers may not understand what this errors are and how to implement their solution. As said this are 25 most dangerous errors and all the developers should atleast know what they are so they do not are prevented from origin. Here are four major advantages listed by SANS.

  • Software buyers will be able to buy much safer software.
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code.

Following is the list of 25 most dangerous programming errors.

CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-362: Race Condition
CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

Please go to SANS site and click on each error to find their resolution.

Reference : Pinal Dave (http://blog.SQLAuthority.com), list of 25 most dangerous programming errors

About these ads

3 thoughts on “SQLAuthority News – CWE/SANS TOP 25 Most Dangerous Programming Errors

  1. Hi, The report is a good example of how the programmers do go wrong in their programming. Programmers think that writing codes itself is their duty but the real art of programming is writing with security in mind. People are from the beginning days of learning programming, are not taught how to develop a secured application this is because they think it is the feature and automatically looked after by the compiler. And also programmers think that Updating their computers and operating systems it self is the security, but the bugs they write in their programs create vulnerabilities which the hackers look for. For more information about the vulnerabilities and prevention:http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s