• E-mail this page
• |  Print this page
• | 
• | 
• | 

The List Developers Need To Know

There seems an almost endless number of mistakes that can be made to make applications susceptible to attack. Fortunately, the list of programming mistakes that really matter in today's risk environment is relatively small. Here's that list.

The list below was published today by the SANS Institute. The list is based on a consensus gathered by 30 U.S. and international security organizations, including US-CERT, the NSA, and several security vendors. There's no surprises in this list, other than the fact that it was possible for so many organizations to come to a consensus and agree on the top 25 mistakes developers make. What is surprising, however, is that after 20 years since the first widespread Internet attack -- the Morris Worm in 1998 to today's rampant number of security breaches and fraud -- so many junior varsity programming errors are still rampant.

There's no excuse for unvalidated inputs, yet there's that programming mistake at the top of the list. Nor is there much of an excuse for the breakdown of SQL Query structure, or the sending of sensitive data in cleartext. Hard-coding of passwords directly into the application, anyone? Ridiculous. It's also on the list.

Here they are, the programming gaffes the industry should take every effort possible to eradicate:

CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-362: Race Condition
CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization)
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

« Microsoft's Fear Of BitTorrent | Main | MojoPortal A Solid CMS Option For .NET Shops »