Top 25 most dangerous programmer errors

  • Top 25 most dangerous programmer errors

    This was a fun list. I think an interesting question is: how many of these can be solved by using something better than C? Not many I guess, heh. Overall these seem to be "no shit sherlock" sort of problems, but they are still frequent...

    http://www.sans.org/top25errors//?cat=top25

    Here's the list:
    1. Improper Input Validation
    2. Improper Encoding or Escaping of Output
    3. Failure to Preserve SQL Query Structure (aka 'SQL Injection')
    4. Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
    5. Failure to Preserve OS Command Structure (aka 'OS Command Injection')
    6. Cleartext Transmission of Sensitive Information
    7. Cross-Site Request Forgery (CSRF)
    8. Race Condition
    9. Error Message Information Leak
    10. Failure to Constrain Operations within the Bounds of a Memory Buffer
    11. External Control of Critical State Data
    12. External Control of File Name or Path
    13. Untrusted Search Path
    14. Failure to Control Generation of Code (aka 'Code Injection')
    15. Download of Code Without Integrity Check
    16. Improper Resource Shutdown or Release
    17. Improper Initialization
    18. Incorrect Calculation
    19. Improper Access Control (Authorization)
    20. Use of a Broken or Risky Cryptographic Algorithm
    21. Hard-Coded Password
    22. Insecure Permission Assignment for Critical Resource
    23. Use of Insufficiently Random Values
    24. Execution with Unnecessary Privileges
    25. Client-Side Enforcement of Server-Side Security

  • #2
    Re: Top 25 most dangerous programmer errors

    Almost every single one of these has a failure in trust:
    * Failure to validate trust
    * Failure to establish trust
    * Failure to maintain trust
    * Failure to use a model that provides adequate trust
    * Failure to use infrastructure of trust properly

    Nice link Bascule. Now I am trying to think of how many times I've encountered each of the above in other people's code, and my own code. 0:-)



    • #3
      Re: Top 25 most dangerous programmer errors

      Originally posted by TheCotMan:
      Almost every single one of these has a failure in trust
      They actually broke it down into 3 categories, which it might've been nice to include:
      1. Insecure Interaction Between Components
      2. Risky Resource Management
      3. Porous Defenses


      Although I'd like to add one to your list: Failure to trust a garbage collector
