13Jan2009 (UTC +8) I think it's a great list. Not original though, because the OWASP guys have been working on something like that already for some time now. As long as they get the word out, then IT people can get it right the first time, and in their effort, help make the word a better place.
If the list below was properly addressed by web developers today, it makes Internet penetration testing a lot more challenging... and definitely weed out the wannabees. On 1/13/09, Gabriel H. Mercado <[email protected]> wrote: > This is somewhat OT, but I just wanted to ask the list what they think about > the 'THE TOP 25 MOST DANGEROUS PROGRAMMING ERRORS' accdg. to The US > National Security Agency, article here: > http://news.bbc.co.uk/2/hi/technology/7824939.stm > > CWE-20:Improper Input Validation > CWE-116:Improper Encoding or Escaping of Output > CWE-89:Failure to Preserve SQL Query Structure > CWE-79:Failure to Preserve Web Page Structure > CWE-78:Failure to Preserve OS Command Structure > CWE-319:Cleartext Transmission of Sensitive Information > CWE-352:Cross-Site Request Forgery > CWE-362:Race Condition > CWE-209:Error Message Information Leak > CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer > CWE-642:External Control of Critical State Data > CWE-73:External Control of File Name or Path > CWE-426:Untrusted Search Path > CWE-94:Failure to Control Generation of Code > CWE-494:Download of Code Without Integrity Check > CWE-404:Improper Resource Shutdown or Release > CWE-665:Improper Initialization > CWE-682:Incorrect Calculation > CWE-285:Improper Access Control > CWE-327:Use of a Broken or Risky Cryptographic Algorithm > CWE-259:Hard-Coded Password > CWE-732:Insecure Permission Assignment for Critical Resource > CWE-330:Use of Insufficiently Random Values > CWE-250:Execution with Unnecessary Privileges > CWE-602:Client-Side Enforcement of Server-Side Security > Source: SANS Institute Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA http://www.laggui.com ( Singapore / Manila / California ) Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E _________________________________________________ Philippine Linux Users' Group (PLUG) Mailing List http://lists.linux.org.ph/mailman/listinfo/plug Searchable Archives: http://archives.free.net.ph
