Yes, I definitely agree. Hopefully, various secure software development and security awareness initiatives being implemented by companies today will reasonably reduce programming-related vulnerabilities in their applications.
-- 
Cheers,
*Christian Masancay, CISM CISSP CISA GSEC CPA*
Information Security/IT Assurance Consultant
ISO 27001:2005 (ISMS) Provisional Auditor | MCSE: Security | Security+ | CCNA | MCDBA | MCSD .NET
PGP Fingerprint: 9048 CAB8 3E9E 21F1 215A A5C3 D86B AB87 614B D88E
/"Security is only as strong as the weakest link."/
http://www.infosec.ph (Information Security and IT News)

Drexx Laggui [personal] wrote:
> 13Jan2009 (UTC +8)
>
> I think it's a great list. Not original though, because the OWASP guys
> have been working on something like that already for some time now. As
> long as they get the word out, then IT people can get it right the
> first time, and in their effort, help make the world a better place.
>
> If the list below was properly addressed by web developers today, it
> would make Internet penetration testing a lot more challenging... and
> definitely weed out the wannabes.
>
>
> On 1/13/09, Gabriel H. Mercado <[email protected]> wrote:
>
>> This is somewhat OT, but I just wanted to ask the list what they think about
>> the 'THE TOP 25 MOST DANGEROUS PROGRAMMING ERRORS' according to The US
>> National Security Agency, article here:
>> http://news.bbc.co.uk/2/hi/technology/7824939.stm
>>
>> CWE-20: Improper Input Validation
>> CWE-116: Improper Encoding or Escaping of Output
>> CWE-89: Failure to Preserve SQL Query Structure
>> CWE-79: Failure to Preserve Web Page Structure
>> CWE-78: Failure to Preserve OS Command Structure
>> CWE-319: Cleartext Transmission of Sensitive Information
>> CWE-352: Cross-Site Request Forgery
>> CWE-362: Race Condition
>> CWE-209: Error Message Information Leak
>> CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
>> CWE-642: External Control of Critical State Data
>> CWE-73: External Control of File Name or Path
>> CWE-426: Untrusted Search Path
>> CWE-94: Failure to Control Generation of Code
>> CWE-494: Download of Code Without Integrity Check
>> CWE-404: Improper Resource Shutdown or Release
>> CWE-665: Improper Initialization
>> CWE-682: Incorrect Calculation
>> CWE-285: Improper Access Control
>> CWE-327: Use of a Broken or Risky Cryptographic Algorithm
>> CWE-259: Hard-Coded Password
>> CWE-732: Insecure Permission Assignment for Critical Resource
>> CWE-330: Use of Insufficiently Random Values
>> CWE-250: Execution with Unnecessary Privileges
>> CWE-602: Client-Side Enforcement of Server-Side Security
>>
>> Source: SANS Institute
>>
>
>
> Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> http://www.laggui.com ( Singapore / Manila / California )
> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
>

