Hi Vincent,

While not a overview, you can find language specific weaknesses for 
C, Java, C++, and PHP on the "Other Views" page of the Common 
Weakness Enumeration (CWE) Project (see 

The "List" items give the names of the issues, the "Slice" gives a 
concatenated set of the write-ups of those items, and the "XML" will 
give you a concatenated extract of the XML for those items versus 
hunting for them in the complete XML for CWE.

These aren't specific to web application issues so there will be some 
pruning of the list for your purposes.  One way to focus the list 
would be to correlate them with the CWEs listed in the OWASP Top 10 
as a start, which is another list on the above page that has 24 items 
listed but some of them are not language specific so they would be in 
addition to the others.

The above lists include 56 for C, Java has 70, C++ has 58, and PHP has 10.

You still need to add to that issues that apply to all languages 
versus these lists of language specific weaknesses and C and C++ have 
significant overlap given their relationship.


Bob Martin
CWE Project Leader
MITRE Corporation

P.S. Comments and suggestions for new items, clarifications, or 
additional examples are welcome for this community effort either 
directly to [EMAIL PROTECTED] or through the cwe-research-list which you 
can sign-up for on the site.

At 1:16 PM +0100 2/4/08, Vincent Verhagen wrote:
>Hi all,
>I was referred to this list by a fellow security consultant for this
>specific question. Please forgive me if this is the wrong forum :)
>We're in the process of creating a kind of handbook for third parties
>that develop web applications for us.
>One (quite extensive, I'm happy to report) chapter will be about
>security and for that I'm looking for a comparison of common
>programming/scripting languages (PHP, C variants, JAVA, etc) their
>specific risks and why or why not to use them.
>Has anyone created such an overview I could use as a basis to work from?
>Thanks in advance!
>Vincent Verhagen
>Simac ICT Netherlands
>Secure Coding mailing list (SC-L) SC-L@securecoding.org
>List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>List charter available at - http://www.securecoding.org/list/charter.php
>SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>as a free, non-commercial service to the software security community.

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to