Hi Vincent,

While not an overview, you can find language-specific weaknesses for C, Java, C++, and PHP on the "Other Views" page of the Common Weakness Enumeration (CWE) Project (see http://cwe.mitre.org/data/other.html).
The "List" items give the names of the issues, the "Slice" gives a concatenated set of the write-ups of those items, and the "XML" will give you a concatenated extract of the XML for those items versus hunting for them in the complete XML for CWE. These aren't specific to web application issues, so there will be some pruning of the list for your purposes. One way to focus the list would be to correlate them with the CWEs listed in the OWASP Top 10 as a start, which is another list on the above page that has 24 items listed, but some of them are not language-specific, so they would be in addition to the others.

The above lists include 56 for C, Java has 70, C++ has 58, and PHP has 10. You still need to add to that the issues that apply to all languages versus these lists of language-specific weaknesses, and C and C++ have significant overlap given their relationship.

Regards,

Bob Martin
CWE Project Leader
MITRE Corporation

P.S. Comments and suggestions for new items, clarifications, or additional examples are welcome for this community effort, either directly to [EMAIL PROTECTED] or through the cwe-research-list, which you can sign up for on the site.

At 1:16 PM +0100 2/4/08, Vincent Verhagen wrote:
>Hi all,
>
>I was referred to this list by a fellow security consultant for this
>specific question. Please forgive me if this is the wrong forum :)
>
>We're in the process of creating a kind of handbook for third parties
>that develop web applications for us.
>One (quite extensive, I'm happy to report) chapter will be about
>security and for that I'm looking for a comparison of common
>programming/scripting languages (PHP, C variants, JAVA, etc), their
>specific risks and why or why not to use them.
>Has anyone created such an overview I could use as a basis to work from?
>
>Thanks in advance!
>
>Vincent Verhagen
>Simac ICT Netherlands
>
>_______________________________________________
>Secure Coding mailing list (SC-L) SC-L@securecoding.org
>List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>List charter available at - http://www.securecoding.org/list/charter.php
>SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>as a free, non-commercial service to the software security community.
>_______________________________________________
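A worked example of the pruning Bob describes, added here as an illustration; it is not code from the CWE project or from either poster. It takes a constructed excerpt in the shape of the current CWE XML download (the "cwe-7" namespace, Weakness/Applicable_Platforms/Language elements and the "Not Language-Specific" class are assumptions about that schema; the CWE IDs and names are real, the platform lists are abbreviated), builds the per-language list and the applies-to-all list, intersects them with a stand-in for the OWASP Top 10 view, and reports the C/C++ overlap. On the real XML you would pass the file to xml.etree.ElementTree.parse instead of the embedded string.

```python
"""Prune a CWE language-specific list against an OWASP Top 10 view.

Added example: constructed CWE-style XML excerpt, assumed schema layout.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt. Element layout and namespace are assumptions about the
# current CWE XML schema; IDs and names are real CWE entries, platform lists
# are shortened for the example.
CWE_SAMPLE = """<?xml version="1.0"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7">
 <Weaknesses>
  <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')">
   <Applicable_Platforms><Language Class="Not Language-Specific"/></Applicable_Platforms>
  </Weakness>
  <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')">
   <Applicable_Platforms><Language Class="Not Language-Specific"/></Applicable_Platforms>
  </Weakness>
  <Weakness ID="98" Name="Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')">
   <Applicable_Platforms><Language Name="PHP"/></Applicable_Platforms>
  </Weakness>
  <Weakness ID="120" Name="Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')">
   <Applicable_Platforms><Language Name="C"/><Language Name="C++"/></Applicable_Platforms>
  </Weakness>
  <Weakness ID="134" Name="Use of Externally-Controlled Format String">
   <Applicable_Platforms><Language Name="C"/><Language Name="C++"/></Applicable_Platforms>
  </Weakness>
  <Weakness ID="470" Name="Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')">
   <Applicable_Platforms><Language Name="Java"/><Language Name="PHP"/></Applicable_Platforms>
  </Weakness>
 </Weaknesses>
</Weakness_Catalog>
"""

NS = {"cwe": "http://cwe.mitre.org/cwe-7"}

# Stand-in for the OWASP Top 10 view on the "Other Views" page: a constructed
# subset of IDs chosen for this example, not the real 24-item list.
OWASP_TOP10_VIEW = {79, 89, 98}


def parse_weaknesses(xml_text):
    """Map CWE ID -> {name, languages, classes} from a CWE-style catalog."""
    root = ET.fromstring(xml_text)
    weaknesses = {}
    for w in root.iterfind(".//cwe:Weakness", NS):
        languages, classes = set(), set()
        for lang in w.iterfind("cwe:Applicable_Platforms/cwe:Language", NS):
            if "Name" in lang.attrib:
                languages.add(lang.attrib["Name"])
            if "Class" in lang.attrib:
                classes.add(lang.attrib["Class"])
        weaknesses[int(w.attrib["ID"])] = {
            "name": w.attrib["Name"],
            "languages": languages,
            "classes": classes,
        }
    return weaknesses


def language_specific(weaknesses, language):
    """IDs whose applicable platforms name this language explicitly."""
    return {cid for cid, w in weaknesses.items() if language in w["languages"]}


def applies_to_all(weaknesses):
    """IDs flagged as not language-specific: they go on every language's list."""
    return {cid for cid, w in weaknesses.items()
            if "Not Language-Specific" in w["classes"]}


def focus_list(weaknesses, language, view_ids):
    """Split (language-specific + common) IDs by membership in a view."""
    candidates = language_specific(weaknesses, language) | applies_to_all(weaknesses)
    return {
        "priority": sorted(candidates & view_ids),   # in the view: handle first
        "remaining": sorted(candidates - view_ids),  # still relevant, lower priority
    }


def overlap(weaknesses, lang_a, lang_b):
    """IDs that appear on both languages' lists (e.g. the C/C++ overlap)."""
    return sorted(language_specific(weaknesses, lang_a)
                  & language_specific(weaknesses, lang_b))


if __name__ == "__main__":
    catalog = parse_weaknesses(CWE_SAMPLE)
    for lang in ("PHP", "C", "Java"):
        print(lang, focus_list(catalog, lang, OWASP_TOP10_VIEW))
    print("C/C++ overlap:", overlap(catalog, "C", "C++"))
```

The two-bucket output is the shape of handbook chapter Vincent asked for: "priority" is what the OWASP view already flags for that language plus the language-agnostic entries, "remaining" is what the CWE list adds on top, and the overlap call shows how much of the C and C++ lists is shared before you write them up separately.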