Hi Vincent,
While not an overview, you can find language-specific weaknesses for
C, Java, C++, and PHP on the "Other Views" page of the Common
Weakness Enumeration (CWE) Project (see
http://cwe.mitre.org/data/other.html).
The "List" items give the names of the issues, the "Slice" gives a
concatenated set of the write-ups of those items, and the "XML" will
give you a concatenated extract of the XML for those items versus
hunting for them in the complete XML for CWE.
These aren't specific to web application issues, so there will be some
pruning of the list for your purposes. One way to focus the list
would be to correlate them with the CWEs listed in the OWASP Top 10
as a start, which is another list on the above page that has 24 items
listed, but some of them are not language-specific, so they would be in
addition to the others.
The above lists include 56 for C, Java has 70, C++ has 58, and PHP has 10.
You still need to add to that the issues that apply to all languages
versus these lists of language-specific weaknesses, and C and C++ have
significant overlap given their relationship.
Regards,
Bob Martin
CWE Project Leader
MITRE Corporation
P.S. Comments and suggestions for new items, clarifications, or
additional examples are welcome for this community effort either
directly to [EMAIL PROTECTED] or through the cwe-research-list which you
can sign-up for on the site.
At 1:16 PM +0100 2/4/08, Vincent Verhagen wrote:
>Hi all,
>
>I was referred to this list by a fellow security consultant for this
>specific question. Please forgive me if this is the wrong forum :)
>
>We're in the process of creating a kind of handbook for third parties
>that develop web applications for us.
>One (quite extensive, I'm happy to report) chapter will be about
>security, and for that I'm looking for a comparison of common
>programming/scripting languages (PHP, C variants, Java, etc.), their
>specific risks, and why or why not to use them.
>Has anyone created such an overview I could use as a basis to work from?
>
>Thanks in advance!
>
>Vincent Verhagen
>Simac ICT Netherlands
>
>___
>Secure Coding mailing list (SC-L) SC-L@securecoding.org
>List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>List charter available at - http://www.securecoding.org/list/charter.php
>SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>as a free, non-commercial service to the software security community.
>___