from http://www.sans.org/top25errors/
see also: http://news.bbc.co.uk/2/hi/technology/7824939.stm<p>What Errors Are Included in the Top 25?
The Top 25 Errors are listed below in three categories:<p><pre><code> * Category: Insecure Interaction Between Components (9 errors)
* Category: Risky Resource Management (9 errors)
* Category: Porous Defenses (7 errors)
</code></pre>
Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following:<p><pre><code> * links to the full CWE entry data,
* data fields for weakness prevalence and consequences,
* remediation cost,
* ease of detection,
* attack frequency and attacker awareness
* related CWE entries
* related patterns of attack for this weakness.
</code></pre>
Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation<p>It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...MORE >>
CWE-116: Improper Encoding or Escaping of Output<p>Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...MORE >>
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')<p>If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>
CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')<p>Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')<p>When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>
CWE-319: Cleartext Transmission of Sensitive Information<p>If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...MORE >>
CWE-352: Cross-Site Request Forgery (CSRF)<p>With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>
CWE-362: Race Condition<p>Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>
CWE-209: Error Message Information Leak<p>If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>
CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer<p>Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>
CWE-642: External Control of Critical State Data<p>There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...MORE >>
CWE-73: External Control of File Name or Path<p>When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could... MORE >>
CWE-426: Untrusted Search Path<p>If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time...MORE >>
CWE-94: Failure to Control Generation of Code (aka 'Code Injection')<p>For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when...MORE >>
CWE-494: Download of Code Without Integrity Check<p>You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>
CWE-404: Improper Resource Shutdown or Release<p>When your precious system resources have reached their end-of-life, you need to...MORE >>
CWE-665: Improper Initialization<p>Just as you should start your day with a healthy breakfast, proper initialization helps to ensure...MORE >>
CWE-682: Incorrect Calculation<p>When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to...MORE >>
CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization)<p>If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>
CWE-327: Use of a Broken or Risky Cryptographic Algorithm<p>You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>
CWE-259: Hard-Coded Password<p>Hard-coding a secret account and password into your software's authentication module is...MORE >>
CWE-732: Insecure Permission Assignment for Critical Resource<p>If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>
CWE-330: Use of Insufficiently Random Values<p>If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank...MORE >>
CWE-250: Execution with Unnecessary Privileges<p>Spider Man, the well-known comic superhero, lives by the motto "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky...MORE >>
CWE-602: Client-Side Enforcement of Server-Side Security<p>Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls...MORE >>
Resources to Help Eliminate The Top 25 Errors<p>The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
www.sans.org/top25
cwe.mitre.org/top25/<p>MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. cwe.mitre.org/<p>SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
Email spa@sans.org for details
And see www.sans-ssi.org/certification/ for the GSSP Blueprints<p>SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf