As you’ve probably heard by now MITRE released their list of the 25 most dangerous programming errors. GovInfoSecurity had a nice post summarizing the announcement. SQLi is at the top of the list followed closely by OS Command Injection and Buffer Overflows. XSS and Missing Authentication also made the top five. As a quick reference here are the hooligans of the programing world.
- Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
- Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Missing Authentication for Critical Function
- Missing Authorization
- Use of Hard-coded Credentials
- Missing Encryption of Sensitive Data
- Unrestricted Upload of File with Dangerous Type
- Reliance on Untrusted Inputs in a Security Decision
- Execution with Unnecessary Privileges
- Cross-Site Request Forgery (CSRF)
- Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- Download of Code Without Integrity Check
- Incorrect Authorization
- Inclusion of Functionality from Untrusted Control Sphere
- Incorrect Permission Assignment for Critical Resource
- Use of Potentially Dangerous Function
- Use of a Broken or Risky Cryptographic Algorithm
- Incorrect Calculation of Buffer Size
- Improper Restriction of Excessive Authentication Attempts
- URL Redirection to Untrusted Site (‘Open Redirect’)
- Uncontrolled Format String
- Integer Overflow or Wraparound
- Use of a One-Way Hash without a Salt
You can find the full list and all the details on the 2011 Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors website. And if you haven’t already had enough acronyms, the Department of Homeland Security (DHS) and MITRE also released the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF) to coincide with Top 25 announcement. These initiatives work hand-in-hand to help determine the the Top 25 list by identifying potential software vulnerabilities.
No related posts.
Loading ...