
Friday, March 13, 2009

CODING ERRORS THAT HELP HACKERS

Some 25 software coding errors have helped cyber criminals gain access to sites and accounts, contributing to nearly 1.5 million security breaches.

The SANS Institute in Maryland said that in 2008, just two of the errors led to more than 1.5m web site security breaches.

The organisations that helped compile the list, which include the US National Security Agency, the Department of Homeland Security, Microsoft, and Symantec, published the document.

"The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers," the BBC quoted Chris Wysopal, chief technology officer with Veracode.

SANS director, Mason Brown said: "There appears to be broad agreement on the programming errors. Now it is time to fix them. We need to make sure every programmer knows how to write code that is free of the top 25 errors."

While most of the earlier advice focused on the vulnerabilities that result from programming errors, the Top 25 list examines the programming errors themselves.

The 25 Most Dangerous Programming Errors are:

CWE-116: Improper Encoding or Escaping of Output

CWE-89: Failure to Preserve SQL Query Structure

CWE-20: Improper Input Validation

CWE-79: Failure to Preserve Web Page Structure

CWE-78: Failure to Preserve OS Command Structure

CWE-319: Cleartext Transmission of Sensitive Information

CWE-352: Cross-Site Request Forgery

CWE-362: Race Condition

CWE-209: Error Message Information Leak

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

CWE-642: External Control of Critical State Data

CWE-73: External Control of File Name or Path

CWE-665: Improper Initialization

CWE-426: Untrusted Search Path

CWE-94: Failure to Control Generation of Code

CWE-494: Download of Code Without Integrity Check

CWE-404: Improper Resource Shutdown or Release

CWE-682: Incorrect Calculation

CWE-285: Improper Access Control

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CWE-259: Hard-Coded Password

CWE-732: Insecure Permission Assignment for Critical Resource

CWE-330: Use of Insufficiently Random Values

CWE-250: Execution with Unnecessary Privileges

CWE-602: Client-Side Enforcement of Server-Side Security (ANI)

This list was produced by the National Security Agency (NSA) and 30 other organisations to highlight these flaws.
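As an added illustration of the CWE-89 entry above (this is example code, not from the original post or from SANS), the following Python/sqlite3 snippet contrasts a query built by string concatenation, where the input can rewrite the query's structure, with a parameterised query, where it cannot; the users table and the inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo: a tiny users table.
SAMPLE_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("carol", "s3cret-c")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    # CWE-89: the input is spliced into the SQL text, so quote characters
    # in it become SQL syntax and can add or alter clauses.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Fix: the query structure is fixed before execution; the input is
    # bound as a value and is never interpreted as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Return (concatenated-query result, parameterised-query result) for one input."""
    conn = make_db()
    try:
        try:
            concat = lookup_concat(conn, name)
        except sqlite3.Error as exc:
            # A legitimate name containing an apostrophe breaks the concatenated
            # query outright; surfacing this text to users would also be CWE-209.
            concat = "sqlite error: " + str(exc)
        return concat, lookup_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

For the plain name both queries agree; for the apostrophe the concatenated query fails while the parameterised one simply finds no match; for the quote-closing input the concatenated query's WHERE clause is rewritten and returns every row.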
