
TOP 25 most dangerous programming errors

UPD: Warm greetings to the silent night-time downvoters! =)

"Oh no, another TOP list..." you are probably thinking. But this time information security specialists from around the world got down to business, and they took it seriously. So if you are in any way involved in software development, it will not hurt to find out which fundamental errors are made most often when writing and designing code.

On January 12, a document titled "2009 CWE/SANS Top 25 Most Dangerous Programming Errors" was published on The MITRE Corporation website. It is the fruit of a joint effort by two very large organizations: the SANS Institute (SysAdmin, Audit, Network, Security) and the MITRE Corporation. As always with projects that receive US government support, everything is done very thoroughly.

Here is my free translation of the introduction to this document:
"Top 25 Most Dangerous Programming Errors" is a list of the most dangerous programming errors that can lead to serious software vulnerabilities. They are frequent, easy to find, and easy to exploit. They are dangerous because they often allow an attacker to take complete control of a program, steal data, or stop the program from working at all.
This list is the result of collaboration between the SANS Institute, MITRE and many information security experts in the United States and Europe. It draws on the experience gained in compiling the SANS Institute's "Top 20 attack vectors" and MITRE's "Common Weakness Enumeration (CWE)". MITRE maintains a website dedicated to CWE, supported by the National Cyber Security Division of the US Department of Homeland Security (I'm not going to translate this), that provides detailed descriptions of the 25 major programming errors along with authoritative recommendations on how to mitigate and avoid them. The CWE site also contains data on more than 700 other programming, design, and architecture errors that can lead to vulnerabilities.
The main goal of the list is to nip vulnerabilities in the bud by teaching programmers to eliminate the most common errors before software is released. The list will serve as a tool for education and awareness that helps programmers prevent the types of vulnerabilities that plague the software industry. Software customers can use the same list to place higher security demands on the software they buy. Finally, project managers and CIOs (Chief Information Officers) can use this TOP 25 to measure how well they are securing their programs.

Actually, I'd rather give the list of errors itself without translation:

Insecure Interaction Between Components

These weaknesses concern insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
* CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
* CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak

Risky Resource Management

These weaknesses concern ways in which software fails to properly manage the creation, use, transfer, or destruction of important system resources.

* CWE-119: Failure to Constrain Operations
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation

Porous Defenses

These weaknesses concern defensive techniques that are often misused, abused, or just plain ignored.

* CWE-285: Improper Access Control (Authorization)
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security

For those who are comfortable with English, I highly recommend reading the original list, because it contains valuable advice on how to avoid all of these mistakes. But even simply meditating on this post will greatly improve the security of your code, and perhaps your program will even manage to successfully complete an infinite loop. Twice.

Source: https://habr.com/ru/post/50046/
