NSA Helps Name Most Dangerous Programming Mistakes



  • I spotted this via digg and the link below:

    The page with the 25 most dangerous programming mistakes is not working at the moment, so in no particular order:

    1. Improper Input Validation
    2. Improper Encoding or Escaping of Output
    3. Failure to Preserve SQL Query Structure (aka 'SQL Injection')
    4. Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
    5. Failure to Preserve OS Command Structure (aka 'OS Command Injection')
    6. Cleartext Transmission of Sensitive Information
    7. Cross-Site Request Forgery (CSRF)
    8. Race Condition
    9. Error Message Information Leak
    10. Failure to Constrain Operations within the Bounds of a Memory Buffer
    11. External Control of Critical State Data
    12. External Control of File Name or Path
    13. Untrusted Search Path
    14. Failure to Control Generation of Code (aka 'Code Injection')
    15. Download of Code Without Integrity Check
    16. Improper Resource Shutdown or Release
    17. Improper Initialization
    18. Incorrect Calculation
    19. Improper Access Control (Authorization)
    20. Use of a Broken or Risky Cryptographic Algorithm
    21. Hard-Coded Password
    22. Insecure Permission Assignment for Critical Resource
    23. Use of Insufficiently Random Values
    24. Execution with Unnecessary Privileges
    25. Client-Side Enforcement of Server-Side Security

    Anyone agree or disagree with these?

    Rob


  • Discourse touched me in a no-no place


  • Discourse touched me in a no-no place

     

    The only reason theese are the most dangerous miistakes is because
    90% of developers don't fucking know what they're fucking doing. I can
    count on... One finger the number of those which were touched upon in
    my formal education. (Penn State IST Systems Design and Development, to
    name and shame the relevant people)

     The one that we DID cover is input validation... But I suspect the only reason that was covered is because it's the Duh Example for exception handling.

     Everything else I learned about security, I learned on my own time and dime - and the only reason I did that is because I'm personally extremely paranoid. 



  • @Weng said:

     The one that we DID cover is input validation... But I suspect the only reason that was covered is because it's the Duh Example for exception handling.
    Any program that doesn't cover race conditions should be burned to the ground, the ashes mixed into concrete and dropped into the Marianas Trench.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.