The United States National Security Agency (NSA) has released a list of the top 25 coding errors that have landed coders and webmasters into hot water.
The SANS institute located in Maryland reported that "1.5 million websites were breached" because of two types of coding errors that are on the list. These errors are so malicious and commonly made that the NSA, the Department of Homeland Security, Microsoft, Symantec and many more published a list, a first of its kind, to help out developers as they are coding.
The list is hoped to help those coders and upcoming coders from making the mistakes that veteran coders learned the hard way. With more awareness of common, but serious, coding errors everyone will benefit from the knowledge and consumer's data will remain safe.
- CWE-20:Improper Input Validation
CWE-116:Improper Encoding or Escaping of Output
CWE-89:Failure to Preserve SQL Query Structure
CWE-79:Failure to Preserve Web Page Structure
CWE-78:Failure to Preserve OS Command Structure
CWE-319:Cleartext Transmission of Sensitive Information
CWE-352:Cross-Site Request Forgery
CWE-362:Race Condition
CWE-209:Error Message Information Leak
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642:External Control of Critical State Data
CWE-73:External Control of File Name or Path
CWE-426:Untrusted Search Path
CWE-94:Failure to Control Generation of Code
CWE-494:Download of Code Without Integrity Check
CWE-404:Improper Resource Shutdown or Release
CWE-665:Improper Initialization
CWE-682:Incorrect Calculation
CWE-285:Improper Access Control
CWE-327:Use of a Broken or Risky Cryptographic Algorithm
CWE-259:Hard-Coded Password
CWE-732:Insecure Permission Assignment for Critical Resource
CWE-330:Use of Insufficiently Random Values
CWE-250:Execution with Unnecessary Privileges
CWE-602:Client-Side Enforcement of Server-Side Security
18 Comments - Add comment