Sunday, July 10, 2011

25 Most Dangerous Software Errors

FWIW, these are the 25 most dangerous software errors according to the 2011 CWE/SANS Top 25, listed by rank, CWE identifier and the list's 0-100 threat score (the number is a score, not a percentage).
  1. 93.8 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  2. 83.3 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  3. 79.0 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  4. 77.7 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  5. 76.9 CWE-306: Missing Authentication for Critical Function
  6. 76.8 CWE-862: Missing Authorization
  7. 75.0 CWE-798: Use of Hard-coded Credentials
  8. 75.0 CWE-311: Missing Encryption of Sensitive Data
  9. 74.0 CWE-434: Unrestricted Upload of File with Dangerous Type
  10. 73.8 CWE-807: Reliance on Untrusted Inputs in a Security Decision
  11. 73.1 CWE-250: Execution with Unnecessary Privileges
  12. 70.1 CWE-352: Cross-Site Request Forgery (CSRF)
  13. 69.3 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  14. 68.5 CWE-494: Download of Code Without Integrity Check
  15. 67.8 CWE-863: Incorrect Authorization
  16. 66.0 CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  17. 65.5 CWE-732: Incorrect Permission Assignment for Critical Resource
  18. 64.6 CWE-676: Use of Potentially Dangerous Function
  19. 64.1 CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  20. 62.4 CWE-131: Incorrect Calculation of Buffer Size
  21. 61.5 CWE-307: Improper Restriction of Excessive Authentication Attempts
  22. 61.1 CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  23. 61.0 CWE-134: Uncontrolled Format String
  24. 60.3 CWE-190: Integer Overflow or Wraparound
  25. 59.9 CWE-759: Use of a One-Way Hash without a Salt
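As an added example (not part of the original post and not code from CWE/SANS), here is the #1 entry, SQL injection, as a minimal login check: the vulnerable query built by string formatting sits beside its parameterized fix, and both are run against the same tautology payload. The in-memory users table, the account `alice` and the password are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite users table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: the statement is assembled from attacker-controlled strings,
    so a quote in the input changes the SQL grammar, not just a value."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Fixed form: '?' placeholders are bound by the driver, so the input is
    only ever compared as data and cannot alter the statement structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Two classic payloads: a tautology in the password field and a comment
# in the username field that truncates the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def run_demo():
    """Returns {check: {payload_name: authenticated?}} for both implementations."""
    db = make_db()
    return {
        "vulnerable": {
            "tautology": login_vulnerable(db, "alice", TAUTOLOGY),
            "comment_out": login_vulnerable(db, COMMENT_OUT, "wrong"),
            "wrong_password": login_vulnerable(db, "alice", "wrong"),
        },
        "parameterized": {
            "tautology": login_parameterized(db, "alice", TAUTOLOGY),
            "comment_out": login_parameterized(db, COMMENT_OUT, "wrong"),
            "wrong_password": login_parameterized(db, "alice", "wrong"),
            "real_password": login_parameterized(db, "alice", "correct horse battery staple"),
        },
    }


if __name__ == "__main__":
    for impl, results in run_demo().items():
        for payload, ok in results.items():
            print("%-13s %-15s authenticated=%s" % (impl, payload, ok))
```

Note that the fix is not escaping or filtering quotes; it is keeping the statement text constant and passing every user-supplied value through the driver's bind parameters, which is what the CWE-89 mitigation guidance calls for.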

    1 comment:

    1. Here is a Google app that actually teaches XSS and SQL injection:

      https://google-gruyere.appspot.com/
