18 February 2010

Top 25 Most Dangerous Programming Errors 2010

Category: Offtopic, Work — Christian @ 22:41

By coincidence, two links landed in my hands within a short time of each other: the Top 25 programming errors and the Top 25 programmer excuses. It somehow seemed obvious to merge these two tables into a single one 😉

| Rank | Score | ID | Name | Excuse |
|---|---|---|---|---|
| 1 | 346 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Of course, I just have to do these small fixes. |
| 2 | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | It will be done in no time at all. |
| 3 | 273 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Didn't I fix it already? |
| 4 | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) | How is this possible? |
| 5 | 219 | CWE-285 | Improper Access Control (Authorization) | Well, the program needs some fixing. |
| 6 | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | It's already there, but it has not been tested. |
| 7 | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | I'm almost ready. |
| 8 | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type | The user has made an error again. |
| 9 | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | There is something wrong in your test data. |
| 10 | 188 | CWE-311 | Missing Encryption of Sensitive Data | Yes yes, it will be ready in time. |
| 11 | 176 | CWE-798 | Use of Hard-coded Credentials | You must have the wrong executable. |
| 12 | 158 | CWE-805 | Buffer Access with Incorrect Length Value | I can't test everything! |
| 13 | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | I have not touched that module! |
| 14 | 156 | CWE-129 | Improper Validation of Array Index | I've never heard about that. |
| 15 | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | It did work yesterday. |
| 16 | 154 | CWE-209 | Information Exposure Through an Error Message | Strange… |
| 17 | 154 | CWE-190 | Integer Overflow or Wraparound | The machine seems to be broken. |
| 18 | 153 | CWE-131 | Incorrect Calculation of Buffer Size | Somebody must have changed my code. |
| 19 | 147 | CWE-306 | Missing Authentication for Critical Function | It works, but it's not been tested. |
| 20 | 146 | CWE-494 | Download of Code Without Integrity Check | There must be a virus in the application software. |
| 21 | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Has the operating system been updated? |
| 22 | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling | Even though it does not work, how does it feel? |
| 23 | 142 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | THIS can't do THAT. |
| 24 | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Oh, it's just a feature. |
| 25 | 138 | CWE-362 | Race Condition | It's just some unlucky coincidence. |

And my prediction for 2010, 2011 and 2012: this will not get any better!