De la mano de CWE y SANS, nos llega un amplio documento donde documentan, valga la redundancia, los 25 errores de programación más peligrosos del 2010. Dónde peligroso significa, errores ampliamente extendidos y fáciles de encontrar y explotar. La tabla de contenido del documento es la siguiente:
Guidance for Using the Top 25 Brief Listing of the Top 25 Category-Based View of the Top 25 Focus Profiles Organization of the Top 25 Detailed CWE Descriptions Monster Mitigations Appendix A: Selection Criteria and Supporting Fields Appendix B: What Changed in the 2010 Top 25 Appendix C: Construction, Selection, and Scoring of the Top 25 Appendix D: Comparison to OWASP Top Ten 2010 RC1 Appendix E: Other Resources for the Top 25 Changes to This Document El listado resumido de los 25 errores: Rank Score ID Name [1] 346 CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') [2] 330 CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') [3] 273 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [4] 261 CWE-352 Cross-Site Request Forgery (CSRF) [5] 219 CWE-285 Improper Access Control (Authorization) [6] 202 CWE-807 Reliance on Untrusted Inputs in a Security Decision [7] 197 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [8] 194 CWE-434 Unrestricted Upload of File with Dangerous Type [9] 188 CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') [10] 188 CWE-311 Missing Encryption of Sensitive Data [11] 176 CWE-798 Use of Hard-coded Credentials [12] 158 CWE-805 Buffer Access with Incorrect Length Value [13] 157 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [14] 156 CWE-129 Improper Validation of Array Index [15] 155 CWE-754 Improper Check for Unusual or Exceptional Conditions [16] 154 CWE-209 Information Exposure Through an Error Message [17] 154 CWE-190 Integer Overflow or Wraparound [18] 153 CWE-131 Incorrect Calculation of Buffer Size [19] 147 CWE-306 Missing Authentication for Critical Function [20] 146 CWE-494 Download of Code Without Integrity Check [21] 145 CWE-732 Incorrect Permission Assignment for Critical Resource [22] 145 CWE-770 Allocation of Resources Without Limits or Throttling [23] 142 CWE-601 URL Redirection to Untrusted Site ('Open Redirect') [24] 141 CWE-327 Use of a Broken or Risky Cryptographic Algorithm [25] 138 CWE-362 Race Condition Desde aquí puedes descargar el documento en formato PDF.
Leer más