[Owasp-ireland] "Dangerous coding errors revealed"

Brian Honan brian.honan at bhconsulting.ie
Tue Jan 13 18:12:48 EST 2009

Interesting thoughts.   

My initial thinking when I saw the list was that this was a good move.  In
particular given the people involved and the organisations they represent,
including OWASP. 

My main concern is that people responsible for developing, implementing and
managing code need to be made aware of the issues.  The problem though, as
most of us know, is that the pressure is on developers to deliver apps to
deadlines that in most cases do not provide enough time to ensure proper
development practices have been followed, never mind secure coding practice.

Therefore the more publicity and coverage any list can get has to be

Perhaps, following on from your thoughts it might be worthwhile for a matrix
showing the commonalities across the three lists which in turn would
highlight differences?

Just my 2c - As a disclaimer to the above I am on the Board of Editors for
the SANS NewsBites newsletter so may have a bias in favour of the work they



-----Original Message-----
From: owasp-ireland-bounces at lists.owasp.org
[mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of davidrook
Sent: Tuesday, January 13, 2009 2:41 PM
To: owasp-ireland at lists.owasp.org
Subject: [Owasp-ireland] "Dangerous coding errors revealed"

Hi everyone,

Sans today published its top 25 coding errors; the full list can
be found here: http://news.bbc.co.uk/2/hi/technology/7824939.stm

Perhaps my OWASP involvement means I'm biased, but do you feel that
another list of software coding flaws is required? I quickly (so pick me
up on errors!) marked the OWASP category I felt each Sans error falls
under, and it did leave me to ask the question of why we need another
list. We will now have 3 main lists (again, correct me if you feel I'm missing
anything) from OWASP, White Hat Sec and Sans respectively, with each
list's content different to the others.

Does this give people guidance or does it bring confusion?

My quick mapping between Sans and OWASP (A1 - A10 represent the OWASP Top
10, http://www.owasp.org/index.php/Top_10_2007):

CWE-20:Improper Input Validation (A2)
CWE-116:Improper Encoding or Escaping of Output (A6)
CWE-89:Failure to Preserve SQL Query Structure (A2)
CWE-79:Failure to Preserve Web Page Structure (?)
CWE-78:Failure to Preserve OS Command Structure (A2)
CWE-319:Cleartext Transmission of Sensitive Information (A9)
CWE-352:Cross-Site Request Forgery (A5)
CWE-362:Race Condition (?)
CWE-209:Error Message Information Leak (A6)
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer (A2)
CWE-642:External Control of Critical State Data (A7)
CWE-73:External Control of File Name or Path (A4)
CWE-426:Untrusted Search Path (A4)
CWE-94:Failure to Control Generation of Code (A3?)
CWE-494:Download of Code Without Integrity Check (A4?)
CWE-404:Improper Resource Shutdown or Release (?)
CWE-665:Improper Initialization (?)
CWE-682:Incorrect Calculation (?)
CWE-285:Improper Access Control (A7)
CWE-327:Use of a Broken or Risky Cryptographic Algorithm (A8)
CWE-259:Hard-Coded Password (A7/A8?)
CWE-732:Insecure Permission Assignment for Critical Resource (A7)
CWE-330:Use of Insufficiently Random Values (A7?)
CWE-250:Execution with Unnecessary Privileges (A7)
CWE-602:Client-Side Enforcement of Server-Side Security (Could lead to A1?)

Let me know what you think, and of course correct me/add to this as you
see fit.



-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
