[Owasp-ireland] "Dangerous coding errors revealed"

Eoin eoin.keary at owasp.org
Tue Jan 13 18:36:37 EST 2009


In addition to this discussion, just to highlight a new project called the
"OWASP Code Review Top 10".
It is more related to the source of vulnerabilities as opposed to the
vulnerabilities themselves (à la OWASP Top 10).

http://www.owasp.org/index.php/The_Owasp_Code_Review_Top_10_flaw_categories

A motto I have always had is "Security @ Source", which means the "makeup" of
the entity (software) must be stable and not have any "genetic defects"
(software flaws). Think Darwin in the software dev world. Weak software
gets compromised and infected due to inherent weakness in its conception.


Let's talk about this @ OWASP Ireland 2009 @ TCD Dublin on 28/8/2009!








2009/1/13 Brian Honan <brian.honan at bhconsulting.ie>

> Dave
>
> Interesting thoughts.
>
> My initial thinking when I saw the list was that this was a good move. In
> particular given the people involved and the organisations they represent,
> including OWASP.
>
> My main concern is that people responsible for developing, implementing and
> managing code need to be made aware of the issues. The problem though, as
> most of us know, is that the pressure is on developers to deliver apps to
> deadlines that in most cases do not provide enough time to ensure proper
> development practices have been followed, never mind secure coding
> practices.
>
> Therefore the more publicity and coverage any list can get has to be
> welcomed.
>
> Perhaps, following on from your thoughts, it might be worthwhile to have a
> matrix showing the commonalities across the three lists, which in turn would
> highlight differences?
>
> Just my 2c - As a disclaimer to the above I am on the Board of Editors for
> the SANS NewsBites newsletter so may have a bias in favour of the work they
> do.
>
> Regards
>
> Brian
>
> - -----Original Message-----
> From: owasp-ireland-bounces at lists.owasp.org
> [mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of davidrook
> Sent: Tuesday, January 13, 2009 2:41 PM
> To: owasp-ireland at lists.owasp.org
> Subject: [Owasp-ireland] "Dangerous coding errors revealed"
>
> Hi everyone,
>
> Sans today published its top 25 coding errors; the full list can
> be found here: http://news.bbc.co.uk/2/hi/technology/7824939.stm
>
> Perhaps my OWASP involvement means I'm biased, but do you feel that
> another list of software coding flaws is required? I quickly (so pick me
> up on errors!) marked the OWASP category I felt each Sans error falls
> under, and it did leave me to ask the question of why we need another
> list. We will now have 3 main lists (again, correct me if you feel I'm
> missing anything) from OWASP, White Hat Sec and Sans respectively, with
> each list's content different to the others.
>
> Does this give people guidance or does it bring confusion?
>
> My quick mapping between Sans and OWASP (A1 - 10 represent the OWASP top
> 10 http://www.owasp.org/index.php/Top_10_2007) :
>
> CWE-20:Improper Input Validation (A2)
> CWE-116:Improper Encoding or Escaping of Output (A6)
> CWE-89:Failure to Preserve SQL Query Structure (A2)
> CWE-79:Failure to Preserve Web Page Structure (?)
> CWE-78:Failure to Preserve OS Command Structure (A2)
> CWE-319:Cleartext Transmission of Sensitive Information (A9)
> CWE-352:Cross-Site Request Forgery (A5)
> CWE-362:Race Condition (?)
> CWE-209:Error Message Information Leak (A6)
> CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer (A2)
> CWE-642:External Control of Critical State Data (A7)
> CWE-73:External Control of File Name or Path (A4)
> CWE-426:Untrusted Search Path (A4)
> CWE-94:Failure to Control Generation of Code (A3?)
> CWE-494:Download of Code Without Integrity Check (A4?)
> CWE-404:Improper Resource Shutdown or Release (?)
> CWE-665:Improper Initialization (?)
> CWE-682:Incorrect Calculation (?)
> CWE-285:Improper Access Control (A7)
> CWE-327:Use of a Broken or Risky Cryptographic Algorithm (A8)
> CWE-259:Hard-Coded Password (A7/A8?)
> CWE-732:Insecure Permission Assignment for Critical Resource (A7)
> CWE-330:Use of Insufficiently Random Values (A7?)
> CWE-250:Execution with Unnecessary Privileges (A7)
> CWE-602:Client-Side Enforcement of Server-Side Security (Could lead to A1?)
>
> Let me know what you think, and of course correct me/add to this as you
> see fit.
>
> Thanks,
>
> Dave
>
> - --
> David Rook | david.rook at realexpayments.com
> Security Analyst
>
> Realex Payments
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>
>
>



-- 
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes