[Owasp-ireland] "Dangerous coding errors revealed"

davidrook david.rook at realexpayments.com
Wed Jan 14 04:01:10 EST 2009


Hi Brian,

I completely agree with what you have said. The more information we can
get in front of developers with regards to application security the
better; my only concern would be getting to a point where we are
providing so much information that it becomes a bit confusing for people as to
which one to follow (one, some, all of them, etc.).

I think a similar issue was discussed at the OWASP Eu Summit with
reference to the top ten and the White Hat Sec list.

I like the idea of the matrix, leave it with me and I will make one
available before the end of this week.

Thanks,

Dave

Brian Honan wrote:
> Dave
>
> Interesting thoughts.   
>
> My initial thinking when I saw the list was that this was a good move.  In
> particular given the people involved and the organisations they represent,
> including OWASP.
>
> My main concern is that people responsible for developing, implementing and
> managing code need to be made aware of the issues.  The problem though, as
> most of us know, is that the pressure is on developers to deliver apps to
> deadlines that in most cases do not provide enough time to ensure proper
> development practices have been followed, never mind secure coding
> practice.
>
> Therefore the more publicity and coverage any list can get has to be
> welcomed.
>
> Perhaps, following on from your thoughts, it might be worthwhile for a matrix
> showing the commonalities across the three lists, which in turn would
> highlight differences?
>
> Just my 2c - As a disclaimer to the above, I am on the Board of Editors for
> the SANS NewsBites newsletter so may have a bias in favour of the work they
> do.
>
> Regards
>
> Brian
>
> -----Original Message-----
> From: owasp-ireland-bounces at lists.owasp.org
> [mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of davidrook
> Sent: Tuesday, January 13, 2009 2:41 PM
> To: owasp-ireland at lists.owasp.org
> Subject: [Owasp-ireland] "Dangerous coding errors revealed"
>
> Hi everyone,
>
> SANS today published its top 25 coding errors; the full list can
> be found here: http://news.bbc.co.uk/2/hi/technology/7824939.stm
>
> Perhaps my OWASP involvement means I'm biased, but do you feel that
> another list of software coding flaws is required? I quickly (so pick me
> up on errors!) marked the OWASP category I felt each SANS error falls
> under, and it did leave me to ask the question of why we need another
> list. We will now have 3 main lists (again, correct me if you feel I'm missing
> anything) from OWASP, White Hat Sec and SANS respectively, with each
> list's content different to the others.
>
> Does this give people guidance or does it bring confusion?
>
> My quick mapping between SANS and OWASP (A1 - A10 represent the OWASP Top
> 10, http://www.owasp.org/index.php/Top_10_2007):
>
> CWE-20:Improper Input Validation (A2)
> CWE-116:Improper Encoding or Escaping of Output (A6)
> CWE-89:Failure to Preserve SQL Query Structure (A2)
> CWE-79:Failure to Preserve Web Page Structure (?)
> CWE-78:Failure to Preserve OS Command Structure (A2)
> CWE-319:Cleartext Transmission of Sensitive Information (A9)
> CWE-352:Cross-Site Request Forgery (A5)
> CWE-362:Race Condition (?)
> CWE-209:Error Message Information Leak (A6)
> CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer (A2)
> CWE-642:External Control of Critical State Data (A7)
> CWE-73:External Control of File Name or Path (A4)
> CWE-426:Untrusted Search Path (A4)
> CWE-94:Failure to Control Generation of Code (A3?)
> CWE-494:Download of Code Without Integrity Check (A4?)
> CWE-404:Improper Resource Shutdown or Release (?)
> CWE-665:Improper Initialization (?)
> CWE-682:Incorrect Calculation (?)
> CWE-285:Improper Access Control (A7)
> CWE-327:Use of a Broken or Risky Cryptographic Algorithm (A8)
> CWE-259:Hard-Coded Password (A7/A8?)
> CWE-732:Insecure Permission Assignment for Critical Resource (A7)
> CWE-330:Use of Insufficiently Random Values (A7?)
> CWE-250:Execution with Unnecessary Privileges (A7)
> CWE-602:Client-Side Enforcement of Server-Side Security (Could lead to A1?)
>
> Let me know what you think, and of course correct me/add to this as you
> see fit.
>
> Thanks,
>
> Dave
>

-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.
