CWE - 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

Brief Listing of the Top 25

This is a brief listing of the Top 25 items, using the general ranking.

NOTE: 16 other weaknesses were considered for inclusion in the Top 25, but their general scores were not high enough. They are listed in the On the Cusp focus profile.

Rank  Score  ID       Name
[1]   346    CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
[2]   330    CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
[3]   273    CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]   261    CWE-352  Cross-Site Request Forgery (CSRF)
[5]   219    CWE-285  Improper Access Control (Authorization)
[6]   202    CWE-807  Reliance on Untrusted Inputs in a Security Decision
[7]   197    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[8]   194    CWE-434  Unrestricted Upload of File with Dangerous Type
[9]   188    CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
[10]  188    CWE-311  Missing Encryption of Sensitive Data
[11]  176    CWE-798  Use of Hard-coded Credentials
[12]  158    CWE-805  Buffer Access with Incorrect Length Value
[13]  157    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
[14]  156    CWE-129  Improper Validation of Array Index
[15]  155    CWE-754  Improper Check for Unusual or Exceptional Conditions
[16]  154    CWE-209  Information Exposure Through an Error Message
[17]  154    CWE-190  Integer Overflow or Wraparound
[18]  153    CWE-131  Incorrect Calculation of Buffer Size
[19]  147    CWE-306  Missing Authentication for Critical Function
[20]  146    CWE-494  Download of Code Without Integrity Check
[21]  145    CWE-732  Incorrect Permission Assignment for Critical Resource
[22]  145    CWE-770  Allocation of Resources Without Limits or Throttling
[23]  142    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
[24]  141    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
[25]  138    CWE-362  Race Condition

Cross-site scripting and SQL injection are the 1-2 punch of security weaknesses in 2010. Even when a software package doesn't primarily run on the web, there's a good chance that it has a web-based management interface or HTML-based output formats that allow cross-site scripting. For data-rich software applications, SQL injection is the means to steal the keys to the kingdom. The classic buffer overflow comes in third, while more complex buffer overflow variants are sprinkled in the rest of the Top 25.
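Both of the top two entries share one root cause: untrusted text is spliced into a structured language (SQL, HTML) and the interpreter cannot tell the data from the syntax. The following Python script is an added illustration, not part of the CWE/SANS material or this post; it uses an in-memory SQLite table with constructed sample rows and shows the CWE-89 and CWE-79 patterns next to their fixes (placeholder binding and context-appropriate escaping). The function names, the sample rows and the probe inputs are all assumptions made for the example.

```python
import html
import sqlite3
from typing import List, Optional

# Constructed sample data for the example; not a real application's table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> Optional[List[str]]:
    """CWE-89 pattern: the caller's text becomes part of the SQL statement.

    A perfectly legitimate name containing a quote (o'brien) already changes the
    statement's structure; SQLite then rejects it as a syntax error.  Returns
    None in that case so the caller can see the input was parsed as code.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return None


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Fixed form: the driver binds `name` as a value, never as SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def render_unsafe(name: str) -> str:
    """CWE-79 pattern: untrusted text dropped straight into an HTML text node."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    """Fixed form: escape for the HTML text context before interpolating."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    for probe in ("alice", "o'brien"):
        print(probe, "unsafe:", lookup_unsafe(db, probe), "safe:", lookup_safe(db, probe))
    print(render_unsafe("<b>x</b>"))
    print(render_safe("<b>x</b>"))
```

The point of the apostrophe probe is that the fix is not a blocklist of "dangerous" characters: the unsafe query breaks on ordinary user data, and the bound query handles the same value correctly because the database never sees it as syntax. The same separation of data from markup is what `html.escape` buys on the output side.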

Watch out for these.

Filed under  //  errors   programming   top25  

Convert PDF files to text/HTML via email

Adobe PDF Conversion by Email Attachment
If the Adobe PDF file is on local media, such as a hard drive, CD-ROM, or internal server, it can be submitted as a MIME attachment to an e-mail message. All converted Adobe PDF documents will be sent back to the sender as MIME attachments. For plain text, mail the attached PDF to pdf2txt@adobe.com. For HTML, mail the attached PDF to pdf2html@adobe.com.

via http://www.adobe.com/products/acrobat/access_onlinetools.html

Filed under  //  adobe   conversion   pdf  

Sketchpad - Online Paint/Drawing application

Paint-like application made entirely in HTML5. Is the Flash era coming to an end?

Filed under  //  javascript    flash   html5  

First email from Nepal??

From: randy (Randy Bush)
To: Olivier Crepin-Leblond
Date: Tue, 28 Jun 94 02:51 PDT

Gossip from Frank Kroger: email in Nepal is at the Mercantile Office System, i.e. Mosnepal.

Kiran Gautam is the engineer type making it work kgautam@mosnepal.ernet.in

Deependra does customer service deep@mosnepal.ernet.in

Sanjib is the boss sanjib@mosnepal.ernet.in. He is also one of the driving forces behind the Nepal Computer Association. Mosnepal also runs a BBS in Kathmandu for the Association.

Source: http://www.nsrc.org/db/lookup/report.php?id=890202403162:497425571&fromISO=NP

Filed under  //  email   mercantile   mos   nepal  