Mir sind zufällig zwei Links sehr zeitnah in die Hände gefallen: die Top 25 Programmierfehler und die Top 25 Ausreden der Programmierer. Da lag es irgendwie nahe, aus diesen beiden Tabellen eine gemeinsame zu machen 😉
| Rank | Score | ID | Name | Excuse |
|---|---|---|---|---|
| [1] | 346 | CWE-79 | Failure to Preserve Web Page Structure (‚Cross-site Scripting‘) | Of course, I just have to do these small fixes. |
| [2] | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command (‚SQL Injection‘) | It will be done in no time at all. |
| [3] | 273 | CWE-120 | Buffer Copy without Checking Size of Input (‚Classic Buffer Overflow‘) | Didn’t I fix it already? |
| [4] | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) | How is this possible? |
| [5] | 219 | CWE-285 | Improper Access Control (Authorization) | Well, the program needs some fixing. |
| [6] | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | It’s already there, but it has not been tested. |
| [7] | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‚Path Traversal‘) | I’m almost ready. |
| [8] | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type | The user has made an error again. |
| [9] | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command (‚OS Command Injection‘) | There is something wrong in your test data. |
| [10] | 188 | CWE-311 | Missing Encryption of Sensitive Data | Yes yes, it will be ready in time. |
| [11] | 176 | CWE-798 | Use of Hard-coded Credentials | You must have the wrong executable. |
| [12] | 158 | CWE-805 | Buffer Access with Incorrect Length Value | I can’t test everything! |
| [13] | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program (‚PHP File Inclusion‘) | I have not touched that module! |
| [14] | 156 | CWE-129 | Improper Validation of Array Index | I’ve never heard about that. |
| [15] | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | It did work yesterday. |
| [16] | 154 | CWE-209 | Information Exposure Through an Error Message | Strange… |
| [17] | 154 | CWE-190 | Integer Overflow or Wraparound | The machine seems to be broken. |
| [18] | 153 | CWE-131 | Incorrect Calculation of Buffer Size | Somebody must have changed my code. |
| [19] | 147 | CWE-306 | Missing Authentication for Critical Function | It works, but it’s not been tested. |
| [20] | 146 | CWE-494 | Download of Code Without Integrity Check | There must be a virus in the application software. |
| [21] | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Has the operating system been updated? |
| [22] | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling | Even though it does not work, how does it feel? |
| [23] | 142 | CWE-601 | URL Redirection to Untrusted Site (‚Open Redirect‘) | THIS can’t do THAT. |
| [24] | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Oh, it’s just a feature. |
| [25] | 138 | CWE-362 | Race Condition | It’s just some unlucky coincidense. |
Und meine Vorhersage für 2010, 2011 und 2012: das wird sich nicht bessern!
Kommentare gesperrt wegen Spam
Comment by Christian — 1. März 2010 @ 21:52