Security - Baseline

Home

Security

25 Most Dangerous Programming Errors

By Edward Cone on 2010-02-24

The 2010 CWE/SANS list of most-dangerous programming errors ranks "widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all." See also: How to Stop SQL Injections.

1. Failure to Preserve Web Page Structure ('Cross-site Scripting')

25 Most Dangerous Programming Errors - Security

2. Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')

3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

4. Cross-Site Request Forgery (CSRF)

5. Improper Access Control (Authorization)

6. Reliance on Untrusted Inputs in a Security Decision

7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8. Unrestricted Upload of File with Dangerous Type

9. Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')

10. Missing Encryption of Sensitive Data

11. Use of Hard-coded Credentials

12. Buffer Access with Incorrect Length Value

13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

14. Improper Validation of Array Index

15. Improper Check for Unusual or Exceptional Conditions

16. Information Exposure Through an Error Message

17. Integer Overflow or Wraparound

18. Incorrect Calculation of Buffer Size

19. Missing Authentication for Critical Function

20. Download of Code Without Integrity Check

21. Incorrect Permission Assignment for Critical Resource

22. Allocation of Resources Without Limits or Throttling

23. URL Redirection to Untrusted Site ('Open Redirect')

24. Use of a Broken or Risky Cryptographic Algorithm

25. Race Condition

Recent Slideshows

See All Slideshows

	LATEST STORIES
	- Five Ways to Put Mobile Technology to Work - Ten iPhone Apps that Will Save You Money - Mobility Transforms the Customer Relationshi... - BPM Keeps Pace With Business Changes - Speech Recognition Speaks To Businesses

Baseline Newsletters

FEATURED SPONSORED ARTICLES

Erasable E-Paper Saves Trees, Cuts Costs

Why Smart Companies Should Adopt the Lessons of Gaming

Interest in Mobile WiFi Hotspots Fuels New Solutions

A Closer Look at Public Cloud Security

View More Articles

Brought to You By

FEATURED SPONSORED VIDEOS

Security and Availability Essentials for Running Your Business in the Cloud

Cyber Security Trends and Challenges for 2012

IPv6 Integration and Migration

View More Videos

Brought to You By


		Get up and running in as quickly as 30 days with BI. Learn how today. FREE Securing Smartphones & Tablets for Dummies Book from Sophos 5 New Technologies That Will Change Enterprise IT Build an IT Infrastructure That Delivers the Future

Baseline:	Issue Index \| Contact Us \| About \| Magazine Customer Service \| Navigation Guide
Quick Links:	Project Planners \| Enterprise Resource Planning \| Network and Online Security \| Data Analysis \| Process Management \| Storage Devices\| Link to Us

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| TechDirect \| Technology White Papers \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.

Baseline:	Issue Index \| Contact Us \| About \| Magazine Customer Service \| Navigation Guide
Quick Links:	Project Planners \| Enterprise Resource Planning \| Network and Online Security \| Data Analysis \| Process Management \| Storage Devices\| Link to Us

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| TechDirect \| Technology White Papers \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.