From the article:
Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.
The report looks to be quite thorough and covers the vulnerabilities in great depth. It also discusses prevention and mitigation techniques. I am very excited to dig into the report and learn more.
Some of the Top 25 include:
Our old favorites:
- Improper Input Validation
- Improper Encoding or Escaping of Output
- Failure to Preserve SQL Query Structure
- Cross-Site Request Forgery (CSRF)
- Error Message Information Leak
And some I have not previously considered:
- Download of Code Without Integrity Check
- Use of a Broken or Risky Cryptographic Algorithm
- Use of Insufficiently Random Values
- Failure to Preserve OS Command Structure