2010 CWE/SANS Top 25 Most Dangerous Programming Errors

The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A PDF version is also available.

Here are the 25 items:

  1. Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
  2. Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
  3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  4. Cross-Site Request Forgery (CSRF)
  5. Improper Access Control (Authorization)
  6. Reliance on Untrusted Inputs in a Security Decision
  7. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  8. Unrestricted Upload of File with Dangerous Type
  9. Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
  10. Missing Encryption of Sensitive Data
  11. Use of Hard-coded Credentials
  12. Buffer Access with Incorrect Length Value
  13. Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
  14. Improper Validation of Array Index
  15. Improper Check for Unusual or Exceptional Conditions
  16. Information Exposure Through an Error Message
  17. Integer Overflow or Wraparound
  18. Incorrect Calculation of Buffer Size
  19. Missing Authentication for Critical Function
  20. Download of Code Without Integrity Check
  21. Incorrect Permission Assignment for Critical Resource
  22. Allocation of Resources Without Limits or Throttling
  23. URL Redirection to Untrusted Site (‘Open Redirect’)
  24. Use of a Broken or Risky Cryptographic Algorithm
  25. Race Condition


2010 PNSQC Call for Papers

It is that time of year again. My favorite conference, the Pacific Northwest Software Quality Conference (PNSQC), has opened its call for papers. This year's theme is "Achieving Quality in a Complex Environment". A new twist is that there are two calls – one for traditional papers and one for poster papers. The conference will be held October 18-20, 2010.

Look at the Call for Abstracts page for full details.


January 2010 mensming Twitter Posts

1:52 PM Jan 30th, 2010
Conenza is looking for an SDET – http://conenza.com/index.php?option=com_content&task=view&id=81&Itemid=26

8:56 PM Jan 29th, 2010
James Bach's "Logging: Exploratory Tester's Friend" – http://www.satisfice.com/blog/archives/401

5:32 PM Jan 28th, 2010
Brett Kelly’s "How to Make Today a 25-Hour Day" – http://brettkelly.org/2010/01/20/how-to-make-today-a-25-hour-day/

6:54 AM Jan 28th, 2010
"The Real Reason Outsourcing Continues To Fail" – http://www.lessonsoffailure.com/developers/real-reason-outsourcing-fails/

7:12 PM Jan 27th, 2010
Reading Joel Spolsky’s "Why testers?" – http://www.joelonsoftware.com/items/2010/01/26.html

6:03 PM Jan 27th, 2010
"Only worry once" – Phil Kaplin quoting his father on This Week in Startups #twist

10:34 AM Jan 24th, 2010
January Software Test & Performance magazine available for download (free membership required) – http://www.stpcollaborative.com/magazine

2:51 PM Jan 22nd, 2010
RT @Hexawise "Quality means that the customer keeps coming back, not the product." – Navaraj Javvaji #softwaretesting #quality

8:23 PM Jan 21st, 2010
RT @Conenza: A Conenza-hosted corporate alumni community delivers lasting financial and business benefits. http://tinyurl.com/ydcp7x4

9:39 AM Jan 18th, 2010
Five success factors for branded online communities: http://econsultancy.com/blog/5227-five-success-factors-for-branded-online-communities

5:21 PM Jan 17th, 2010
Brent Strange’s "Tips for Automation Success: Toot Your Horn" – http://bit.ly/6PSnR4

10:58 PM Jan 16th, 2010
"Quantity is rarely an indicator of quality; if it were, spammers would be the definition of email quality" – Jono Bacon

7:06 PM Jan 16th, 2010
Ops Folks – "You will lose power, so be prepared." – http://bit.ly/3o5tiP

7:55 PM Jan 11th, 2010
Programming competition based on the ACM International Collegiate Programming Competition (ICPC) available to all – http://bit.ly/6yPaYq

7:53 PM Jan 8th, 2010
Two VCs predict my old company Varolii will IPO in 2010: http://bit.ly/8eHP4J

8:46 PM Jan 5th, 2010
How to do a slideshow in XHTML: http://www.w3.org/2005/03/slideshow.html

7:20 AM Jan 4th, 2010
Why fresh eyes are important in testing: http://bit.ly/kELup – search for "The Risks of Autopilot"

4:46 PM Jan 3rd, 2010
The Y2K10 bug – Australian bank date jumps to 2016. From the Sydney Morning Herald. http://bit.ly/5aezgd

7:26 PM Jan 1st, 2010
It’s twenty-ten – not two thousand and ten. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/01/01/MN621BB41U.DTL