OWASP: Unterschied zwischen den Versionen
| Zeile 26: | Zeile 26: | ||
=25 SANS= | =25 SANS= | ||
| + | The initiative was initiated by the National Security Agency with financial support from the National Cyber Security Division of DHS. It was implemented by MITRE and SANS (SysAdmin, Audit, Network, Security). | ||
| + | |||
| + | According to the information submitted, the parties were able to reach agreement on the top 25 fairly quickly. The second step would be to teach programmers how to write code that is free of the programming errors of the top 25. | ||
| + | |||
| + | The long-term goal is, | ||
| + | *Offer software buyers safer software. For this certification mechanisms are in demand. | ||
| + | *To give programmers tools to check the security aspects of the developed software. To this end, various providers of test software have announced in parallel with the announcement that their software tests code for top 25 programming errors. | ||
| + | *Training providers and developers who train programmers to provide a foundation for training that helps avoid the top 25 bugs. | ||
| + | *Provide employers or contractors with the Top 25 list as an additional reference to help them review applicants' skills. | ||
| + | |||
| + | |||
{| border="1" style="border-collapse:collapse" | {| border="1" style="border-collapse:collapse" | ||
|- | |- | ||
Version vom 11. März 2019, 07:27 Uhr
A1:2017 Injection
Z.Bsp. SQL-, OS- oder LDAP-Injection.Treten auf bei Verarbeitung von nicht vertrauenswuerdigen Daten als Teil eines Kommandos oder einer Abfrage.
A2:2017 Fehler in der Authetifizierung
Fehlerhafte Implementierung von Funktionen bei der Authentifizierung bzw. beim Session-Management.
A3:2017 Verlust der Vetraulichkeit sensibler Daten
Unzureichender Schutz von sensiblen Daten durch die Anwendung.
A4:2017 XML External Entities
Externe Entitäten innerhalb von XML-Dokumenten können bei Verwendung von alten oder schlecht konfigurierten XML Prozessoren mißbraucht werden
(Offenlegung interner Dateien oder File-Shares, Port Scans, Remote-Code-Executions, Denial-of-Service Angriffe).
A5:2017 Fehler in der Zugriffskontrolle
Fehler bei der Umsetzung oder Durchsetzung der Zugriffskontrolle authorisierter Benutzer.
A6:2017 Sicherheitsrelevante Fehlkonfiguration
Fehlkonfigurationen von Sicherheitseinstellungen, unsichere Standardkonfigurationen, etc.
A7:2017 Cross-Site Scripting (XSS)
Bei Verarbeitung nicht vertrauenswürdiger Daten durch Webserver
(Auslesen von Cookie-Informationen, Ausführen von Script Code im Browser).
A8:2017 Unsichere Deserialisierung
Serialisierung ist die Abbildung von strukturierten Daten in sequentieller Darstellungsform.
Eine unzureichend geprüfte Deserialisierung kann zum Ausführen fremder Befehle ausgenutzt werden.
A9:2017 Nutzung von Komponenten mit bekannten Schwachstellen
Verwendung unsicherer Bibliotheken, Frameworks, etc.
A10:2017 Unzureichendes Logging und Monitoring
Kein Erkennen von Angriffen.
25 SANS
The initiative was initiated by the National Security Agency with financial support from the National Cyber Security Division of DHS. It was implemented by MITRE and SANS (SysAdmin, Audit, Network, Security).
According to the information submitted, the parties were able to reach agreement on the top 25 fairly quickly. The second step would be to teach programmers how to write code that is free of the programming errors of the top 25.
The long-term goal is,
- Offer software buyers safer software. For this certification mechanisms are in demand.
- To give programmers tools to check the security aspects of the developed software. To this end, various providers of test software have announced in parallel with the announcement that their software tests code for top 25 programming errors.
- Training providers and developers who train programmers to provide a foundation for training that helps avoid the top 25 bugs.
- Provide employers or contractors with the Top 25 list as an additional reference to help them review applicants' skills.
| Rank | ID | Name |
|---|---|---|
| [1] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| [2] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| [3] | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| [4] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| [5] | CWE-306 | Missing Authentication for Critical Function |
| [6] | CWE-862 | Missing Authorization |
| [7] | CWE-798 | Use of Hard-coded Credentials |
| [8] | CWE-311 | Missing Encryption of Sensitive Data |
| [9] | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| [10] | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| [11] | CWE-250 | Execution with Unnecessary Privileges |
| [12] | CWE-352 | Cross-Site Request Forgery (CSRF) |
| [13] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| [14] | CWE-494 | Download of Code Without Integrity Check |
| [15] | CWE-863 | Incorrect Authorization |
| [16] | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| [17] | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| [18] | CWE-676 | Use of Potentially Dangerous Function |
| [19] | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| [20] | CWE-131 | Incorrect Calculation of Buffer Size |
| [21] | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| [22] | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| [23] | CWE-134 | Uncontrolled Format String |
| [24] | CWE-190 | Integer Overflow or Wraparound |
| [25] | CWE-759 | Use of a One-Way Hash without a Salt |