- 浏览: 156911 次
文章分类
最新评论
-
飘零雪:
[b][/b][i][/i][u][/u]引用
自定义Mave archetype的创建 -
fujohnwang:
<div class="quote_title ...
基于iBatis的开源分布式数据访问层 -
gzenzen:
<pre name="code" c ...
基于iBatis的开源分布式数据访问层 -
fujohnwang:
bornwan 写道我就很想知道分布式数据源,水平切分之后排序 ...
基于iBatis的开源分布式数据访问层 -
fujohnwang:
gzenzen 写道什么时候支持mybatis3、spring ...
基于iBatis的开源分布式数据访问层
我只是专贴一下,出处可以参考http://cwe.mitre.org/top25/#Brief
希望大家在工作过程中都能够注意这些细节,质量体现于这些细节,打造高质量的软件产品,这些可是基石哦,呵呵
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site also contains data on more than 700 additional programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.
The main goal for the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list will be a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them to ask for more secure software. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
The Top 25 is organized into three high-level categories that contain multiple CWE entries.
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
- CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
- CWE-285: Improper Access Control (Authorization)
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security
发表评论
-
基于iBatis的开源分布式数据访问层
2011-03-28 11:46 5539http://code.alibabatech.com/wik ... -
分布式数据访问与同步场景浅析
2010-09-06 19:50 2241分布式数据访 ... -
Netty Framework Tips And Gotchas
2010-08-11 18:01 2666王福强(Darren.W ... -
有关Maven编译DeprecatedAPI失败的问题
2010-08-02 10:59 4473在项目代码里用了sun.misc.Signal ... -
Java Daemon Control
2010-07-27 17:50 2909Java Daemon Control ... -
Event Driven Style API Design Instead of Old Procedure Style Ones
2010-07-12 19:53 1475王福强(Darren.Wang) <f ... -
HA狭义与广义论
2010-07-09 09:25 1466Author: Darren Wang(fujohnwang) ... -
Why We Need A Global ID Generator?!
2010-05-18 13:01 1628Table of Contents 1. Pai ... -
Gotchas With JUnit's Execution Model
2010-03-26 09:22 1055Maybe you have known it before, ... -
Transaction Management Patterns In Brief
2010-02-09 10:27 1763There are several patte ... -
"扩展Spring的依赖注入行为"两例
2009-12-26 12:59 2732扩展Spring的依赖注入行为两例 ... -
框架API设计相关的碎言
2009-11-17 09:32 1614框架的API设计,应该是 ... -
自定义Mave archetype的创建
2009-10-29 20:12 12360Table of Contents ... -
看来有人已经有要抢先推出这个节目的意思了
2009-10-27 19:29 1019这篇blog对java, clojure和scala中的并发处 ... -
Roma Documentation Outline
2009-10-27 17:35 150Roma Docume ... -
Hot Stuff - Lombok
2009-10-22 19:46 1028give it a try, it's really cool ... -
ROMA框架潜在改进点思考(Thinking in ROMA improvements)
2009-10-21 19:53 1931. 关于ROMA现有表单 ... -
Valang Validator under the hood
2009-10-19 13:29 1659Table of Contents 1. Va ... -
ThreadSafety, Non-ThreadSafety 与 Stateless, Stateful有必然的对应关系吗?
2009-10-09 09:11 1862“It depends. ” 我们 ... -
A Big Piture On Concurrency
2009-09-12 09:49 12433- Concurrency Share (Concur ...
相关推荐
2009年,由SANS研究所、MITRE以及来自美国和欧洲的顶尖软件安全专家合作编制了一份名为“Top 25 Most Dangerous Programming Errors”的报告。该报告旨在通过教育程序员来预防这些错误,并帮助软件消费者了解如何...
【2011年CWE/SANS Top 25威胁翻译】文档主要聚焦于软件开发中最常见且最具破坏性的25个错误。这些错误可能导致严重的软件漏洞,使攻击者能够完全控制软件,窃取敏感数据,或者干扰软件的正常运行。这份列表旨在教育...
包括简介,危害,解决方法,不用怕被查,都是我自己从他们的网站自己翻译的
文档"CWE_SANS评出25种最危险的编程错误.doc"主要聚焦于软件开发中的常见且危险的安全问题。CWE(Common Weakness Enumeration)是由MITRE组织维护的一个公开的、标准化的安全弱点列表,它为软件开发人员和安全专业...
2. CWE/SANS Top 25 Issues:这些是Common Weakness Enumeration (CWE) 和 Sans Institute共同定义的25个最常见的软件弱点。报告中有5个这样的问题,这些都是可能导致安全漏洞的关键点。 3. CWE/SANS On the Cusp ...
- **安全编程指南**:遵循CWE/SANS Top 25漏洞列表避免常见编程错误。 - **代码审计技巧**:运用grep、sed、awk等工具辅助代码审查。 《Professional Linux Programming》这本书通过上述知识点为读者提供了一个全面...
在实施源代码审计时,通常参照OWASP TOP 10和CWE/SANS TOP 25等安全标准。服务遵循保密性和规范性原则,保护客户的源代码和技术文档不被泄露,同时确保服务过程和结果的合规性。 @Safetrust的源代码审计服务涵盖了...
CWE/SANS 前 25 名最危险的软件错误 但是等等,还有更多... ####AppSec 知识 - 了解漏洞#### 标题 关联 网络前 10 名 移动前 10 名 云前 10 名 主动控制前 10 名 备忘单 构建安全 Web 应用程序和 Web 服务...
2010年,CWE/SANS发布了一份榜单,列出了25个最危险的软件错误。这个榜单是基于广泛的共识和专家的经验,旨在帮助软件开发者、管理者、以及安全研究人员识别和避免那些可以导致严重软件脆弱性的常见编程错误。这些...
7. **合规性和标准**:可能会涉及行业标准和最佳实践,如OWASP Top 10、CWE/SANS Top 25等,以及如何符合ISO 27001等信息安全管理体系的要求。 8. **安全架构**:探讨如何设计和实施安全的系统架构,包括身份验证、...
这些工具通常使用预定义的规则库,称为安全编码标准,例如OWASP Top 10、CWE/SANS Top 25等。 服务技术方案通常包括以下几个关键组成部分: 1. **工具选择**:选择合适的源代码安全扫描工具至关重要。市场上有许多...
CWE(Common Weakness Enumeration)是一种标准化的努力,旨在为软件安全漏洞提供一个通用的、一致的语言,便于识别、分类和讨论这些弱点。CWE Version 4.12是2023年6月29日发布的最新版本,由美国国土安全部国家...
安装可通过Node.js工具执行如果您具有Node.js环境,则可以使用cwe-tool调用cwe-tool tool,如下所示: npx cwe-tool [...command-line options...]码头工人从Docker Hub提取图像docker pull lirantal/cwe-tooldocker...
不管是做网络安全产品研发,还是应用安全产品开发,经常需要整理OWASP TOP 10与CWE的映射关系,这个文件是OWASP TOP 2021与CWE的映射关系,花费很长时间梳理的这张映射表啊,而OWASP TOP10 从2021年发布中,开始包括...
在IT安全领域,CWE(Common Weakness Enumeration)是一个广泛使用的标准,用于识别、分类和记录软件中的常见编程错误和漏洞。这些弱点可能导致安全漏洞,让攻击者有机会利用。本项目的目标是生成CWE(Common ...
本次文档所涉及的“信息安全_数据安全_cwe_checker:Hunting Binary Code”介绍了利用cwe_checker工具在多种CPU架构上狩猎二进制代码中的漏洞,包含以下几个方面的主要知识点: 1. 安全可信与安全设计 安全可信强调...
**CWE Checker 研究与分析** CWE (Common Weakness Enumeration) Checker 是一个工具,专注于扫描二进制文件,以识别与CWE数据库中列出的已知软件弱点相关的问题。CWE是一个广泛认可的公开列表,包含了各种软件安全...
标题 "cwe900ssjb.zip" 暗示我们关注的是一个与网络安全相关的主题,特别是关于CWE-900(严重安全错误类别)的讨论。CWE(Common Weakness Enumeration)是一个广泛认可的漏洞分类系统,用于识别、记录和防止软件中...