OWASP - User contributions [en]

User talk:Rba

2009-04-30T17:51:12Z

Rba:

== Starting Out ==

I have created my page and made my first contribution - an update to the [[Source Code Flaws Top 10 Project]]!

User:Rba

2009-04-30T17:50:48Z

Rba:

I'm Brad Andrews, a creative thinker who is interested in far too many things. My background is in computer science and software development, but I came over to the information security area several years ago. My software development background and focus on information security makes me very interested in the work of OWASP and a good fit for the work here.

I currently work at a large company on a team focused on security and compliance.

I blog my security thoughts at [http://bradonsecurity.blogspot.com Brad on Security]

User talk:Rba

2009-04-30T17:50:26Z

Rba: Getting in the Pool

== Starting Out ==

I have created my page and made my first contribution (an update to the [[Source Code Flaws Top 10 Project]]!

User:Rba

2009-04-30T17:49:01Z

Rba: Details About Brad Andrews

I'm Brad Andrews, a creative thinker who is interested in far too many things. My background is in computer science and software development, but I came over to the information security area several years ago. My software development background and focus on information security makes me very interested in the work of OWASP and a good fit for the work here.

I currently work at a large company on a team focused on security and compliance.

I blog my security thoughts at [[http://bradonsecurity.blogspot.com Brad on Security]]

User talk:Rba

2009-04-30T17:48:08Z

Rba: Details About Brad Andrews

I'm Brad Andrews, a creative thinker who is interested in far too many things. My background is in computer science and software development, but I came over to the information security area several years ago. My software development background and focus on information security makes me very interested in the work of OWASP and a good fit for the work here.

I currently work at a large company on a team focused on security and compliance.

I blog my security thoughts at [[http://bradonsecurity.blogspot.com Brad on Security]]

Talk:OWASP Source Code Flaws Top 10 Project Index

2009-04-30T17:11:36Z

Rba: New page: == Rewrote the Language == I rewrote some of the language in the descriptions. This makes it sound better to me at least and it should get the point across better.

== Rewrote the Language ==

I rewrote some of the language in the descriptions. This makes it sound better to me at least and it should get the point across better.

Project Information:template Source Code Flaws Top 10 Project

2009-04-30T17:04:09Z

Rba:

{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Source Code Flaws Top 10 Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
This project is about giving a taxonomy to describe the categories of the most dangerous security flaws you can find during a code review. For dynamic code review (web based application ethical hacking) the original Owasp Top 10 is the must have over each desk, in order to manage all the findings during the reporting phase. With the Source code flaws Top 10, you will have the same document but focused to source code.

I started from venerable Gary McGraw work about the "seven kingdoms" trying to extend it to match the Top 10 schema and to include some ideas that came out to me during code reviews or static analysis.

This project delivery will be a document very similar as outline to Owasp Top 10 most critical vulnerabilities in web applications. This taxonomy will be used in official Owasp Guide for static analysis, the Code review guide leaded by Eoin Keary and it will be used as cookbook list for Owasp Orizon static analysis engine default library.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
| style="width:12%; background:#cccccc" align="center"|Licensed under [http://creativecommons.org/licenses/by-sa/3.0/:Creative Commons Attribution ShareAlike 3.0 license]
| style="width:12%; background:#cccccc" align="center"|Project Leader [[User:Thesp0nge|'''Paolo Perego''']]
| style="width:12%; background:#cccccc" align="center"|Project Contributors [[User:Rba|'''Brad Andrews''']]
| style="width:12%; background:#cccccc" align="center"|Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-source-code-flaws-top-10 '''Subscribe here'''] [mailto:owasp-source-code-flaws-top-10(at)lists.owasp.org '''Use here''']
| style="width:12%; background:#cccccc" align="center"|First Reviewer [[User:name|'''Name''']]
| style="width:12%; background:#cccccc" align="center"|Second Reviewer [[User:name|'''Name''']]
| style="width:12%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [[User:name|'''Name''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:OWASP Source Code Flaws Top 10 Project Index|'''Source Code Flaws Top 10 Index''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] 
* [[:Category:OWASP Code Review_Project|OWASP Code Review Project]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|No sponsors yet, drop [mailto:thesp0nge@owasp.org|'''me'''] a line if you want to be the first
| style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Source Code Flaws Top 10 Project Roadmap|'''Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''First Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Source Code Flaws Top 10 Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Source Code Flaws Top 10 Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Source Code Flaws Top 10 Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Source Code Flaws Top 10 Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
|-
|}

OWASP Source Code Flaws Top 10 Project Index

2009-04-30T16:45:46Z

Rba: /* The OWASP Source Code Flaws Top 10 */

= The OWASP Source Code Flaws Top 10 =

{| border='1' cellpadding='2'
|-
|[[Source_Code_Flaws_Top_10_2009-C1|C1 - Design Weakness]]
|A design weakness occurs when the logic used to create the application did not addressed a threat modeling activity so it may be easy for an attacker to subvert your application behavior. Design also covers an objects scope and visibility, so extra care must be taken to limit what your program expose to others.
|-

|[[Source_Code_Flaws_Top_10_2009-C2|C2 - Architectural Weakness]]
|Your application depends on many auxiliary system when it runs. It does not stand on its own. An architectural weakness occurs when your code interacts in a unsafe way with auxiliary systems.
|-

|[[Source_Code_Flaws_Top_10_2009-C3|C3 - Missing input validation]]
|Any input to a program must be processed through filtering and validation functions to ensure that is what is expected and to reduce the risk of malicious data. Using incoming data that is not sanitized can lead to very dangerous runtime vulnerabilities such as cross Site scripting, injection flaws, and others.
|-

|[[Source_Code_Flaws_Top_10_2009-C4|C4 - Insecure communications]]
|Web applications use the TCP/IP stack to communicate to the world. An insecure communication vulnerability in the source code concerns how the operating system provided abstraction layer (sockets, ...) and communication layer provided by the framework (java sockets, ...) are used. This covers more than just checking about SSL usage, it is concerned with how the communication code is written.
|-

|[[Source_Code_Flaws_Top_10_2009-C5|C5 - Information leakage and improper error handling]]
|This is the same as the one listed in the original Top 10, just from a source code point of view. Missing exception handling or a too verbose logging string, for example, would be included in this flaw category.
|-

|[[Source_Code_Flaws_Top_10_2009-C6|C6 - Direct object reference]]
| This is the same as the one listed in the original Top 10, just from a source code point of view.
|-

|[[Source_Code_Flaws_Top_10_2009-C7|C7 - Misuse of local resources]]
|Operating system resources like memory, disk space and CPU time can often seem unlimited, but they are not. A program should effectively manage these resources. Poorly designed local resource utilization, can cause an application to have poor response time. It can also make it vulnerable to a denial of service by an attacker that causes the program to consume one or more type of these resources.
|-

|[[Source_Code_Flaws_Top_10_2009-C8|C8 - Usage of potentially dangerous APIs]]
|Frameworks and libraries evolve to solve security issues. Often they leave backward compatibility routines to give developers time to change their code. Developers frequently forget to transition their code to the new interface, leaving calls to the potentially dangerous APIs even if they have been deprecated. All such potentially dangerous routine calls fit this category.
|-

|[[Source_Code_Flaws_Top_10_2009-C9|C9 - Documentation weakness]]
|Source code must be well documented to make it maintainable. Poor comments can make code hard to understand in the future, even after a short time. It is easy to introduce security flaws or other bugs if the logic is not clear or even misunderstood. Comments in the code must document anything needed to fully understand how the code works.
|-

|[[Source_Code_Flaws_Top_10_2009-C10|C10 - Best practices violation]]
|This category includes all generic best practices in source code development that are violated by the code. Anything missing from the previous categories would be covered by this category.
|}
'''<center>Table 1: Top 10 Source code flaws for 2009</center>'''

OWASP Source Code Flaws Top 10 Project Index

2009-04-30T16:45:12Z

Rba: /* The OWASP Source Code Flaws Top 10 */

= The OWASP Source Code Flaws Top 10 =

{| border='1' cellpadding='2'
|-
|[[Source_Code_Flaws_Top_10_2009-C1|C1 - Design Weakness]]
|A design weakness occurs when the logic used to create the application did not addressed a threat modeling activity so it may be easy for an attacker to subvert your application behavior. Design also covers an objects scope and visibility, so extra care must be taken to limit what your program expose to others.
|-

|[[Source_Code_Flaws_Top_10_2009-C2|C2 - Architectural Weakness]]
|Your application depends on many auxiliary system when it runs. It does not stand on its own. An architectural weakness occurs when your code interacts in a unsafe way with auxiliary systems.
|-

|[[Source_Code_Flaws_Top_10_2009-C3|C3 - Missing input validation]]
|Any input to a program must be processed through filtering and validation functions to ensure that is what is expected and to reduce the risk of malicious data. Using incoming data that is not sanitized can lead to very dangerous runtime vulnerabilities such as cross Site scripting, injection flaws, and others.
|-

|[[Source_Code_Flaws_Top_10_2009-C4|C4 - Insecure communications]]
|Web applications use the TCP/IP stack to communicate to the world. An insecure communication vulnerability in the source code concerns how the operating system provided abstraction layer (sockets, ...) and communication layer provided by the framework (java sockets, ...) are used. This covers more than just checking about SSL usage, it is concerned with how the communication code is written.
|-

|[[Source_Code_Flaws_Top_10_2009-C5|C5 - Information leakage and improper error handling]]
|This is the same as the one listed in the original Top 10, just from a source code point of view. Missing exception handling or a too verbose logging string, for example, would be included in this flaw category.
|-

|[[Source_Code_Flaws_Top_10_2009-C6|C6 - Direct object reference]]
| This is the same as the one listed in the original Top 10, just from a source code point of view.
|-

|[[Source_Code_Flaws_Top_10_2009-C7|C7 - Misuse of local resources]]
|Operating system resources like memory, disk space and CPU time can often seem unlimited, but they are not. A program should effectively manage these resources. Poorly designed local resource utilization, can cause an application to have poor response time. It can also make it vulnerable to a denial of service by an attacker that causes the program to consume one or more type of these resources.
|-

|[[Source_Code_Flaws_Top_10_2009-C8|C8 - Usage of potentially dangerous APIs]]
|Frameworks and libraries evolve to solve security issues. Often they leave backward compatibility routines to give developers time to change their code. Developers frequently forget to transition their code to the new interface, leaving calls to the potentially dangerous APIs even if they have been deprecated. All such potentially dangerous routine calls fit this category.
|-

|[[Source_Code_Flaws_Top_10_2009-C9|C9 - Documentation weakness]]
|Source code must be well documented to make it maintainable. Poor comments can make code hard to understand in the future, even after a short time. It is easy to introduce security flaws or other bugs if the logic is not clear or even misunderstood. Comments in the code must document anything needed to fully understand how the code works.
|-

|[[Source_Code_Flaws_Top_10_2009-C10|C10 - Best practices violation]]
|This category includes all generic best practices in source code development that are violated by the code. Anything missing from the previous categories would fall in this category.
|}
'''<center>Table 1: Top 10 Source code flaws for 2009</center>'''