I am only reposting this; the original can be found at http://cwe.mitre.org/top25/#Brief
I hope everyone keeps these details in mind in their day-to-day work. Quality shows in the details, and they are the cornerstones of building high-quality software products.
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and are easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site also contains data on more than 700 additional programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.
The main goal for the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list will be a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them to ask for more secure software. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
The Top 25 is organized into three high-level categories that contain multiple CWE entries.
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
- CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
- CWE-285: Improper Access Control (Authorization)
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security