January 13, 2003

Top 10 Vulnerabilities

Saw an interesting report out today on the top 10 vulnerabilities in Web applications. You can read more about it here. Brings up most of the points I have made with previous entries on security. As a refresher, you might recall:


  1. Never trust user input. Validate everything.
  2. Overflows suck. We have had the same stupid errors since the 1980s. When will we ever learn?
  3. Malicious code injection has to be avoided. In SQL this can be done with stored procedures. When spawning an exec() or system() type call, ensure the environment is safe and the command is properly filtered and formatted. Rule 1 is required as part of this rule.
  4. Trap all error handling. Hell... almost every function has a return code. Check the damn thing!
  5. Great programmer != great cryptographer. Need I say more?
  6. Access control is only as good as the administrator that set it up. You have to know how to configure and run the system in question.
  7. Security testing needs to be part of the test plan. I once heard an interesting comment on this. If the words "buffer overflow test" are not part of your test plan... you need a new test plan. And I agree with that.
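Rules 1, 3 and 4 fit together in one small routine. The following is an added example, not code from the original post: the function names `valid_name` and `run_tool` are hypothetical, `/bin/echo` stands in for whatever helper an application would run, and the input strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Rule 1: allowlist validation. Accept only short names made of
 * [A-Za-z0-9._-]; refuse a leading '-' so input cannot become an option. */
int valid_name(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr("._-", s[i]) == NULL)
            return 0;
    return 1;
}

/* Rules 3 and 4: run a fixed program by absolute path, with no shell and a
 * fixed environment, and check every return code on the way.
 * Returns the child's exit status (0-255), or -1 on rejection or failure. */
int run_tool(const char *name)
{
    /* Assumption: /bin/echo is a placeholder for the real helper program. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    char *argv[] = { "echo", (char *)name, NULL };
    pid_t pid;
    int status;

    if (!valid_name(name)) return -1;       /* never reaches exec */
    pid = fork();
    if (pid < 0) { perror("fork"); return -1; }
    if (pid == 0) {
        execve("/bin/echo", argv, envp);    /* returns only on failure */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return -1; }
    if (!WIFEXITED(status)) return -1;      /* child was killed by a signal */
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("clean input -> %d\n", run_tool("report.txt"));
    printf("hostile input -> %d\n", run_tool("x; id"));   /* constructed */
    return 0;
}
```

Because the argument is passed as a single argv entry and no shell is involved, the `;` in the constructed hostile input would not be interpreted even if validation were skipped; the allowlist is the second layer.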

What is funny is that none of these vulnerabilities are new. These are all conditions of development that have been issues for generations. The speed of development causes the quality of software, in relation to security, to suffer. It is not acceptable, and we should all learn from this. So start today. Spend one hour and refactor a core piece of your code base. Even that little step can go a long way to building more reliable and secure systems.

Posted by SilverStr at January 13, 2003 07:34 PM