On Monday (6/27) the US Department of Homeland Security and Mitre Corp. published the latest version of the "25 Most Common Software Errors". The list is drawn from the Common Weakness Enumeration (CWE), which the organization maintains together with outside experts and academics: the entries were scored in practice at more than 20 organizations using the Common Weakness Scoring System (CWSS), and the top 25 were selected by score.

The Common Weakness Enumeration maintained by Mitre started (in 2008) with 734 entries and has since grown by 136. Singling out these 25 is mainly intended to stress the severity of their risk; they span insecure interaction between components, risky resource management, and weaknesses in defenses. Mitre hopes that government agencies and private enterprises will add the list to their review criteria when purchasing or building information systems, or use the scoring system to test a system's security.

This year's top-ranked risk is SQL Injection, up one place from last year. Second is allowing operating-system commands to be issued through a web interface; the other leading risks include buffer overflows, cross-site scripting (XSS), and missing authentication for critical functions.

Beyond listing the main system problems, the organization also offers guidance to programmers, project managers, testers, users and other stakeholders on how to keep systems from being exposed to these risks, from different perspectives and at different stages of development. (Compiled by 沈經)

Rank Name (description)
1 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5 Missing Authentication for Critical Function
6 Missing Authorization
7 Use of Hard-coded Credentials
8 Missing Encryption of Sensitive Data
9 Unrestricted Upload of File with Dangerous Type
10 Reliance on Untrusted Inputs in a Security Decision
11 Execution with Unnecessary Privileges
12 Cross-Site Request Forgery (CSRF)
13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14 Download of Code Without Integrity Check
15 Incorrect Authorization
16 Inclusion of Functionality from Untrusted Control Sphere
17 Incorrect Permission Assignment for Critical Resource
18 Use of Potentially Dangerous Function
19 Use of a Broken or Risky Cryptographic Algorithm
20 Incorrect Calculation of Buffer Size
21 Improper Restriction of Excessive Authentication Attempts
22 URL Redirection to Untrusted Site ('Open Redirect')
23 Uncontrolled Format String
24 Integer Overflow or Wraparound
25 Use of a One-Way Hash without a Salt
