The SANS Institute recently published its list of the 25 most dangerous errors in programming. The errors fall into three categories: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses. By and large, most of these are reflected or assumed in "Programming Secure Web Applications in Python". Some additions that are worth noting are:
- Use of a Broken or Risky Cryptographic Algorithm: Just because someone else relies on twenty-year-old cryptography does not mean that you should.
- Client-Side Enforcement of Server-Side Security: Expect someone either to try to disassemble your application or to create their own version, minus your security checks.
- Use of Insufficiently Random Values: Anything less than 256 bits for the seed of your pseudo-random number generator (PRNG) and you are treading on thin ice.
- Hard-Coded Password: Leaving real passwords in the code after testing it is an easy mistake to make. Far better is to start off coding toward remote acquisition of the password, either from a separate file or another network location. This gives you control over the login information even if the program itself is cracked open.
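The last two items above, as an added Python example that is not from the SANS list or the Python guide: a credential loader that fetches the password from the environment or from an owner-only file instead of the source, beside the hard-coded anti-pattern, plus a session-token generator that draws 256 bits from the OS CSPRNG. The function names, the `DEMO_*` variable names and the file contents are constructed for the example.

```python
import os
import secrets
import stat
from pathlib import Path

DB_PASSWORD = "hunter2"  # the anti-pattern: a constructed placeholder baked into the source

def load_secret(path: str, env_var: str) -> str:
    """Fetch a credential from outside the code: environment first, then a
    file only the process owner can read. Rotation never touches the program."""
    value = os.environ.get(env_var)
    if value:
        return value
    p = Path(path)
    if not p.is_file():
        raise RuntimeError(f"secret file {path} is missing")
    # A secret file readable by group/others is barely better than a hard-coded one.
    if p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        raise RuntimeError(f"secret file {path} is readable by others")
    value = p.read_text().strip()
    if not value:
        raise RuntimeError(f"secret file {path} is empty")
    return value

def new_session_token(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG (secrets), never the seedable random module."""
    if nbytes < 32:
        raise ValueError("session tokens need at least 256 bits of entropy")
    return secrets.token_hex(nbytes)

def selfcheck() -> dict:
    """Exercise both paths on constructed files in a temp dir; return the outcomes."""
    import tempfile
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "db_password"
        good.write_text("s3cr3t-from-file\n")
        good.chmod(0o600)                      # owner-only: accepted
        out["file"] = load_secret(str(good), "DEMO_UNSET_VAR")
        loose = Path(d) / "loose"
        loose.write_text("x")
        loose.chmod(0o644)                     # world-readable: rejected
        try:
            load_secret(str(loose), "DEMO_UNSET_VAR")
            out["loose"] = "accepted"
        except RuntimeError:
            out["loose"] = "rejected"
    os.environ["DEMO_DB_PASSWORD"] = "from-env"  # deployment-provided value wins
    out["env"] = load_secret("/nonexistent", "DEMO_DB_PASSWORD")
    out["token_len"] = len(new_session_token())   # 32 bytes -> 64 hex chars
    return out
```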
The entire 25 are worth reading. They are, however, a challenge to keep in mind while coding. For this reason, I default to a shortlist of the most salient ones. From XSS to avoiding injections to bad authentication, you can find the core web security issues in the programming guide to web application security.