Bad software keeps cyber security companies in business
Despite countless frameworks, best practices, blog posts… so many developers still hardcode credentials into their code.
| CWE ID | Name | Count |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 6006 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2644 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 1615 |
| CWE-787 | Out-of-bounds Write | 1491 |
| CWE-862 | Missing Authorization | 1091 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1028 |
| CWE-416 | Use After Free | 1013 |
| CWE-125 | Out-of-bounds Read | 902 |
| CWE-121 | Stack-based Buffer Overflow | 857 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 845 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 775 |
| CWE-20 | Improper Input Validation | 768 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 719 |
| CWE-284 | Improper Access Control | 660 |
| CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | 615 |
| CWE-476 | NULL Pointer Dereference | 584 |
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 569 |
| CWE-269 | Improper Privilege Management | 499 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 494 |
| CWE-400 | Uncontrolled Resource Consumption | 441 |
| CWE-122 | Heap-based Buffer Overflow | 426 |
| CWE-918 | Server-Side Request Forgery (SSRF) | 408 |
| CWE-287 | Improper Authentication | 405 |
| CWE-502 | Deserialization of Untrusted Data | 384 |
| CWE-190 | Integer Overflow or Wraparound | 312 |
| CWE-863 | Incorrect Authorization | 297 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 283 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 250 |
| CWE-532 | Insertion of Sensitive Information into Log File | 247 |
| CWE-798 | Use of Hard-coded Credentials | 213 |
| CWE-306 | Missing Authentication for Critical Function | 208 |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) | 205 |
| CWE-427 | Uncontrolled Search Path Element | 198 |
| CWE-770 | Allocation of Resources Without Limits or Throttling | 184 |
| CWE-276 | Incorrect Default Permissions | 174 |
| CWE-401 | Missing Release of Memory after Effective Lifetime | 165 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 153 |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 148 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 135 |
| CWE-59 | Improper Link Resolution Before File Access (‘Link Following’) | 133 |

Some very basic software development errors are listed here. The top two entries, XSS (Cross-Site Scripting, CWE-79) and SQL injection (CWE-89), are fundamental to web application security and are always covered as part of basic development best practices. The main takeaway from the above table is that this happens to big and small vendors alike (see Cisco and IBM), and also more often in firmware (where leaked credentials are often harder to mitigate).
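As an added example that is not part of the original post, the block below shows the two sides of the hard-coded credentials problem (CWE-798) the post opens with: a small heuristic scanner that flags string literals assigned to secret-looking identifiers in source text, and the hardened pattern of loading the secret from the environment at runtime and failing closed when it is absent. The sample source lines, identifier names and values are constructed for the example; the regexes are deliberately simple and are not a substitute for a real secret-scanning tool.

```python
"""Added example (not from the original post): a heuristic hard-coded
credential scanner (CWE-798) plus the hardened runtime-lookup pattern.
All sample input below is constructed."""
import os
import re

# A string literal assigned to an identifier that looks like a secret, e.g.
#   db_password = "..."   or   api_key: '...'
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_.]*(?:passw(?:or)?d|secret|api[_-]?key|token|private[_-]?key)[a-z0-9_]*)
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)

# Values that are obviously not live secrets: variable references, angle-bracket
# placeholders and common dummy strings. Everything else is reported.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{?[a-z_]+\}?|<[^>]+>|changeme|xxx+|example)$")

# Constructed sample source: two real-looking secrets, two placeholders, one
# correct environment lookup and one non-secret setting.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
db_password = "s3cr3t-pa55"
api_key: 'aK3x-constructed-sample-key'
token = "${VAULT_TOKEN}"
admin_password = "changeme"
smtp_password = os.environ["SMTP_PASSWORD"]
"""


def find_hardcoded_credentials(source: str):
    """Return (line_number, identifier, value) for each suspicious literal.

    Placeholder values and non-literal right-hand sides (such as an
    os.environ lookup) are not reported.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group("value")):
            hits.append((lineno, m.group("name"), m.group("value")))
    return hits


def load_secret(name: str, environ=os.environ) -> str:
    """Hardened pattern: resolve the secret at runtime, never from source.

    Fails closed: a missing or empty value raises instead of silently
    falling back to a default credential.
    """
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} is assigned a literal ({len(value)} chars)")
    # The same secret, read the right way (value is a constructed example).
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-env"}))
```

Run stand-alone, the scanner reports lines 2 and 3 of the sample and leaves the `${VAULT_TOKEN}` reference, the `changeme` placeholder and the `os.environ` lookup alone; note that it prints only the length of a flagged value, so the scanner itself does not become another place the secret leaks (compare CWE-532 in the table).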