Top 25 most dangerous programming errors

The paper “Top 25 Most Dangerous Programming Errors” (http://cwe.mitre.org/top25) is an interesting study of the families of programming errors that lead to security issues. The paper is based on input from a wide variety of security experts and is worth reading. The complete list of errors is at http://cwe.mitre.org/data/lists/699.html.

From a T-SQL perspective, however, it seems off the mark, but the same group has a database of all the common weaknesses. Here is a list of common SQL-specific errors I was able to extract:

· Access Control Bypass Through User-Controlled SQL Primary Key (http://cwe.mitre.org/data/definitions/566.html).

· Dangling Database Cursor (aka 'Cursor Injection') (http://cwe.mitre.org/data/definitions/619.html).

· Failure to Preserve SQL Query Structure (aka 'SQL Injection') (http://cwe.mitre.org/data/definitions/89.html).

· Failure to Sanitize Data within XQuery Expressions (aka 'XQuery Injection') (http://cwe.mitre.org/data/definitions/652.html).

· SQL Injection: Hibernate (http://cwe.mitre.org/data/definitions/564.html).

There are many errors that apply to SQL and other languages. Here is a list that I thought was most relevant to SQL development:

· Algorithmic Complexity (http://cwe.mitre.org/data/definitions/407.html).

· Authentication Bypass by Alternate Name (http://cwe.mitre.org/data/definitions/289.html).

· Client-Side Enforcement of Server-Side Security (http://cwe.mitre.org/data/definitions/602.html).

· Discrepancy Information Leaks (http://cwe.mitre.org/data/definitions/203.html).

· Error Handling (http://cwe.mitre.org/data/definitions/388.html).

· Error Message Information Leak (http://cwe.mitre.org/data/definitions/209.html).

· Failure to Encrypt Sensitive Data (http://cwe.mitre.org/data/definitions/311.html).

· Failure to Handle Missing Value (http://cwe.mitre.org/data/definitions/230.html).

· Improper Access Control (Authorization) (http://cwe.mitre.org/data/definitions/285.html).

· Incorrect Ownership Assignment (http://cwe.mitre.org/data/definitions/708.html).

· Incorrect Privilege Assignment (http://cwe.mitre.org/data/definitions/266.html).

· Leftover Debug Code (http://cwe.mitre.org/data/definitions/489.html).

· Not Using Password Aging (http://cwe.mitre.org/data/definitions/262.html).

· Privacy Leak through Data Queries (http://cwe.mitre.org/data/definitions/202.html).

· Unchecked Input for Loop Condition (http://cwe.mitre.org/data/definitions/606.html).

· Use of Obsolete Functions (http://cwe.mitre.org/data/definitions/477.html).