views:

36

answers:

2

I am looking for a book (or some other resource) where the most common bugs are explained and shown the proper fix. I am particularly interested in vulnerable bugs that trigger a CVE

A: 

Actually there are few common things that comes under CVE and for that online CVE guides are good. But as far as bugs are concerned, these are basically your unexpected outputs. Even if you have correct implementation but with a minor change at some places leads to serious bugs.Since application uses modules as building blocks so these are coupled to each other, depending on Programmer to Programmer and their way to code. Better the programmer lesser the bugs. But bug will be there. And a developer can't ensure exactly what type of the bug it will produce. So it depends upon your application, what is the base? What are the outputs? from there you can have small set or predefined bugs but not all bugs. Finally with my experience i can say, no body blindly suggest you the list of bugs but here are some of the bugs that you might face while development. Since I am .Net developer (web), so my answer are related to that , hope it will make some sense to you:

  1. If using Sql Operations , vulnerable bugs are Sql Injection. Even if you use parameterized query there are changes of sql injection if you are using dynamic queries with ''+@abc+'' as params.

  2. Validation bugs : Most web devs uses javascript as client side scripting. But this can also be disabled and one can bypass.

  3. Not properly closing/disposing/releasing objects/instances leads your app a poor performer and vulnerable to code injections , depending upon your code

Right Now I have only three in mind. If need more and a .Net Dev the please download FxCop, anti scipt tools for more about the app. Also try googling on Application Threat Modelling http://www.owasp.org/index.php/Application_Threat_Modeling

Amit Ranjan
A: 

I think an all-encompassing book of security vulnerabilities and their fixes is a little far-fetched - especially since many of these vulnerabilities have yet to fixed.

Instead of taking a retrospective approach to security - analyzing a system for vulnerabilities after it has been developed - consider incorporating security concerns into your development process from the start.

I would suggest reading "best practices" books as these suggest the ways to avoid common security holes (e.g. buffer overflows, SQL injection, etc.)

advait