tags:

views:

36

answers:

2
Q: 

Common Bugs Book

I am looking for a book (or some other resource) where the most common bugs are explained and shown the proper fix. I am particularly interested in vulnerable bugs that trigger a CVE

A: 

Actually there are few common things that comes under CVE and for that online CVE guides are good. But as far as bugs are concerned, these are basically your unexpected outputs. Even if you have correct implementation but with a minor change at some places leads to serious bugs.Since application uses modules as building blocks so these are coupled to each other, depending on Programmer to Programmer and their way to code. Better the programmer lesser the bugs. But bug will be there. And a developer can't ensure exactly what type of the bug it will produce. So it depends upon your application, what is the base? What are the outputs? from there you can have small set or predefined bugs but not all bugs. Finally with my experience i can say, no body blindly suggest you the list of bugs but here are some of the bugs that you might face while development. Since I am .Net developer (web), so my answer are related to that , hope it will make some sense to you:

  1. If using Sql Operations , vulnerable bugs are Sql Injection. Even if you use parameterized query there are changes of sql injection if you are using dynamic queries with ''+@abc+'' as params.

  2. Validation bugs : Most web devs uses javascript as client side scripting. But this can also be disabled and one can bypass.

  3. Not properly closing/disposing/releasing objects/instances leads your app a poor performer and vulnerable to code injections , depending upon your code

Right Now I have only three in mind. If need more and a .Net Dev the please download FxCop, anti scipt tools for more about the app. Also try googling on Application Threat Modelling http://www.owasp.org/index.php/Application_Threat_Modeling

Amit Ranjan  2010-07-20 05:23:09
A: 

I think an all-encompassing book of security vulnerabilities and their fixes is a little far-fetched - especially since many of these vulnerabilities have yet to fixed.

Instead of taking a retrospective approach to security - analyzing a system for vulnerabilities after it has been developed - consider incorporating security concerns into your development process from the start.

I would suggest reading "best practices" books as these suggest the ways to avoid common security holes (e.g. buffer overflows, SQL injection, etc.)

advait  2010-07-20 05:30:32

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security