AppSec Blog: Category - Top25

Ask the Expert - Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.

1. Although SQL Injection continues to be one of the most commonly exploited security vulnerabilities in the wild, Cross-Site Scripting (XSS) is still the most common security problem in web applications. Why is this still the case? What makes XSS so difficult for developers to understand and to protect themselves from?

Mitigation of SQL Injection, from a developer point of view, is very straightforward. Parameterize your queries and bind your variables!

Top 25 Series - Summary and Links

As requested, here are the links to all the posts on the Top 25 Most Dangerous Programming Errors. Please let us know if you have any suggestions or comments.

1 - Cross-Site Scripting (XSS)
2 - SQL Injection
3 - Classic Buffer Overflow
4 - Cross-Site Request Forgery (CSRF)
5 - Improper Access Control (Authorization)
6 -
Top 25 Series - Rank 20 - Download of Code Without Integrity Check

Checking the integrity of code you download is important and has to be done not just for the initial download, but for updates as well. We will discuss the options to implement integrity checks correctly.

Top 25 Series - Rank 25 - Race Conditions

Flying a lot, it happens once in a while that I arrive at the airport early enough to be offered to check in on an earlier flight. Usually the check-in kiosk offers the option and lists the flight. Last year, I tried to take advantage of this offer, only to be told that the flight was no longer available after selecting the earlier flight.

Well, not a big deal. I went to the gate, and waited for the later flight. As I tried to board it, my boarding pass in hand, I was told that there was no record of my reservation for this flight.

So what had happened? In this case, I can only speculate. But likely, a race condition occurred. Someone was being added to the earlier flight just as I was added. But before the system was able to check that my seat was actually available, I was removed from the later flight. Finally, as the change failed, the system "forgot" to place me back on the later flight.

Race conditions are very common in shared applications like web
Top 25 Series - Rank 24 - Use of a Broken or Risky Cryptographic Algorithm

There are a few rules every developer should follow when applying encryption:

- don't invent your own algorithm
Cryptography is a difficult topic, best left to the experts. Implementing encryption algorithms is difficult and there are many traps waiting. Many times you can get away with a broken custom algorithm, but only because nobody challenges the implementation. If you are happy coding unimportant websites nobody needs, then your time is probably cheap enough that you don't mind wasting a few hours implementing your own broken algorithm.

It is best to stick with standard algorithms. Currently, AES (Advanced Encryption Standard) is the standard encryption algorithm. The advantage of using a standard like AES is that you will find support in various programming languages, and future support is likely as well.

- use the strongest algorithm you can find
Cryptography is a constant