

CWE/SANS Top 25 Most Dangerous Software Errors (SQL injection is still #1) - rubinelli
http://cwe.mitre.org/top25/?2011

======
astine
I like how #25 is forgetting to use a salt when storing passwords. It seems to
me that the majority of security discussion on HN these days is about hashing
passwords and why one should use bcrypt or whatever, while everything from SQL
injection, to buffer overflow is listed as a bigger problem.

It seems to me that if someone can download your password database, you've got
more important issues than your choice of password hash to worry about. I
won't say that making the one-time decision to use a secure digest is a bad
investment, but shouldn't we focus more on preventing SQL injection and XSS than
password hashing?

~~~
rubinelli
Cryptography is fun, that's why people like to talk about it here, and why so
many inexperienced developers try to roll their own (#19). Making sure you
sanitized every input, authenticated every action, and capped every buffer, is
slow, tedious work (although a good architecture and automated tests can help
a lot here).
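The two weaknesses the thread contrasts (SQL injection, the list's #1, and unsalted password hashes, #25) are small enough to show side by side. The following is an added example written for this page, not code posted by either commenter: an in-memory SQLite table (constructed sample users), a lookup that splices the name into the query text next to the same lookup with a bound parameter, and a per-user salted PBKDF2-HMAC-SHA256 hash standing in for the bcrypt the thread mentions (PBKDF2 is used here only because it is in the standard library; the function names and iteration count are this example's own choices).

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for this example; tune to your hardware, as with bcrypt's cost.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """CWE-759 remediation: random per-user salt plus a slow KDF.

    Returns (salt, digest). Passing an existing salt recomputes the digest for
    verification; omitting it generates a fresh 16-byte salt for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash BLOB, salt BLOB)")
    for name, password in (("alice", "correct horse"), ("bob", "battery staple")):
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, digest, salt))
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89 pattern: user-controlled text becomes part of the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_user_safe(conn, name):
    """Remediation: the value is bound as a parameter and can never alter the query."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def verify_password(conn, name, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    stored_digest, salt = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored_digest, candidate)


def same_password_different_digests():
    """Why the salt matters: identical passwords must not yield identical digests."""
    _, d1 = hash_password("hunter2")
    _, d2 = hash_password("hunter2")
    return d1 != d2


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic tautology used here only to show the difference
    print("vulnerable lookup returns:", find_user_vulnerable(db, probe))
    print("parameterised lookup returns:", find_user_safe(db, probe))
    print("alice login ok:", verify_password(db, "alice", "correct horse"))
    print("salt makes equal passwords differ:", same_password_different_digests())
```

Running it shows the spliced query returning every row for the tautology input while the bound-parameter version returns nothing, and the salted digests for equal passwords never matching, which is exactly what a leaked table of unsalted hashes would give up.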

