Module developers have been asking questions about how to strengthen the security of their modules.
OWASP, the Open Web Application Security Project has recently released its Top Ten security problems for Web Applications.
You can download the document here:
http://prdownloads.sourceforge.net/owasp/OWASPTopTen2004.pdf?downloadThere are tools at the site that you might find handy:
http://www.owasp.org/The document goes into more detail about flaws and how to address them, but here is the abbreviated list of the Top Ten Security Vulnerabilities in web applications:
1. Unvalidated Input
Information not validated before used by the application.
2. Broken Access Control
Restrictions on Authenticated Users not enforced.
3. Broken Authentication and Session Management
Account sessions, tokens, cookies, etc. are not protected.
4. Cross-Site Scripting (XSS) Flaws
Attacker uses web application to deliver attack to user's browser.
5. Buffer Overflows
Unvalidated Input is used to crash a process and give control to attacker.
6. Injection Flaws
Attacker embeds malicious parameters that are passed to execute commands that would otherwise be unavailable.
7. Improper Error Handling
When errors are not handled properly, they may serve as a means of attack or provide vulerability details to an attacker.
8. Insecure Storage
Cryptographic security functions that can be difficult to implement properly allow some attackers access to credentials or information.
9. Denial of Service
Attacker consumes web application resources until the service is unable to provide access to other users or crashes completely.
10. Insecure Configuration Management
If the server you are running things on is insecure, the application (no matter how secure it is otherwise) is wide open to attack.
