我建议查看CWE/SANS前25个最危险的编程错误。它在2010年进行了更新，并承诺在未来定期更新。2009年的修订版也可以使用。

从http://cwe.mitre.org/top25/index.html

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

我建议查看CWE/SANS前25个最危险的编程错误。它在2010年进行了更新，并承诺在未来定期更新。2009年的修订版也可以使用。

从http://cwe.mitre.org/top25/index.html

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

为什么是重要的。 这都是关于权衡。 密码学在很大程度上分散了人们对安全性的注意力。

只是想把这个分享给网页开发者:

security-guide-for-developershttps: / / github.com/FallibleInc/security-guide-for-developers

另外，请务必查看OWASP前10名列表，以了解所有主要攻击载体/漏洞的分类。

这些东西读起来很吸引人。学习像攻击者一样思考将训练您在编写自己的代码时思考什么。

记住，你(程序员)必须确保所有部分的安全，但攻击者只需要成功地找到你盔甲中的一个漏洞。 安全就是“未知的未知”的一个例子。有时你不知道可能的安全漏洞是什么(直到事后)。 漏洞和安全漏洞之间的区别取决于攻击者的智力。