Enterprise Business Application Security Development Issues

Revision as of 14:36, 15 September 2013 by Alexander (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Development of guides


This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems.


The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications.


There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown.


Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon.


Top 10 Server vulnerabilities (EASAD)

2 Improper Access Control
3 Information disclosure
4 Command/code injection in proprietary language
5 SQL Injection
6 Missing Encryption of Sensitive Data
7 Buffer overflows
8 Path traversal
10 Use of a Broken or Risky Cryptographic Algorithm

Top 10 Frontend vulnerabilities (EASFD)

1 Buffer overflows (ActiveX)
2 Exposed Dangerous Method or Function (ActiveX)
3 Insecure scripting server access
4 File handling Frontend vulnerabilities
5 Use of a Broken or Risky Cryptographic Algorithm
6 Cleartext Storage of Sensitive Information
7 Use of hard-coded password
8 Lack of integrity checking for front-end application
9 Cleartext Transmission of Sensitive Information
10 Vulnerable remote services


coming soon


Alexander Polyakov (ERPScan Research Group)
Mikhail Markevich
Dmitry Evdokimov (ERPScan Research Group)
Alexey Sintsov (ERPScan Research Group)