In every web application security training class that I conduct, I keep repeating that programmers can eliminate a lot of security issues by doing two things:
- Validate all input properly
- Prevent information leakage, primarily by properly handling exceptions and giving out generic error messages.
This is based on my experience performing penetration tests on web applications since 2001. While my advice is based on my observations, I did not document the data to back this up. Now, the data has been provided by a third party.
SANS, in collaboration with other organizations, has compiled and released a list of the Top 25 programming errors. This is a great list, because it lists the programming issues, the root causes, that result in vulnerabilities. Just two of the 25 errors are credited with more than 1.5 million security breaches in 2008 alone. The top issue listed is Improper Input Validation, and Error Message Information Leak is right up there.
Other important weaknesses on the list will be familiar to most of you: SQL injection, Cross-Site Scripting and OS Command Injection. Each has its own specific defence that remains the primary fix (parameterized queries for SQL injection, context-aware output encoding for Cross-Site Scripting, avoiding shell invocation for OS Command Injection), but all three become far harder to exploit when every piece of untrusted input is validated against a strict allow-list before it is used.
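As an added example, not code from the original post, here are the two pieces of advice applied to a small user-lookup handler in Python: a leaky version that builds SQL from the raw parameter and echoes the exception to the client, beside a hardened version that validates the username against an allow-list, uses a parameterized query, logs the full exception server-side and returns only a generic message with a reference ID. The table, the username pattern, the status-code convention and the two attacker inputs are constructed for this example.

```python
import logging
import re
import sqlite3
import uuid

logger = logging.getLogger("lookup")

# Allow-list for the username parameter: 3-32 letters, digits or underscores.
# The pattern, the table and the sample inputs are constructed for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Constructed attacker inputs: an unbalanced quote that breaks the SQL syntax,
# and a UNION payload that reads the schema out of sqlite_master.
BAD_QUOTE = "o'brien"
INJECTION = "x' UNION SELECT sql FROM sqlite_master--"


def setup_db():
    """In-memory SQLite database with a two-row users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def validate_username(value):
    """Accept only strings that fully match the allow-list; reject everything else."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username failed allow-list validation")
    return value


def lookup_leaky(conn, username):
    """Vulnerable handler: no validation, SQL built by string formatting, and
    the raw exception returned to the client. Returns (status, body)."""
    try:
        row = conn.execute(
            f"SELECT email FROM users WHERE name = '{username}'"
        ).fetchone()
        return 200, (row[0] if row else "not found")
    except Exception as exc:
        # Leaks the driver, the error text and often fragments of the query or schema.
        return 500, f"Internal error: {exc!r}"


def lookup_hardened(conn, username):
    """Hardened handler: allow-list validation, parameterized query, full
    details logged server-side, generic message to the client. Returns (status, body)."""
    try:
        name = validate_username(username)
    except ValueError:
        return 400, "Invalid request"
    try:
        row = conn.execute(
            "SELECT email FROM users WHERE name = ?", (name,)
        ).fetchone()
        return 200, (row[0] if row else "not found")
    except Exception:
        # A short correlation ID lets support find the log entry without
        # exposing the exception text to the caller.
        incident = uuid.uuid4().hex[:8]
        logger.exception("lookup failed, incident %s", incident)
        return 500, f"An error occurred (reference {incident})"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = setup_db()
    for handler in (lookup_leaky, lookup_hardened):
        for value in ("alice", BAD_QUOTE, INJECTION):
            print(handler.__name__, repr(value), "->", handler(db, value))
```

Running it shows the leaky handler returning the CREATE TABLE statement for the UNION payload and an `OperationalError` with the broken SQL fragment for the unbalanced quote, while the hardened handler rejects both at the allow-list with a bare `Invalid request`. The allow-list is deliberately narrower than what the parameterized query needs; the query binding is what stops the injection, the validation stops malformed data from ever reaching the database or any later component.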
While I strongly advise you to read the entire document and work through all 25 issues, the least you should do is validate all input properly and handle exceptions so that your error messages do not give away information an attacker can use against your site.