Tuesday 13 January 2009

Top 25 Programming Errors to Be Avoided

The SANS Institute yesterday released a list of what they deem the 25 most dangerous programming errors found in software today. They claim that just two of these errors led to over 1.5 million web site security breaches last year.

The list was compiled by some of the most respected security experts in the world and includes representatives from Microsoft, Symantec, RSA and even the NSA. "There appears to be broad agreement on the programming errors," says SANS Director Mason Brown. "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."

The hope is that if these warnings are heeded and the workarounds adopted widely, then software across the board will be much safer, reassuring consumers that the programs they use will not damage their computers or reveal confidential information to unprivileged people. It is also hoped that the publication of this list will lead to tools that consistently measure the security of the software programmers are writing, and that colleges will be able to teach secure coding more confidently. Employers will also be able to ensure they hire programmers with this knowledge and to train their existing workforce, so that software is not written with these errors in it.

Tony Sager from the US National Security Agency's Information Assurance Directorate says that "The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively."

The full list of the top 25 most dangerous programming errors follows; more details can be found on the SANS Institute website at this address: www.sans.org/top25errors

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
  • CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
  • CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak
  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation
  • CWE-285: Improper Access Control (Authorization)
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security

References:

  1. SANS Institute - 25 Most Dangerous Programming Errors
  2. BBC News | Dangerous coding errors revealed