Security experts from 30 cybersecurity organizations hope a new list they created, outlining 25 common programming errors helps increase secure software development and reduce the number of coding vulnerabilities being attacked by cybercriminals on a daily basis.
The CWE/SANS Top 25 Most Dangerous Programming Errors list includes the most common programming errors and ways programmers can avoid them. Some of the errors listed include improper input validation and improper output encoding issues, SQL query structure problems, and errors that could cause data leakage and make software more vulnerable to an attack.
Secure software development:
Should static analysis be avoided during the software development process?: When the cost of addressing security issues increases as the software design lifecycle proceeds, see why expert Michael Cobb says that using static analysis early on can benefit your organization.
SANS: New exam program about more secure code: The SANS Institute has unveiled a skills assessment and certification exam program designed to test the secure coding skills of software programmers.
Software still plagued with security holes, researcher says: In this podcast, noted security researcher Greg Hoglund, who specializes in Windows rootkits and secure coding, explains why software is just as vulnerable today as it was in 1999.
The list is being maintained by the MITRE Corporation, which maintains the Common Weakness Enumeration, a formal list of software weaknesses, and the SANS Institute, a security training and certification organization. The two organizations said the list was written to give programmers the ability to measure the security of the software they write and give colleges the ability to teach secure coding more effectively. It was also written so that non-experts can have a list to refer to when buying software or hiring a software development team.
Konrad Vesey, the information assurance directorate at the National Security Agency, said in a statement that the list makes software engineers more aware of software security rather than system administrators.
"When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence in product development is likely to emerge," Vesey said "The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."
Security experts involved in developing the list said it wasn't easy determining what programming errors to include. While some said the list may not have a major impact on secure coding, many called it a good start in raising awareness about secure software coding.
"It's not going to be a revolutionary change, but I think it's useful," said Jeff Williams, CEO of Aspect Security and chairman of the Open Web Application Security Project (OWASP) Foundation, which maintains a list of Top 10 Web application errors. "Bringing the power of SANS and MITRE together to market this thing and raise some awareness is really good for the community."
Williams said the list has a lot of overlap with the OWASP Top Ten. He said developing a top 25 list from the more than 600 vulnerabilities described in the Common Weakness Enumeration was extremely difficult. It's hard to develop something actionable with developers while driving organizations to make good decisions, he said.
"Certainly developers could look at this and get input on what they ought to be doing when they are writing their code," he said.
Chris Wysopal, software security expert and co-founder and chief technology officer of Veracode Inc., a secure application testing vendor, said he contributed to the list by looking at the different security issues his company finds prevalent in the code it reviews for customers.
"They are mistakes that we see in most applications which shows that the development community as a whole needs to be educated," Wysopal wrote in an email exchange. "In other words, it isn't just a few junior developers making the errors. The full CWE is over 600 types of programming problems and that is just too big a list for developers and testers to get their heads around."
The CWE/SANS Top 25 Errors list is organized into three categories: insecure interaction between components, risky resource management and porous defenses. The list will also have links to the full CWE entry data, data fields for weakness prevalence and consequences and the attack frequency against each vulnerability. The list will also reference remediation cost and ease of detection.
Ryan Barnett, Web security expert and director of application security at Web application firewall vendor Breach Security Inc., called the list a good compliment to vulnerability information maintained by other organizations. Barnett, a SANS Institute faculty member and member of the Web Application Security Consortium, has been developing a threat classification taxonomy for the consortium. He called the CWE/SANS Top 25 Errors list a very difficult list to put together. It was hard for those involved to agree on a final list, he said.
"Anytime you hear the title is a top-whatever-list, it tells you that it's just a starting point," Barnett said.
Jacob West, manager of Fortify Software Inc.'s security research group, served as a reviewer throughout the development of the list. He co-authored Secure Programming with Static Analysis.
"A key point that we make in [the book] is that most of the people building software are going to focus on things other than security (writing code, running test cases, deploying applications, etc)," West wrote in an email exchange. "These people are making security-critical decisions on a daily basis, but they can't afford to become security experts -- they've got other things to worry about."
West said the list will arm non-experts with the right processes to build security into the secure development lifecycle from the ground up. It also could foster more robust security training at colleges and universities, he said.
"Although it's been too long coming, the top universities across the country are beginning to offer courses that either address or focus entirely on software security," he said. "Security is a complicated field and we can't expect everyone, particularly software developers who have a wide range of other responsibilities, to become experts."