Security experts identify 25 dangerous coding errors

By Robert Westervelt, News Editor
12 Jan 2009 | SearchSecurity.com


Security experts from 30 cybersecurity organizations hope that a new list they created, outlining 25 common programming errors, will help promote secure software development and reduce the number of coding vulnerabilities that cybercriminals attack on a daily basis.


The CWE/SANS Top 25 Most Dangerous Programming Errors list includes the most common programming errors and the ways programmers can avoid them. Among the errors listed are improper input validation, improper output encoding, failure to preserve SQL query structure (SQL injection), and errors that leak data or otherwise make software easier to attack.
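The three error classes named above, shown side by side with their fixes as an added illustration that is not part of the original article or of the CWE/SANS list itself: a lookup that splices user input into an SQL string beside its parameterized form, an allowlist check on the input, and an HTML table row rendered with and without output encoding. The in-memory users table, its sample rows, the injection payload and the username allowlist are constructed for this example, and the function names are assumptions, not anything the list prescribes.

```python
import html
import re
import sqlite3

# Constructed sample data for the example: a tiny in-memory users table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Username allowlist (an assumption for this example): input validation
# rejects anything outside the expected shape before it reaches a query
# or a page.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build the constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(name):
    """Input validation: accept only names matching the allowlist."""
    return USERNAME_RE.match(name) is not None


def lookup_vulnerable(conn, name):
    """Failure to preserve SQL query structure: the input is spliced into
    the statement text, so a quote in the input rewrites the WHERE clause
    instead of being compared as a value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Query structure is fixed at write time; the input is bound as data,
    so the same payload is compared literally and matches nothing."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_row_unencoded(name, role):
    """Improper output encoding: database content goes straight into HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (name, role)


def render_row_encoded(name, role):
    """Output encoding: special characters are escaped for the HTML context."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(name), html.escape(role))


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print(is_valid_username(payload))                # False: rejected by the allowlist
    print(lookup_vulnerable(conn, payload))          # all three rows: the clause became a tautology
    print(lookup_parameterized(conn, payload))       # []: compared as a literal string
    print(render_row_unencoded("<script>", "user"))  # raw tag reaches the browser
    print(render_row_encoded("<script>", "user"))    # &lt;script&gt; is rendered as text
```

The allowlist check and the parameterized query are independent defenses: validation limits what reaches the database at all, while binding the value as a parameter guarantees the query's structure cannot change even when validation is incomplete. Output encoding is a separate step applied at the point where data leaves the application for a browser, because stored data may be legitimate in the database and still dangerous in HTML.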


The list is being maintained by the MITRE Corporation, which maintains the Common Weakness Enumeration, a formal list of software weaknesses, and the SANS Institute, a security training and certification organization. The two organizations said the list was written to give programmers the ability to measure the security of the software they write and give colleges the ability to teach secure coding more effectively. It was also written so that non-experts can have a list to refer to when buying software or hiring a software development team.

Konrad Vesey of the Information Assurance Directorate at the National Security Agency said in a statement that the list puts the responsibility for software security on software engineers rather than on system administrators.

"When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence in product development is likely to emerge," Vesey said. "The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."

Security experts involved in developing the list said it was not easy to decide which programming errors to include. While some said the list may not have a major impact on secure coding, many called it a good start in raising awareness of secure software development.

"It's not going to be a revolutionary change, but I think it's useful," said Jeff Williams, CEO of Aspect Security and chairman of the Open Web Application Security Project (OWASP) Foundation, which maintains a list of Top 10 Web application errors. "Bringing the power of SANS and MITRE together to market this thing and raise some awareness is really good for the community."

Williams said the list overlaps heavily with the OWASP Top Ten. Distilling a top 25 from the more than 600 weaknesses described in the Common Weakness Enumeration was extremely difficult, he said: it is hard to produce something actionable for developers that also drives organizations to make good decisions.

"Certainly developers could look at this and get input on what they ought to be doing when they are writing their code," he said.


Chris Wysopal, software security expert and co-founder and chief technology officer of Veracode Inc., a secure application testing vendor, said he contributed to the list by looking at the different security issues his company finds prevalent in the code it reviews for customers.

"They are mistakes that we see in most applications which shows that the development community as a whole needs to be educated," Wysopal wrote in an email exchange. "In other words, it isn't just a few junior developers making the errors. The full CWE is over 600 types of programming problems and that is just too big a list for developers and testers to get their heads around."

The CWE/SANS Top 25 Errors list is organized into three categories: insecure interaction between components, risky resource management and porous defenses. Each entry will link to the full CWE entry data and will carry fields for weakness prevalence, consequences, and the frequency of attacks against each weakness, along with remediation cost and ease of detection.

Ryan Barnett, Web security expert and director of application security at Web application firewall vendor Breach Security Inc., called the list a good complement to the vulnerability information maintained by other organizations. Barnett, a SANS Institute faculty member and member of the Web Application Security Consortium, has been developing a threat classification taxonomy for the consortium. He called the CWE/SANS Top 25 Errors list a very difficult list to put together; it was hard for those involved to agree on a final list, he said.

"Anytime you hear the title is a top-whatever-list, it tells you that it's just a starting point," Barnett said.

Jacob West, manager of Fortify Software Inc.'s security research group, served as a reviewer throughout the development of the list. He co-authored Secure Programming with Static Analysis.

"A key point that we make in [the book] is that most of the people building software are going to focus on things other than security (writing code, running test cases, deploying applications, etc)," West wrote in an email exchange. "These people are making security-critical decisions on a daily basis, but they can't afford to become security experts -- they've got other things to worry about."

West said the list will arm non-experts with the right processes to build security into the development lifecycle from the ground up. It could also foster more robust security training at colleges and universities, he said.

"Although it's been too long coming, the top universities across the country are beginning to offer courses that either address or focus entirely on software security," he said. "Security is a complicated field and we can't expect everyone, particularly software developers who have a wide range of other responsibilities, to become experts."
