The SANS Institute released an updated version of its top 25 dangerous programming errors list this week, shedding light on the common coding errors attackers use to gain access to sensitive data and wreak havoc on corporate networks.
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list includes many of the same programming errors identified in 2009, but the organizers made two additions: a new set of profiles to help project managers tailor the list to their needs, and mitigation techniques that could help software developers, designers and project managers adopt better practices and apply them to different parts of the software development lifecycle.
The list includes a variety of errors, from improper input validation to the use of a broken or risky cryptographic algorithm, which could be used by attackers to gain access to sensitive data using various techniques. Cross-site scripting (XSS) topped the list, followed by input validation errors making software vulnerable to SQL injection attacks and programming blunders leading to buffer overflow conditions.
Experts who helped develop the list say it sheds light on the growing need for better software development practices to address a documented rise in attacks against websites and web-based applications. Attackers are turning to automated tools that make it easier to seek out and exploit vulnerabilities. The list is being jointly managed by the SANS Institute and the MITRE Corp., which maintains the Common Weakness Enumeration, a formal list of software weaknesses.
Alan Paller, director of research at the SANS Institute, said the error list could be used as a standard for contract language between custom software buyers and developers. If businesses use the coding errors when putting together the contract language, it may help ensure buyers are not held liable for software containing faulty code, he said.
The list was first used in the procurement process last year when officials in New York State released a draft version of a procurement contract using the programming errors list. William Pelgrin, CISO of New York state and principal editor of the consensus procurement standards for secure code, drafted the new language. He said the language could help provide assistance with both in-house software development and hiring an external development team. The SANS Institute posted the draft of the procurement contract language. Paller said if used properly it could substantially reduce the risk of purchasing shoddy code and eliminate the problem of having to pay a fortune to repair coding errors.
"There is now a way that [enterprises] can begin to make the suppliers of that software accountable for problems," Paller said. "We see it as directly addressing the financial problem on fixing the [coding errors] and we see it as partially helping get rid of the errors in the first place."
The new version introduces focused profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. A set of nine different profiles breaks down the coding errors, listing certain weaknesses typically fixed in design and implementation, errors that can be emphasized when training new programmers and common holes that can be detected using automated versus manual code analysis.
The new list also provides a set of what researchers have identified as effective Monster Mitigations, helping developers reduce or eliminate entire groups of weaknesses by applying the techniques to different areas of the software development lifecycle. The mitigations are organized by target audience -- programmers, designers and project managers -- providing a blueprint to get started with process improvements.
"These things we hope will help people really get into the top 25 and apply it quickly and directly to the challenges they have," said software security expert Bob Martin, principal engineer, MITRE Corp.
While the list identifies the common errors that are not well understood by programmers, experts say enterprises have a long way to go to improve the internal workings of their software development practices before any true progress can be made. While error lists help focus awareness on the issue of software coding flaws, better training and a shift to quality software over speed and cost cutting may be the bigger problem to solve.
Secure coding expert Caleb Sima, CEO of Santa Clara, Calif.-based Armorize Technologies Inc., a Web application security vendor, said the lists are a helpful educational tool and help people understand the kind of errors that need to be identified and repaired. Sima, the former co-founder and chief technology officer of SPI Dynamics, which was acquired by HP Software in August 2007, said secure software coding can be tricky when developers are under pressure to complete a project and move on to coding issues in other applications.
"When you take that list into a real world environment I think you start running into some different issues," Sima said. "Applying the full list is overload and it becomes complicated. It isn't a reasonable amount of work for an organization."
Sima said enterprises could better apply the coding error lists by identifying specific problems that can be reasonably addressed by software developers. Coding practices would be improved if only five reasonable issues were identified that are unique to the organization and can be fed into a code analysis tool, he said.
Security expert Gary McGraw, an outspoken opponent of vulnerability lists, said that while they help software developers think more about attackers and the vulnerabilities they go after, they do little to help improve software coding.
"There is much more to building secure software than hunting down 25 bugs," said McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.