Top 25 coding Defects: Agreement Will Change How Organizations Buy Software

Posted by: Lava Kafle

Top 25 coding Defects: Agreement Will Change How Organizations Buy Software:
SANS Institue reveals them here:
Clicking “MORE” in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following:

* links to the full CWE entry data,
* data fields for weakness prevalence and consequences,
* remediation cost,
* ease of detection,
* attack frequency and attacker awareness
* related CWE entries
* related patterns of attack for this weakness.

Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation

It’s the number one killer of healthy software, so you’re just asking for trouble if you don’t ensure that your input conforms to expectations…MORE >>
CWE-116: Improper Encoding or Escaping of Output

Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days…MORE >>
CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

If attackers can influence the SQL that you use to communicate with your database, then they can…MORE >>
CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications…If you’re not careful, attackers can…MORE >>
CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers…MORE >>
CWE-319: Cleartext Transmission of Sensitive Information

If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many…MORE >>
CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim…MORE >>
CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable…MORE >>
CWE-209: Error Message Information Leak

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data…MORE >>
CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

Buffer overflows are Mother Nature’s little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you’re…MORE >>
CWE-642: External Control of Critical State Data

There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can…MORE >>
CWE-73: External Control of File Name or Path

When you use an outsider’s input while constructing a filename, you’re taking a chance. If you’re not careful, an attacker could… MORE >>
CWE-426: Untrusted Search Path

If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker’s choosing. This causes the software to access the wrong resources at the wrong time…MORE >>
CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)

For ease of development, sometimes you can’t beat using a couple lines of code to employ lots of functionality. It’s even cooler when…MORE >>
CWE-494: Download of Code Without Integrity Check

You don’t need to be a guru to realize that if you download code and execute it, you’re trusting that the source of that code isn’t malicious. But attackers can perform all sorts of tricks…MORE >>
CWE-404: Improper Resource Shutdown or Release

When your precious system resources have reached their end-of-life, you need to…MORE >>
CWE-665: Improper Initialization

Just as you should start your day with a healthy breakfast, proper initialization helps to ensure…MORE >>
CWE-682: Incorrect Calculation

When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to…MORE >>
CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization)

If you don’t ensure that your software’s users are only doing what they’re allowed to, then attackers will try to exploit your improper authorization and…MORE >>
CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers…MORE >>
CWE-259: Hard-Coded Password

Hard-coding a secret account and password into your software’s authentication module is…MORE >>
CWE-732: Insecure Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world – well, that’s just what they’ll become…MORE >>
CWE-330: Use of Insufficiently Random Values

If you use security features that require good randomness, but you don’t provide it, then you’ll have attackers laughing all the way to the bank…MORE >>
CWE-250: Execution with Unnecessary Privileges

Spider Man, the well-known comic superhero, lives by the motto “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky…MORE >>
CWE-602: Client-Side Enforcement of Server-Side Security

Remember that underneath that fancy GUI, it’s just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls…

National Security Agency’s Information Assurance Directorate
“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.”
-Tony Sager, National Security Agency’s Information Assurance Directorate
US Department of Energy:
“The CWE/SANS Top 25 effort is extremely valuable and will provide many organizations with a tangible way to begin addressing software security problems.”
- Michael Klosterman, SCADA Operations, Western Area Power Association, US Department of Energy
Depository Trust:
“The CWE-SANS Top 25 Errors is a vital tool for organizations that believe in a risk-based approach to software security enabling them to assess the specific vulnerabilities identified in their environments compared with a composite perspective of risk from industry recognized experts.”
- Jim Routh, CISO, The Depository Trust & Clearing Corporation
Microsoft:
“The 2009 CWE/SANS Top 25 Programming Errors project is a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix.”
- Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corp.
OWASP Foundation:
“When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task. Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs.”
- Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
Symantec:
“The 2009 CWE/SANS Top 25 Programming Errors reflects the kinds of issues we’ve seen in application software and helps provide us with actionable direction to continuously improve the security of our software.”
- Wesley H. Higaki, Director, Software Assurance, Office of the CTO, Symantec Corporation
Software Assurance Consortium:
“As an advocate for the consumer, this is viewed as a giant step forward in providing security for all users. It increases awareness of the various levels of secure software by highlighting its effects on our daily use of all software products. The CWE/SANS Top 25 effort adds the capability to our tool box which in turn aids the SwAC in our mission to bring together Industry and Government to transform the security and dependability of all software products.”
- Dan Wolf, Director, Software Assurance Consortium.
EMC:
“The Top 25 List puts a powerful tool into the hands of the programmers along with every person involved in designing and developing software. The simple fact that such a list now exists will allow software assurance to be practiced more effectively.”
- Dan Reddy, Consulting Product Manager, EMC Product Security Office
Purdue:
“The CWE Top 25 should be watched because targeting the most troublesome programming mistakes can potentially reduce the occurrence of vulnerabilities and our exposure at a national level, while diminishing our undesirable dependence on patches.”
- Pascal Meunier, CERIAS, Purdue University
Secunia:
“This Top 25 is without a doubt one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The list, which has been created based on feedback from many experts in the security industry, focuses on selection criteria like severity and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in a easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won’t make the same mistakes in 2009 as they’ve made previously.”
- Carsten Eiram, Chief Security Specialist, Secunia.
Ken van Wyk:
“This list of programming errors should be enormously useful to the community. It serves to help us all get our collective “arms around” understanding the most common security defects in our code, just as the OWASP Top 10 helps us understand the attacks against those defects.”
- Kenneth R. van Wyk, KRvW Associates, LLC
Veracode:
“A prioritized list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The Top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.”
- Chris Wysopal, Co-Founder and CTO of Veracode, Inc.
Core Security Technologies:
“This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities in need of a more rational way to address what are currently the most urgent and relevant software security problems.”
- Ivan Arce, CTO of Core Security Technologies Inc.
Breach Security:
“The CWE/SANS Top 25 List is an excellent tactical resource for organizations to prioritize and remediate the root causes of today’s successful attacks. This should be required reading for all developers as it is a “Cliff Notes” version of essential secure coding principles.”
- Ryan C. Barnett, Director of Application Security Research, Breach Security
McAfee:
“The 2009 CWE/SANS Top 25 Programming Errors effort is right on target. By educating software developers on the most important issues and showing them how to avoid writing security bugs, this effort will help programmers correct code issues before they become security problems.”
- Kent Landfield, Director, Risk and Compliance Security Research, McAfee, Inc.
Ounce Lab:
“Let’s use this list as a way to jumpstart the solutions – make 2009 a year to make things happen and solve these problems that have been around way too long. Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late.”
- Ryan Berg, Co-Founder and Chief Scientist, Ounce Labs
Grammatech:
“Bugs in software are a plague on our profession and bad for business. They are inevitable, yet understanding of which bugs are most important is often gained the hard and expensive way when they show up in the field. The CWE/SANS Top 25 effort will raise awareness of the huge variety of different kinds of defects that can occur, and will help programmers focus on those that matter most to application quality and security.”
- Paul Anderson – Vice President of Engineering, Grammatech Inc.

http://www.sans.org/top25errors/

Top 25 coding Defects: Agreement Will Change How Organizations Buy Software was last modified: January 17th, 2009 by Lava Kafle

Post Your Comments:

Your email address will not be published. Required fields are marked *