Sunday, February 5th, 2012 4:29 pm

Top 25 Programming Errors Revealed

Bethesda (ip-192.com): The SANS Institute, an information security training and certification company, has published a list of the "Top 25 Programming Errors." The list is divided into three categories: eight errors fall under "Insecure Interaction Between Components," 10 under "Risky Resource Management," and 7 under "Porous Defenses."

These 25 programming errors have been the cause of nearly every major type of cyber attack, including the recent penetrations of Google, power systems and military systems, as well as millions of attacks on small businesses and home users, SANS says in a press release. A global effort to eliminate these programming errors is the first step against organized cyber criminals and the persistent threat from competing nation states.

The list prioritizes its entries using input from 28 different organizations that evaluated each weakness based on prevalence and importance. It also provides a small set of the most effective mitigations, helping developers reduce or eliminate entire groups of weaknesses. "There appears to be broad agreement on the programming errors," said Mason Brown, Director at SANS. "Now it is time for buyers to say we are mad as hell, and we are not going to buy software unless you get rid of these errors before you deliver it to us."

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications, according to SANS. It is closely followed by Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') and Cross-Site Request Forgery (CSRF).
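The SQL injection entry above names the weakness but not the mitigation SANS and MITRE recommend for it, which is to keep untrusted input out of the SQL text by binding it as a parameter. The following added example (written for this page, not code from SANS, MITRE or the article) shows a lookup built by string concatenation next to the same lookup using a bound parameter, run against a constructed in-memory SQLite table with three rows; the table contents, the user names and the `lookup_*` function names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weakness: the untrusted value becomes part of the SQL text, so a
    quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The mitigation: the value is bound by the driver and is only ever
    compared as data, never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal name and with the textbook test string a
    code reviewer uses to confirm the flaw; return the four result lists."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed review input: closes the quote, adds an always-true clause
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-22s -> %r" % (label, rows))
```

With the concatenated query the review string returns every row in the table, because the WHERE clause has become `name = 'x' OR '1'='1'`; with the bound parameter the same string simply matches no user. The driver's placeholder syntax differs (`?` for sqlite3, `%s` for psycopg2), but the rule is the same for any database: the SQL text is a constant and every untrusted value travels as a parameter.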

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') is the most critical error in the Risky Resource Management section, followed by Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion').
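The path traversal entry describes a filename that is supposed to stay inside one directory but is not actually limited to it. As an added example (not code from the article or from SANS), the function below performs the limitation the CWE title asks for: it joins the untrusted name onto the base directory, normalizes the result, and rejects it unless the base directory is a path prefix of the outcome. The base directory `/srv/docs` and the sample names are assumptions chosen for the illustration.

```python
import posixpath


def contained_path(base_dir, user_path):
    """Resolve user_path under base_dir and return the normalized absolute
    path, or raise ValueError if the result would fall outside base_dir.

    The check is lexical (it reasons about the path string only), which is
    the right first gate for request handling. On a real filesystem the
    caller should additionally resolve symlinks with os.path.realpath before
    opening the file, since a symlink inside base_dir can still point out."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        # An absolute name would discard base_dir entirely in join().
        raise ValueError("absolute path not allowed: %r" % user_path)
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath() compares whole path components, so "/srv/docs2" is not
    # mistaken for a child of "/srv/docs" the way a startswith() check would.
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


def classify(base_dir, names):
    """Return {name: resolved path or 'blocked'} for a list of user names."""
    out = {}
    for name in names:
        try:
            out[name] = contained_path(base_dir, name)
        except ValueError:
            out[name] = "blocked"
    return out


if __name__ == "__main__":
    # Constructed sample inputs a reviewer would try against the check.
    samples = ["readme.txt", "sub/../notes.txt", "../secret.txt",
               "sub/../../secret.txt", "/etc/hosts", "../docs2/x.txt"]
    for name, result in classify("/srv/docs", samples).items():
        print("%-22s -> %s" % (name, result))
```

Note the last sample: `../docs2/x.txt` normalizes to `/srv/docs2/x.txt`, which a naive `startswith("/srv/docs")` test would accept even though it is a sibling directory, not a child. Comparing path components, as `commonpath` does, closes that gap.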

Improper Access Control (Authorization) is listed as the number one risk in the category "Porous Defenses," followed by Reliance on Untrusted Inputs in a Security Decision and Missing Encryption of Sensitive Data.

The Top 25 list is updated regularly and posted on both the SANS and MITRE sites. MITRE maintains the CWE (Common Weakness Enumeration) web site, while SANS maintains a series of secure-coding skills assessments in three languages, along with certification exams that let programmers identify gaps in their secure coding knowledge and let buyers verify that outsourced programmers have sufficient secure programming skills.

The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
