SANS Institute, MITRE release new top 25 dangerous coding errors list

Robert Westervelt, News Director

The SANS Institute released an updated version of its Top 25 Most Dangerous Programming Errors list this week, shedding light on common coding errors attackers use to gain access to sensitive data and wreak havoc on corporate networks.

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list includes many of the same errors identified in 2009, but the organizers added a new set of profiles to help project managers uniquely tailor the list to their needs, and also added mitigation techniques that could help software developers, designers and project managers adopt better practices and apply them to different parts of the software development lifecycle.

The list includes a variety of errors, from improper input validation to the use of a broken or risky cryptographic algorithm, which could be used by attackers to gain access to sensitive data. Cross-site scripting (XSS) topped the list, followed by the errors behind SQL injection attacks and the programming mistakes that lead to buffer overflow conditions.

Experts who helped develop the list said it sheds light on the growing need for better software development practices in order to defend against the rise in attacks against websites and Web-based applications. Attackers are turning to automated tools, making it easier to seek out and exploit vulnerabilities. The list is being jointly managed by the SANS Institute and the MITRE Corp., which maintains the Common Weakness Enumeration, a formal list of software weaknesses.

Alan Paller, director of research at the SANS Institute, said the list could be used as a standard for contract language between custom software buyers and developers. If businesses use the coding errors when putting together the contract language, it may help ensure buyers are not held liable for software containing faulty code, he said.

The list was first used in the procurement process last year when officials in New York released a draft version of a procurement contract using the programming errors list. William Pelgrin, director of the New York state Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) and principal editor of the consensus procurement standards for secure code, drafted the new language. He said the language could help provide assistance with both in-house software development and hiring an external development team. The SANS Institute posted the draft of the procurement contract language. Paller said if used properly it could substantially reduce the risk of purchasing shoddy code and eliminate the problem of having to pay a fortune to repair coding errors.

"There is now a way that [enterprises] can begin to make the suppliers of that software accountable for problems," Paller said. "We see it as directly addressing the financial problem on fixing the [coding errors] and we see it as partially helping get rid of the errors in the first place."

The new version introduces focused profiles that allow developers and other users to select parts of the list that are most relevant to their concerns. A set of nine different profiles breaks down the coding errors, listing certain weaknesses typically fixed in design and implementation, errors that can be emphasized when training new programmers, and common holes that can be detected using automated versus manual code analysis.

The new list also provides a set of what researchers have identified as effective "monster mitigations": techniques that help developers reduce or eliminate entire groups of weaknesses when applied to different areas of the software development lifecycle. The mitigations are organized by target audience -- programmers, designers and project managers -- providing a blueprint for getting started with process improvements.

"These things we hope will help people really get into the top 25 and apply it quickly and directly to the challenges they have," said software security expert Bob Martin, principal engineer at MITRE Corp.

While the list identifies common errors that are not well understood by programmers, experts say enterprises have a long way to go in improving the internal workings of their software development practices before any true progress can be made. Error lists help focus awareness on software coding flaws and issues, but better training and a shift toward quality software over speed and cost cutting may be the bigger problem to solve.

Secure coding expert Caleb Sima, CEO of Santa Clara, Calif.-based Armorize Technologies Inc., a Web application security vendor, said the lists are a helpful educational tool and help people understand the kind of errors that need to be identified and repaired. Sima, the former co-founder and chief technology officer of SPI Dynamics Inc., which was acquired by HP Software Inc. in August 2007, said secure software coding can be tricky when developers are under pressure to complete a project and move on to coding issues in other applications.

"When you take that list into a real world environment I think you start running into some different issues," Sima said. "Applying the full list is overload and it becomes complicated. It isn't a reasonable amount of work for an organization."

Sima said enterprises could better apply the coding error lists by identifying specific problems that can be reasonably addressed by software developers. Coding practices would be improved if only five reasonable issues were identified that are unique to the organization and can be fed into a code analysis tool, he said.

Security expert Gary McGraw, an outspoken opponent of vulnerability lists, said that while they help software developers think more about attackers and the vulnerabilities they go after, they do little to improve software coding itself.

"There is much more to building secure software than hunting down 25 bugs," said McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.