Security experts from 30 cybersecurity organisations hope that a new list they have created, outlining 25 common programming errors, will help increase secure software development and reduce the number of coding vulnerabilities that cybercriminals attack on a daily basis.
The CWE/SANS Top 25 Errors list includes the most common programming errors and ways programmers can avoid them. They include improper input validation and improper output encoding, SQL query structure problems, and errors that could cause data leakage and make software more vulnerable to attack.
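The three weakness classes the article names (improper input validation, SQL query structure problems, improper output encoding) are easier to recognise in code than in prose. The following is an added illustration, not code from the article or from MITRE or SANS: each class is shown in a weak form beside a hardened form, using an in-memory SQLite table whose rows are constructed sample data. The CWE identifiers in the comments are the standard entries for these classes; the function names and the table layout are this example's own.

```python
# Added example, not from the article or from MITRE/SANS: the three weakness
# classes the article names, each in a weak and a hardened form.
# The user table and its rows are constructed sample data.
import html
import re
import sqlite3


def make_db():
    """Build an in-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "<b>mallory</b>")],  # constructed data
    )
    return conn


# --- SQL query structure (CWE-89) -------------------------------------------
def lookup_vulnerable(conn, user_id):
    """Weak: the caller's text is spliced into the query, so it can alter
    the query's structure instead of only supplying a value."""
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, user_id):
    """Hardened: a bound parameter is always treated as a value; the query
    structure is fixed by the program, not by the input."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


# --- Improper input validation (CWE-20) -------------------------------------
_ID_PATTERN = re.compile(r"[0-9]{1,9}")


def is_valid_user_id(raw):
    """Allow-list check: a user id is a short run of decimal digits and
    nothing else. Anything that fails is rejected before it reaches the
    database layer."""
    return isinstance(raw, str) and _ID_PATTERN.fullmatch(raw) is not None


def validate_user_id(raw):
    """Return the id as an int, or raise if the input is not on the allow-list."""
    if not is_valid_user_id(raw):
        raise ValueError("user id must be 1-9 decimal digits")
    return int(raw)


# --- Improper output encoding (CWE-116) -------------------------------------
def render_vulnerable(name):
    """Weak: data from the database is placed in HTML unencoded, so markup
    stored in a name is interpreted by the browser."""
    return f"<p>Hello, {name}</p>"


def render_hardened(name):
    """Hardened: encode the value for the HTML context it is placed in."""
    return f"<p>Hello, {html.escape(name)}</p>"


# --- The three controls on one request path ---------------------------------
def greet_user(conn, raw_id):
    """Validate the input, query with a bound parameter, encode the output."""
    user_id = validate_user_id(raw_id)
    names = lookup_hardened(conn, user_id)
    if not names:
        return "<p>No such user</p>"
    return render_hardened(names[0])


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))   # structure changed: every row
    print(lookup_hardened(db, "1 OR 1=1"))     # treated as a value: no rows
    print(render_vulnerable("<b>mallory</b>"))  # markup passes through
    print(render_hardened("<b>mallory</b>"))    # markup is encoded
    print(greet_user(db, "3"))
```

The point worth taking from the side-by-side forms is that the hardened versions do not try to recognise bad input by its content: the parameterised query keeps input out of the query structure regardless of what it contains, the allow-list accepts only the shape the program expects, and the encoder is chosen by the output context rather than by what the data looks like.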
The list is maintained by the MITRE Corporation, which also maintains the Common Weakness Enumeration (CWE), a formal list of software weaknesses, and by the SANS Institute, a security training and certification organisation. The two organisations said the list was written to give programmers a way to measure the security of the software they write and to help colleges teach secure coding more effectively. It was also written so that non-experts have a list to refer to when buying software or hiring a software development team.
Konrad Vesey of the information assurance directorate at the US National Security Agency said in a statement that the list shifts the focus of software security awareness from the system administrator to the software engineer.
"When consumers see that most vulnerabilities are caused by a mere twenty-five weaknesses, a new standard for due diligence in product development is likely to emerge," Vesey said. "The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."
Security experts involved in developing the list said it wasn't easy determining which programming errors would make the list. While some said the list may not have a major impact on secure coding, many called it a good start in raising awareness about secure software coding.
"It's not going to be a revolutionary change but I think it's useful," said Jeff Williams, CEO of Aspect Security and chairman of the Open Web Application Security Project (OWASP) Foundation, which maintains a list of Top 10 Web application errors. "Bringing the power of SANS and Mitre together to market this thing and raise some awareness is really good for the community."
Williams said the list has a lot of overlap with the OWASP Top Ten. He said developing a top 25 list from the more than 600 vulnerabilities described in the Common Weakness Enumeration was extremely difficult. It's hard to develop something actionable for developers while also driving organisations to make good decisions, he said.
"Certainly developers could look at this and get input on what they ought to be doing when they are writing their code," he said.
Software security expert Chris Wysopal said he contributed to the list by looking at the different security issues his company finds prevalent in the code it reviews for customers.
"They are mistakes that we see in most applications, which shows that the development community as a whole needs to be educated," Wysopal said in an email exchange. "In other words it isn't just a few junior developers making the errors. The full CWE is over 600 types of programming problems and that is just too big a list for developers and testers to get their heads around."
The CWE/SANS Top 25 Errors list is organised into three categories: insecure interaction between components, risky resource management, and porous defences. Each entry will also link to the full CWE entry data and carry data fields for weakness prevalence and consequences, and for the attack frequency against each vulnerability. The list will also reference the remediation cost and the ease of detection.
