Contracting for Secure Code
Chris Wysopal, 2009-03-06

Story continued from Page 1

If you are purchasing code, but don’t have an internal software security process — as is the case for the majority of businesses — you need to follow an industry consensus of what the definition of minimum due care is for software sellers. With the recent release of the CWE/SANS list of Top 25 Most Dangerous Programming Errors, every company now has a place to start.

The CWE/SANS Top 25 was created by a group of individuals from over 30 organizations from government, academia, and industry. (Disclosure: I was one of the contributors.) It is not a list of attacks, but a list of root causes, the programming errors, that lead to successful attacks. If you eliminate the root causes, you eliminate the vulnerabilities. The programming errors were selected based on prevalence and severity. These are the programming errors that end up causing the vast majority of application security breaches.

One attribute I like about the CWE/SANS Top 25 is that there was so much agreement across a wide group of contributors on what should be on the list. The second attribute I like about the list is that it is short.

Software security experts are sometimes their own worst enemy. We revel in the details and complication of coding errors. It sometimes seems as if there are hundreds of different ways a vulnerability can arise in code, and indeed the Common Weakness Enumeration (CWE) has cataloged over 600 classes of programming errors. If you look at the prevalence of what ends up being the root cause of vulnerabilities reported in real-world software, you will see that every class beyond the top 25 is exceedingly rare. The 26th most prevalent problem is CRLF Injection, and it was reported in 0.2 percent of cases, or in eight out of 4855 total vulnerabilities, in 2008.

The 25 most prevalent entries in CVE — not exactly the same as the CWE/SANS Top 25 — make up over 70 percent of the reported vulnerabilities. By focusing on these 25 classes, roughly 4 percent of the cataloged weaknesses, we are using the 80/20 rule to bound the problem to the most important part, the part you can solve in a reasonable amount of time. The CWE/SANS Top 25 takes a long and complex list of errors that a programmer could make and makes prevention tractable.

With the CWE/SANS Top 25, software purchasers can force third-party contract coders to avoid a reasonable list of programming errors. One organization, New York State, has drafted Application Security Procurement Language to "make code writers responsible for checking the code and for fixing security flaws before software is delivered." I expect more organizations will follow suit, as progress is made in codifying accountability and the processes needed to enforce contract terms.

This is the best way forward. If purchasers don't hold sellers accountable, we will never solve the software security problem.



Chris Wysopal is co-founder and CTO of Veracode, a provider of on-demand software security testing services. Chris co-authored the password auditing tool L0phtCrack and was a researcher at the security think tank, L0pht Heavy Industries. He has held key roles at @stake and Symantec and is the author of The Art of Software Security Testing: Identifying Security Flaws.
Copyright 2010, SecurityFocus