SecurityFocus, 2009-01-13
Software makers, security vendors, and government agencies teamed up on Monday to publish a list of the 25 most severe software weaknesses, and they intend to use a range of levers, including contract language that requires suppliers to avoid the errors, to get developers to stop making them.
The brainchild of Alan Paller, director of research at the SANS Institute, and Steve Christey and Bob Martin, both of the MITRE Corp., the Top 25 Most Dangerous Programming Errors includes issues well known in the security community, such as improper input validation and failure to preserve SQL query structure, but which are rarely taught to developers. While SANS has released lists of top vulnerabilities in the past, this is the first time that the training organization has teamed up to release a list of bad programming practices that lead to vulnerabilities, Paller said.
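The second error named above, failure to preserve SQL query structure (CWE-89 in MITRE's Common Weakness Enumeration), is easiest to understand by seeing the two query styles side by side. The following is an added example, not code from the article or from SANS/MITRE; the `users` table, its rows, and the function names are constructed for illustration. It runs against an in-memory SQLite database so it works offline.

```python
"""Added example (not part of the SecurityFocus article): CWE-89, listed in
the Top 25 as "failure to preserve SQL query structure", shown against an
in-memory SQLite database populated with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the schema and rows are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is spliced into the SQL text, so whatever the caller
    # supplies becomes part of the query's structure: quotes, OR clauses, comments.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The query structure is fixed at the time the statement is written; the
    # driver binds the value separately and never interprets it as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(len(lookup_vulnerable(conn, "alice")))       # 1 row, as intended
    print(len(lookup_vulnerable(conn, INJECTION)))     # 3 rows: the WHERE clause was rewritten
    print(len(lookup_parameterized(conn, INJECTION)))  # 0 rows: the payload is compared literally
```

The point the list makes is that the defect is a structural one, not a matter of escaping a few characters: the parameterized form stays correct for any input, including a legitimate name containing an apostrophe, which the string-formatted form would turn into a syntax error or worse.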
"The real problem with the Top 20 is that it failed," Paller said on a conference call on Monday. "The number of the new vulnerabilities was so great, that your ability to get your arms around the question was too hard."
The latest list takes a step down the development ladder and tries to head off security problems where they originate — at the design and programming stages, he said.
"This is not about vulnerabilities but the programming errors that lead to the vulnerabilities," Paller said.
Along with the list, the SANS Institute and MITRE announced pledges of support from Microsoft, Symantec, McAfee, EMC, the Department of Homeland Security, the National Security Agency, the Department of Energy, the University of California at Davis, Purdue University and others. Symantec is the owner of SecurityFocus.
The latest initiative to reduce software vulnerabilities comes as the U.S. government has quickly increased its focus on cybersecurity. While years of poor grades under the Federal Information Security Management Act (FISMA) have done little to improve information-technology security within federal agencies, major attacks on government networks and the resultant congressional hearings have lent momentum to efforts to lock down computers. The Bush Administration launched the Federal Desktop Core Configuration program and the Trusted Internet Connection initiative in 2007, and last year, the president signed the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 creating the Comprehensive National Cybersecurity Initiative (CNCI).
The incoming Obama Administration appears ready to keep the focus on improving network security. While the administration's transition team has not signaled its policy, some members of the team are closely connected to a report released in December, calling for a White House office in charge of coordinating cybersecurity policy. In addition, the President-elect has first-hand experience with suffering a cyber attack: Both the Obama and McCain campaigns suffered network intrusions last summer.
The Top-25 list — formally known as the Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors — should act as a roadmap for universities pondering what they should teach their graduating computer-science students and for software-testing firms interested in catching the most serious bugs, said Chris Wysopal, chief scientist of software-testing firm Veracode.
"Finally, we have a consensus definition of the programming errors that are so prevalent and dangerous that no software should be delivered to the customer with these weaknesses," Wysopal said.
The list of errors is broken into three sections: nine errors classified as Insecure Interaction Between Components, another nine grouped together as Risky Resource Management issues, and seven flaws labeled Porous Defenses.
"The list turned out to be (driven by) a combination of how frequent these weaknesses crop up in code and how significant the damage is," said MITRE's Martin during the Monday conference call.