25 Reasons For Better Programming
by James Figueroa
The Common Weakness Enumeration project, a massive online dictionary of everything that could go wrong when programmers code software, took nearly a decade to compile from its beginnings as a basic list of common vulnerabilities and exposures developed by Mitre, a US government-sponsored research corporation. It's also the source of the "Top 25 Most Dangerous Programming Errors," a report culled from more than 700 entries in roughly three months, put together quickly with the help of more than 30 security experts from companies such as Microsoft and Symantec.
The result, a list released last week, includes some of the most common and easily exploited programming mistakes plaguing the software world, including pesky errors that crop up repeatedly, such as weak memory buffers. The SANS Institute, which spearheaded the Top 25 project, called it an important step for defining software security by focusing on the sources of vulnerabilities instead of the resulting bugs.
"There appears to be broad agreement on the programming errors," said SANS director Mason Brown. "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."
According to SANS, most of the mistakes on the list are easy to prevent and should be on every programmer's mind. The top two—improper input validation and improper output encoding errors—resulted in more than 1.5 million Web site breaches in 2008. The organization envisions using the list as an educational and quality control tool, providing a single resource for budding programmers to learn what to avoid and the basis for a certification process for software vendors.
Not everyone is convinced that the list contains all the answers to faulty software, however. Alexander Wolfe, editor-in-chief of Information Week, blogged that the PC industry's boom led to haphazard development models that broke down traditional waterfall processes. "That waterfall model was replaced by a process (and I use that word loosely) where the modus operandi was to cram in as many features as possible before the shipping cut-off date, and then fix the problems in beta," Wolfe wrote.
Even Wolfe acknowledged, however, that the Top 25 list is an important step for security, a statement echoed by many of the participants who helped craft the document. "Let's use this list as a way to jumpstart the solutions—make 2009 a year to make things happen and solve these problems that have been around way too long," said Ryan Long, co-founder of Ounce Labs.
In an effort to make it as easy to understand as possible, the list's creators separated it into three categories—"Insecure Interaction Between Components," "Risky Resource Management," and "Porous Defenses." The entries also include a discussion that often compares coding mistakes to real-world situations, giving programmers another perspective to understand what can go wrong. For example, one frequently exploited mistake, improper access control, was compared to hosting a house party where one of the guests wanders off, looks through the medicine cabinet, and rummages through the host's nightstand. The discussion adds ways to prevent those attacks, from design to configuration.
Creating the list did involve some shuffling as participants decided what belonged in the Top 25. Late in the project, randomness was placed on the list in place of unchecked return value, a mistake that often has no effect on code execution.