NEWS


Computing Now Exclusive Content — January 2009

25 Reasons For Better Programming

by James Figueroa

The Common Weakness Enumeration (CWE) project, a large online dictionary of the ways software can go wrong as it is written, took nearly a decade to build from its origins in the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE, a not-for-profit research corporation funded by the US government. It is also the source of the "Top 25 Most Dangerous Programming Errors," a report distilled from more than 700 CWE entries in roughly three months with the help of more than 30 security experts from organizations including Microsoft and Symantec.

The result, released last week, lists some of the most common and most easily exploited programming mistakes in the software world, among them errors that resurface year after year, such as failing to keep operations within the bounds of a memory buffer. The SANS Institute, which spearheaded the Top 25 project, called it an important step toward defining software security because it concentrates on the programming errors that give rise to vulnerabilities rather than on the individual bugs that result from them.

"There appears to be broad agreement on the programming errors," said SANS director Mason Brown. "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."

According to SANS, most of the mistakes on the list are easy to prevent and should be on every programmer's mind. The top two, improper input validation and improper encoding or escaping of output, by SANS's count accounted for more than 1.5 million Web site breaches in 2008. The organization envisions using the list as an educational and quality-control tool: a single resource from which new programmers learn what to avoid, and the basis of a certification process for software vendors.
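The two errors at the top of the list are easiest to see side by side. The following is an added example, not code from the article or from the CWE/SANS project: a small HTML greeting handler that first commits both mistakes (improper input validation, CWE-20, and improper output encoding, CWE-116) and then fixes them. The username allow-list, the sample inputs and the `has_live_script` check are constructed for the demonstration.

```python
"""Added example (not from the article or from the CWE/SANS project): the two
errors at the top of the 2009 list, improper input validation (CWE-20) and
improper output encoding or escaping (CWE-116), in a small HTML greeting
handler. All inputs below are constructed for the demonstration."""
import html
import re

# Constructed sample inputs: a benign username and a classic reflected-XSS probe.
BENIGN = "alice"
PAYLOAD = "<script>alert(1)</script>"

# Allow-list for a username field: letters, digits, dot, dash, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def render_unsafe(name: str) -> str:
    """CWE-20 and CWE-116 together: the value is neither validated nor encoded,
    so whatever the client sent becomes live markup in the response."""
    return f"<p>Hello, {name}!</p>"


def is_valid_username(name: str) -> bool:
    """Validation by allow-list (CWE-20 fix): accept only the characters the
    field is defined to hold, rather than trying to strip 'bad' ones."""
    return USERNAME_RE.fullmatch(name) is not None


def render_safe(name: str) -> str:
    """Validate at the trust boundary, then encode for the output context
    (CWE-116 fix). html.escape is right for the HTML body; an attribute,
    URL or JavaScript context would need its own encoder."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_safe_or_error(name: str) -> str:
    """Encoding applies to the rejected value too: echoing it back unencoded in
    the error page would reintroduce the injection."""
    try:
        return render_safe(name)
    except ValueError:
        return f"<p>Invalid name: {html.escape(name, quote=True)}</p>"


def has_live_script(rendered: str) -> bool:
    """Crude check for the demo: is a <script> tag still present as markup?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))         # <p>Hello, <script>alert(1)</script>!</p>
    print(render_safe_or_error(PAYLOAD))  # <p>Invalid name: &lt;script&gt;alert(1)&lt;/script&gt;</p>
    print(render_safe(BENIGN))            # <p>Hello, alice!</p>
```

The list treats the two as separate errors for a reason: validation decides whether a value is acceptable to the application, and encoding makes whatever is rendered inert in its output context. An allow-list that admitted an apostrophe (for a name such as O'Brien) would still pass a quote character through, so the encoding step is what actually stops the payload above, and it must be repeated wherever the value is written out, including the error page.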

Not everyone is convinced that the list holds all the answers to faulty software, however. Alexander Wolfe, editor-in-chief of InformationWeek, blogged that the PC industry's boom led to haphazard development models that broke down the traditional waterfall process. "That waterfall model was replaced by a process (and I use that word loosely) where the modus operandi was to cram in as many features as possible before the shipping cut-off date, and then fix the problems in beta," Wolfe wrote.

Even Wolfe acknowledged, however, that the Top 25 list is an important step for security, a view echoed by many of the participants who helped craft the document. "Let's use this list as a way to jumpstart the solutions—make 2009 a year to make things happen and solve these problems that have been around way too long," said Ryan Berg, co-founder of Ounce Labs.

In an effort to make the list as easy to understand as possible, its creators divided it into three categories: "Insecure Interaction Between Components," "Risky Resource Management," and "Porous Defenses." Each entry also carries a discussion that often compares the coding mistake to an everyday situation, giving programmers another way to see what can go wrong. Improper access control, one frequently exploited mistake, is likened to a house party at which a guest wanders off, looks through the medicine cabinet, and rummages through the host's nightstand: being let in the front door was never meant to grant the run of every room. The discussion then lays out ways to prevent the attack, from design through configuration.
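The party analogy maps directly onto code. The following is an added example, not code from the article or the CWE/SANS list: a record lookup that treats being logged in (the guest is inside the house) as permission to read any record (open any drawer), beside a version that checks ownership and denies by default. The users, record ids and record contents are constructed for the demonstration.

```python
"""Added example (not from the article or the CWE/SANS list): improper access
control (CWE-285) as the party analogy describes it. Being let in the front
door (authentication) is not permission to open every drawer (authorization).
Users and records are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


# Constructed sample data: records belonging to different users, keyed by a
# guessable integer id, as in a typical /record?id=101 URL.
RECORDS = {
    101: {"owner": "alice", "body": "alice's medical notes"},
    102: {"owner": "bob", "body": "bob's tax return"},
}


def get_record_unsafe(user: User, record_id: int) -> Optional[dict]:
    """CWE-285: the handler knows a user is logged in (the caller passed one)
    and then serves whatever record id the client supplies."""
    return RECORDS.get(record_id)


def can_read(user: User, record_id: int) -> bool:
    """Deny by default: a record is readable only by its owner or an admin.
    Missing and forbidden records answer the same way, so the check does not
    reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    return user.is_admin or record["owner"] == user.name


def get_record_safe(user: User, record_id: int) -> dict:
    """Authorization enforced at the point of access, not left to the UI."""
    if not can_read(user, record_id):
        raise PermissionError(f"{user.name} may not read record {record_id}")
    return RECORDS[record_id]


if __name__ == "__main__":
    bob = User("bob")
    print(get_record_unsafe(bob, 101)["body"])  # alice's medical notes: the nightstand is open
    print(get_record_safe(bob, 102)["body"])    # bob's tax return
    try:
        get_record_safe(bob, 101)
    except PermissionError as err:
        print(err)                              # bob may not read record 101
```

The check lives next to the data access rather than in whatever menu or link the user happened to click, which is the "design" end of the prevention advice the list gives; hiding the link alone is exactly the client-side enforcement the list warns about elsewhere.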

Deciding what belonged in the Top 25 involved some shuffling. Late in the project, use of insufficiently random values was added to the list in place of unchecked return value, on the grounds that an unchecked return value by itself often has no effect on how the code executes.
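The late addition is worth seeing concretely. The following is an added example, not code from the article or the CWE/SANS list, showing insufficient randomness in its most common form: a session token drawn from a statistical PRNG seeded with the clock, which an attacker who knows roughly when the victim logged in can recover by enumerating seeds. The timestamps and the one-hour window are constructed for the demonstration.

```python
"""Added example (not from the article or the CWE/SANS list): use of
insufficiently random values (CWE-330), the entry the article says was added
late, shown as a session token drawn from a PRNG seeded with the clock and
recovered by brute-forcing the seed. Timestamps and the window size are
constructed for the demonstration."""
import random
import secrets
from typing import List

TOKEN_BYTES = 16  # 128 bits on paper


def weak_token(issued_at: int) -> str:
    """CWE-330: random.Random is a statistical PRNG (Mersenne Twister), and
    seeding it with the issue time in whole seconds leaves only as many
    distinct tokens as there are plausible seconds."""
    rng = random.Random(issued_at)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """The fix: draw from the operating system's CSPRNG via the secrets module."""
    return secrets.token_hex(TOKEN_BYTES)


def candidate_tokens(approx_time: int, window: int) -> List[str]:
    """Attacker's view: if the victim logged in within `window` seconds of
    approx_time, the victim's token is one of these 2*window+1 strings."""
    return [weak_token(t) for t in range(approx_time - window, approx_time + window + 1)]


def weak_token_guessable(issued_at: int, approx_time: int, window: int) -> bool:
    """Does the attacker's candidate list contain the victim's token?"""
    return weak_token(issued_at) in candidate_tokens(approx_time, window)


if __name__ == "__main__":
    victim_login = 1_231_200_000          # constructed: a login time in January 2009
    attacker_guess = victim_login + 412   # attacker knows the login to within about an hour
    print(weak_token_guessable(victim_login, attacker_guess, 3600))  # True: 7201 guesses suffice
    print(strong_token() == strong_token())                           # False
```

The token looks like 128 bits of entropy but carries about 13 (one hour of seconds), and an attacker with 7201 candidate cookies can try them all against the site. Removing the clock seed does not help much: Mersenne Twister's state can be reconstructed from 624 consecutive 32-bit outputs, so anything a user must not predict has to come from a cryptographic generator such as `secrets` or `os.urandom`.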


