(January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these programming errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.
The impact of these programming errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.
People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University.
MITRE and the SANS Institute managed the Top 25 Programming Errors initiative, but the impetus for this project came from the National Security Agency, and financial support for MITRE's project engineers came from the US Department of Homeland Security's National Cyber Security Division. The Information Assurance Division at NSA and the National Cybersecurity Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.
What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion.
"There appears to be broad agreement on the programming errors," says SANS Director Mason Brown. "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 programming errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."
The Office of the Director of National Intelligence expressed its support saying,
"We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations. The Top 25 programming errors initiative is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."
Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers, that create the vulnerabilities. As important, the Top 25 Programming Errors web site provides detailed and authoritative information on mitigation.
"Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens," said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).
Please note that the proposed procurement guidelines incorporate, in part, language drawn from the OWASP Secure Software Contract Annex.
Robert Martin, CWE Project Leader at MITRE, heralded the effort of these contributors by saying, "It is gratifying to see the amount of collaboration and energy that all these serious, security-savvy people invested in making this list as accurate and authoritative as it can be. Very impressive!"
The Top 25 Programming Errors will have four major impacts:
Buyers will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors. Certification shifts responsibility to the vendor for correcting the errors and for any damage caused by those programming errors. The standard procurement language under development by the State of New York and other state governments already is being adjusted to use the Top 25 Programming Errors. Over time the multi-national Common Criteria program may also adopt the Top 25 as one approach for ensuring code purchased by the US government is free of the Top 25 errors.
Software testing tools will use the Top 25 in their evaluations and provide scores for the level of secure coding in software being tested. In parallel with this announcement, on January 12, one of the leading software testing vendors is announcing that its software will be able to test for and report on the presence of a large fraction of the Top 25 Programming Errors. Application development teams will use such testing software during the development process.
Colleges and others who prepare programmers will use the Top 25 Programming Errors as a foundation for curriculum that ensures their students know how to avoid the critical programming errors. One of the colleges that participated in developing the Top 25, UC Davis, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities. The Top 25 enables the clinic to prioritize errors in its review. Other colleges are beginning to emulate the secure coding clinics.
Employers will use the Top 25 Programming Errors list as a guide for evaluating and improving the skills of programmers they hire and of outsourced programming talent. More than 100 large employers are already using a common assessment tool called the GSSP (GIAC Secure Software Programmer) to measure secure coding skills. The GSSP exams are being reviewed in an effort to fully incorporate and highlight mastery of the programming knowledge needed to find and eliminate or avoid the Top 25 Programming Errors. Organizations with at least 500 programmers may have up to 100 of those programmers' secure coding skills assessed confidentially and at no cost. More data on the GSSP may be found at The SANS Software Security Institute. Email firstname.lastname@example.org to get that started.
Courses are available that teach secure coding skills to programmers in C/C++, in Java, and in .NET languages. Get more information at The SANS Software Security Institute Courses Page.
We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.
Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following:
Each entry at the Top 25 Programming Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...MORE >>
Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...MORE >>
If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>
When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>
If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...MORE >>
With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>
Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>
If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>
Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>
There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...MORE >>
When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could...MORE >>
If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time...MORE >>
For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when...MORE >>
You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>
When your precious system resources have reached their end-of-life, you need to...MORE >>
Just as you should start your day with a healthy breakfast, proper initialization helps to ensure...MORE >>
When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to...MORE >>
If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>
You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>
Hard-coding a secret account and password into your software's authentication module is...MORE >>
If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>
If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank...MORE >>
Spider-Man, the well-known comic superhero, lives by the motto "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky...MORE >>
Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls...MORE >>
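The first four listings above (input validation, output encoding, SQL injection and cross-site scripting) are often conflated, yet each control sits at a different point in the data path. The following is an added example, not part of the original announcement or of the CWE material it links to; it uses Python's standard sqlite3 and html modules and constructed sample rows to show a concatenated query beside its parameterized form, with validation on the way in and HTML encoding on the way out.

```python
import html
import re
import sqlite3

# Constructed sample data for the demonstration; not from the announcement.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Input validation: only accept the shape a username is expected to have.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def validate_username(name):
    """Reject input that does not conform to expectations (first listing)."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username does not match the expected pattern")
    return name


def lookup_concatenated(conn, name):
    """Weak form: untrusted text is spliced into the query string, so the
    input can change what the query means (third listing)."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the value separately from the SQL,
    so the input is always treated as data, never as query text."""
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Output encoding for the HTML context (second and fourth listings):
    escape at the point of output, independent of any earlier validation."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Validation narrows what is accepted, parameterization keeps data out of the SQL grammar, and encoding is applied for the specific output context; none of the three substitutes for the others.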
MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site
SANS maintains a series of assessments of secure coding skills in three languages, along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allow buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
Email email@example.com for details. And see The SANS Software Security Institute Certification Page for the GSSP Blueprints.
SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
SAFECode Best Practices PDF
SAFECode Development Practices PDF
Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at:
SANS What Works in Internet Security.
New York State has produced draft procurement standards to allow companies to buy software with security baked in.
If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.
Draft New York State procurement language will be posted at SANS Application Security Contract.