The Register® — Biting the hand that feeds IT


Experts trumpet '25 most dangerous' programming errors

And tips to avoid them


Computer experts from more than 30 organizations worldwide have released a consensus list of the 25 most dangerous programming errors that lead to security breaches.

The list, which was spearheaded by the National Security Agency, is the first time a broad cross-section of the world's computer scientists have reached formal agreement on the most common programming pitfalls.

Few programming classes teach students how to avoid the mistakes, and organizations that develop software for sale generally don't screen their products for them. Instead, security literature and programs generally focus on the vulnerabilities that result from such mistakes rather than on the mistakes themselves. By contrast, the consensus list concentrates on the programming errors that cause such vulnerabilities and offers concrete measures developers can take to avoid them.

"Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens," said Paul Kurtz, executive director of a group called the Software Assurance Forum for Excellence in Code.

The list could one day shift the responsibility of developing secure code to software companies by allowing buyers to get signed assurances that the products are free of the 25 errors, at least according to a press release announcing the list. (We find it hard to imagine Microsoft, Symantec, Oracle and any of the other software companies represented in the group agreeing to go along with such a plan, but there you go.)

New York state is already using the list to adjust contract language with software vendors, according to the press release.

More realistically, the list might help improve the quality of programming classes and training programs by creating consensus about what the most common mistakes are and what developers can do to prevent them.

The list is broken into three categories labeled insecure interaction between components (nine errors), risky resource management (also nine) and porous defenses (seven). Mistakes include improper input validation, external control of critical state data and improper access control. Just two of the mistakes led to more than 1.5m website breaches last year, according to the SANS Institute. ®
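To make two of the named error classes concrete, here is an added illustration (not code from the article, SANS or MITRE) of external control of critical state data and improper input validation in a toy checkout handler. The catalogue, the request dictionaries and the prices are constructed for the example; the vulnerable version trusts a price the client sends back, the hardened version keeps the price server-side and validates the fields the client is allowed to choose.

```python
# Added example, not from the article or the Top 25 authors. Models two listed
# error classes: external control of critical state data and improper input
# validation. CATALOGUE and all request dicts are constructed sample data.

CATALOGUE = {"widget": 1999, "gadget": 4999}   # prices in cents, server-side truth


def checkout_vulnerable(request: dict) -> int:
    """Vulnerable: trusts a price the client sent back (e.g. a hidden form field).

    The price is critical state the server chose, yet it is re-read from the
    request, so a tampered form buys a gadget for one cent. The quantity is not
    validated either, so a negative quantity yields a negative total (a refund).
    """
    price = int(request["price"])
    qty = int(request["qty"])
    return price * qty


def checkout_hardened(request: dict) -> int:
    """Hardened: keeps critical state server-side, validates client choices.

    Only the item id and quantity are client-controlled; both are checked
    against an allow-list / bounds before use, and the price is looked up.
    """
    item = request.get("item")
    if item not in CATALOGUE:                       # allow-list, not blocklist
        raise ValueError("unknown item")
    raw_qty = request.get("qty", "")
    if not (isinstance(raw_qty, str) and raw_qty.isdigit()):
        raise ValueError("quantity must be a positive integer")
    qty = int(raw_qty)
    if not 1 <= qty <= 100:                         # reject 0 and absurd sizes
        raise ValueError("quantity out of range")
    # Any client-supplied "price" field is simply ignored.
    return CATALOGUE[item] * qty


if __name__ == "__main__":
    tampered = {"item": "gadget", "qty": "3", "price": "1"}   # constructed request
    print("vulnerable total:", checkout_vulnerable(tampered))  # 3 cents
    print("hardened total:", checkout_hardened(tampered))      # 14997 cents
```

The point of the pairing is that the fix is not a blocklist on the price field: the server never accepts the field at all, and the remaining client input is validated by type and range before it reaches arithmetic.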


Latest Comments
Anonymous Coward

@ Torben Mogensen

Hi Torben,

I took a C/C++ programming course 10 years ago and we learned all that back then. Maybe my instructor was ahead of his time (or just knew what he was doing), or maybe too many programmers/project managers don't know or, worse, don't care?

I don't know the answer, but I don't think you can blame the language. If a project is so pushed for time that there is not enough time to do it correctly using a language that requires a little care, then perhaps the project has been improperly scheduled?


@alain williams

How about the firmware that makes a disk drive spin? That is megabytes of embedded firmware. ZERO dynamic memory allocation! For some portions of that firmware they go so far as to hand-allocate the memory locations. This byte here, that word there. And the really critical code is handcrafted assembly. Interrupt handling has to be absolute and deterministic.


I blame the likes of RAM and FLASH memory and Von Neumann architectures

It's all the fault of running code from RAM and FLASH and Von Neumann architectures

If you have a true Harvard machine then there is no such thing as code injection from data space. There is code memory and data memory. You cannot execute from data memory. Simple as that. And there is also I/O space. And only code can go to I/O space.

Then there are the memories: when processors only had ROM (mask ROM or antifuse ROM or OTP) to run from, there were far fewer errors. First of all, the code could not be overwritten by something malicious. The ROM was masked during fabrication and that was it. Second point: quality control was much better. The attitude now is, oh well, we'll fix it in the next release. If you have to shell out for a new mask set you will think at least 500000000 times about each and every instruction you put down.

What's my point? Why does nobody make an OS that can boot from write-protected flash? You install on a clean machine. Load the OS core and drivers that you need. Once this install is done: power down, flip the WP switch and restart. If your machine catches a bug: hit the reset button. Bye bye virus, spyware or whatever. I don't care. This could easily be done. Make a split registry and program files directory. The stuff that is critical sits in the WP block. The visible file system is a logical OR between the flash and hard disk, with the flash having priority. So if a nasty throws a couple of DLLs in virtual 'c:\windows\system', let it! Who cares. Those files end up on the hard disk. During boot the OS does not load anything from HDD. The files on the flash have priority. If a duplicate file is found between flash and HDD you get a message after boot that file so-and-so is in location so-and-so and a duplicate exists in flash. Cleanup? Yes/no?

Given that an OS + apps is small, a couple of gigabytes, and flash costs pennies: what are we waiting for? I would immediately buy such a machine. Primary volume: 8, 16 or 32 GB flash drive with mechanical WP (a switch); data volume: standard hard disk.

The only pain: when you need to install or do an upgrade you need to power down, flick a switch and then do that again. Advantage: you always boot from a known good system. If an update is in order: download file, power down, flick switch, launch system (now in known good state), deploy update, power down, flick switch to safe, power up. Done. But then again, how many times a year do you install new software? And when installing software you can give the option: to safe zone or to hard disk. (Remember the visible file system is a logical OR between flash and HDD (not at bit level of course, but at file/directory level), with the files in flash having priority.) So you can install your game to hard disk, but some app that is more critical to flash, in which case the installation procedure requires you to do the switch toggling. I would make the switch toggle something like: you need to press this button while powering up. That way you force people to do the safe procedure.

It's so simple, I wonder why nobody has thought about this before. Especially these days when flash is $1 a gigabyte...

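Editor's added example, not the commenter's code: a small Python model of the file-resolution rule the comment above describes. The visible tree is the union of a write-protected layer and a writable layer, the protected layer wins on a name clash, writes land on the writable layer unless the WP switch is off, and a boot-time cleanup reports and drops the shadowed copies. The class name, method names and the layer contents are all constructed for the illustration.

```python
# Added model (editorial example, not the commenter's design code) of the
# "logical OR with flash priority" file view described in the comment above.
# LayeredFS, its method names and the sample layer contents are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LayeredFS:
    protected: dict[str, bytes]                                # "flash" layer
    writable: dict[str, bytes] = field(default_factory=dict)   # "hard disk" layer
    wp_switch: bool = True                                     # True = flash read-only

    def resolve(self, path: str) -> bytes:
        """Lookup at file level: the protected layer takes priority."""
        if path in self.protected:
            return self.protected[path]
        if path in self.writable:
            return self.writable[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: bytes, target: str = "disk") -> None:
        """Writes go to disk; writing to flash needs the WP switch flipped off."""
        if target == "flash":
            if self.wp_switch:
                raise PermissionError("flash is write-protected; flip the switch first")
            self.protected[path] = data
        elif target == "disk":
            self.writable[path] = data
        else:
            raise ValueError(target)

    def shadowed(self) -> list[str]:
        """Files present in both layers; the disk copy is never loaded at boot."""
        return sorted(p for p in self.writable if p in self.protected)

    def boot_cleanup(self) -> list[str]:
        """The 'reset button': drop disk copies that would shadow protected files."""
        dupes = self.shadowed()
        for p in dupes:
            del self.writable[p]
        return dupes


if __name__ == "__main__":
    fs = LayeredFS(protected={"windows/system/kernel32.dll": b"known good"})
    # A "nasty" drops a replacement DLL; it lands on the disk layer only.
    fs.write("windows/system/kernel32.dll", b"malicious")
    print(fs.resolve("windows/system/kernel32.dll"))   # b'known good'
    print("shadowed at boot:", fs.boot_cleanup())
```

Note what the model does and does not defend against: a protected-layer file cannot be overwritten while the switch is on, but anything the OS legitimately loads from the writable layer (user data, programs installed "to hard disk") remains as exposed as on an ordinary machine.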
