Introduction to the CWE/SANS Top 25

MITRE started the Common Vulnerabilities and Exposures (CVE) list to provide a standard identifier for a specific security vulnerability in a specific product. Once CVE was established, MITRE started the Common Weakness Enumeration (CWE), a structured catalog of the underlying weakness types (a missing bounds check, an unvalidated input, and so on) that allow vulnerabilities to exist. A CVE entry names one vulnerability; the CWE entries it maps to name the mistakes that caused it.

The Top 25 Most Dangerous Programming Errors comes from looking at CVE and CWE together and noticing which weaknesses were at the root of the worst vulnerabilities. The list was developed as a collaboration of the SANS Institute, MITRE, and many top software security experts in the US and Europe. Unfortunately, far too many vulnerabilities stem from these few mistakes. The goal of the list is to educate programmers on how to eliminate the most common and dangerous programming errors. This blog, while not endorsed by MITRE or SANS, aims to explain and describe each problem further, show what good and bad code look like, and discuss how to test for these problems.

In addition to the CWE/SANS Top 25, I will also be referencing the OWASP Top 10 web application security risks.

The Open Web Application Security Project (OWASP) is an organization devoted to improving the security of web applications and other computer systems. One part of what they do is to produce a list of the ten most critical security risks in web applications. This book uses the 2013 version of that list, the most recent one available at the time of writing. As you might expect, these risks tend to stem from the same mistakes that appear in the Top 25, and there is a large amount of overlap between the two lists.

The existence of these lists shows that schools have not been doing a sufficient job of teaching secure coding techniques and that developers are slow to learn from the mistakes of others. In fact, the Defense Information Systems Agency (DISA) has an Application Security and Development (ASD) Security Technical Implementation Guide (STIG) that applies to all Department of Defense (DoD) developed, architected, and administered applications and systems connected to DoD networks. One part of this standard says, “The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.” Reading this book and doing the exercises might count as some of your annual training. Or, slipping an ad in, Kenneth works with SkillBridge, a company that specializes in training developers in how to produce secure code. Feel free to contact them for more information.

Published by

Kenneth Ingham

Kenneth has been working with security since the early 1980s. He was a system administrator when the Morris Worm was released, and one of his work areas was helping secure the affected systems. Since then, Kenneth has studied network and computer security and spent many, many hours looking at how software fails. With that knowledge of failures, he can help you produce software that is less likely to suffer a security breach. Kenneth has a Ph.D. in Computer Science, and his research topic was computer security. Kenneth has helped developers building systems for financial services institutions and telecommunications companies, and for embedded systems and process control.
