Cyber Strategies for a World at War

OPEN SOURCE AGGREGATION & ANALYSIS

CWE/SANS TOP 25 Most Dangerous Programming Errors

Experts Announce Agreement on the 25 Most Dangerous Programming Errors – And How to Fix Them
Agreement Will Change How Organizations Buy Software.

By Bob Martin, MITRE (Project Manager)
Questions: top25@sans.org

(January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS’s National Cyber Security Division and NSA’s Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University. The MITRE and the SANS Institute managed the Top 25 Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE’s project engineers came from the US Department of Homeland Security’s National Cyber Security Division. The Information Assurance Division at NSA and National Cybersecurity Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion. “There appears to be broad agreement on the programming errors,” says SANS Director, Mason Brown, “Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”

The Office of the Director of National Intelligence expressed its support saying, “We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation’s critical infrastructure depend on commercial products for business operations. The Top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education.”

Until now, most guidance focused on the ‘vulnerabilities’ that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed and authoritative information on mitigation. “Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.” said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

What You Will Find In This Announcement:

  • Which People and Organizations Made Substantive Contributions to the Top 25 Errors List?
    Please note that the proposed procurement guidelines incorporates in part language utilizing the OWASP Secure Software Contract Annex.
    https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • How Will the Top 25 Errors Be Used?
  • How Important Are the Top 25 Errors?
  • What Errors Are Included in the Top 25?
  • Resources to Help Organizations Eliminate The Errors

Continue reading…

TAKE THE CSWW POLL LOCATED TO THE RIGHT OF THIS PAGE

Advertisements

Filed under: Business, cyber security, News, Training, , , , , , , , , , , , , , ,

Join the Discussion

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Reader Survey


ADVERTISEMENT

In May 2013, Glenn Greenwald set out for Hong Kong to meet an anonymous source who claimed to have astonishing evidence of pervasive government spying and insisted on communicating only through heavily encrypted channels. That source turned out to be the twenty-nine-year-old NSA contractor Edward Snowden, and his revelations about the agency's widespread, systemic overreach proved to be some of the most explosive and consequential news in recent history, triggering a fierce debate over national security and information privacy... [MORE]


ADVERTISEMENT

In Cybersecurity and CyberWar: What Everyone Needs to Know®, New York Times best-selling author P. W. Singer and noted cyber expert Allan Friedman team up to provide the kind of easy-to-read, yet deeply informative resource book that has been missing on this crucial issue of 21st century life. Written in a lively, accessible style, filled with engaging stories and illustrative anecdotes, the book is structured around the key question areas of cyberspace and its security: how it all works, why it all matters, and what can we do... [MORE]


ADVERTISEMENT

Dispatched by M to investigate the mysterious disappearance of MI6’s Jamaica station chief, Bond was expecting a holiday in the sun. But when he discovers a deadly centipede placed in his hotel room, the vacation is over.

On this island, all suspicious activity leads inexorably to Dr. Julius No, a reclusive megalomaniac with steel pincers for hands. To find out what the good doctor is hiding, 007 must enlist the aid of local fisherman Quarrel and alluring beachcomber Honeychile Rider. Together they will combat a local legend the natives call “the Dragon,” before Bond alone must face the most punishing test of all: an obstacle course—designed by the sadistic Dr. No himself—that measures the limits of the human body’s capacity for agony.

The text in this edition has been restored by the Fleming family company Ian Fleming Publications, to reflect the work as it was originally published... [MORE]



 
The Art of Attention

© 2016 PROSOCHĒ. All Rights Reserved.
Fair Use Policy ҩ Terms of Service ҩ Privacy Policy ҩ Contact

Cyber Threat Assessment

 


ADVERTISEMENT

In this New York Times bestselling investigation, Ted Koppel reveals that a major cyberattack on America’s power grid is not only possible but likely, that it would be devastating, and that the United States is shockingly unprepared... [MORE]


ADVERTISEMENT

As cyber-attacks dominate front-page news, as hackers join terrorists on the list of global threats, and as top generals warn of a coming cyber war, few books are more timely and enlightening than Dark Territory: The Secret History of Cyber War, by Slate columnist and Pulitzer Prize–winning journalist Fred Kaplan... [MORE]


ADVERTISEMENT

ADVERTISEMENT

Support CSWW

Please help improve CSWW by providing us with your comments, concerns, and questions at our FEEDBACK page.

Editor, CSWW

Kurt Brindley is a retired U.S. Navy Senior Chief who specialized in the fields of tele-communications and C4SRI systems Upon retirement from the navy, he spent nearly a decade as a defense industry consultant. He now writes full time... [MORE]


ADVERTISEMENT

Now in development for film by 20th Century Fox, award-winning CyberStorm depicts, in realistic and sometimes terrifying detail, what a full scale cyber attack against present-day New York City might look like from the perspective of one family trying to survive it... [MORE]