Will Top 25 list of software errors rescue you from rotten software?

NSA, intelligence community firmly behind software security effort

Will the Top 25 worst software errors list released Monday be able to rescue customers from rotten software? That's the palpable hope from some security managers who have backed the government and industry effort to identify the worst programming mistakes that lead to patch-management headaches and even cybercrime and cyber espionage.

Will the Top 25 worst software errors list released Monday be able to rescue customers from rotten software?

That's the palpable hope from some security managers who have backed the government and industry effort to identify the worst programming mistakes that lead to patch-management headaches and even cybercrime and cyber espionage.

With the Top 25 list (which sprang from an effort that began with the Department of Homeland Security seeking to pinpoint which software weaknesses lead to security breaches), there's optimism that software buyers will be able to use this common set of definitions to ask that software vendors fix their mistakes without major legal or financial fuss.

The Top 25 programming errors

1. Improper input validation
2. Improper encoding or escaping of output
3. Failure to preserve SQL query structure (SQL injection)
4. Failure to preserve Web page structure (cross-site scripting)
5. Failure to preserve operating system command structure (OS command injection)
6. Cleartext transmission of sensitive information
7. Cross-site request forgery
8. Race condition
9. Error message information leak
10. Failure to constrain operations within the bounds of a memory buffer
11. External control of critical state data
12. External control of file name or path
13. Untrusted search path
14. Failure to control generation of code (code injection)
15. Download of code without integrity check
16. Improper resource shutdown or release
17. Improper initialization
18. Incorrect calculation
19. Porous defenses
20. Use of a broken or risky cryptographic algorithm
21. Hard-coded password
22. Insecure permission assignment for critical resource
23. Use of insufficiently random values
24. Execution with unnecessary privileges
25. Client-side enforcement of server-side security

For in-depth definitions of these Top 25 software-programming errors, visit the Web sites of The SANS Institute and MITRE Corp. at www.sans.org and www.mitre.org.

SOURCE: SANS and MITRE

This list of techie goof-ups starts with "Improper Input Validation" and ends with "Client-Side Enforcement of Server-Side Security." Some point out that vendors may simply ignore the list to brush off concerns and evade responsibility. But some buyers, including New York State, are expected to lead the way in making the Top 25 a big topic of discussion during the software-acquisition process.

"What keeps me up at night? Application vulnerabilities," says Will Pelgrin, CISO for the State of New York, and director of the New York State office of cybersecurity and critical infrastructure. Vulnerabilities laid out so neatly in the Top 25 list are "increasingly the vector for attacks," he notes.

Pelgrin strongly supports the effort behind the list, which was pulled together with both industry and government input by MITRE Corp. in its "Common Weakness Enumeration" project.

The list was culled from about 700 fundamental software issues MITRE identified over three years. The basic idea for the project is said to have started with the U.S. government's National Security Agency (NSA).

New York State is not only going to use the list for educational purposes with its own software developers, it's also going to be the "application-security guidelines best practices" for any application developers it hires.

"It's a concrete way to give application developers what needs to be looked at being eliminated before an application goes into production," Pelgrin says.

The Top 25 also is likely to make its way into some contractual negotiations for application purchases elsewhere. That's a move strongly supported by Alan Paller, director of research at SANS Institute, which helped organize the Top 25 effort.

"This is language you really need to put into your contract," says Paller, who adds that some software vendors are charging their customers extra to fix serious errors in software that the customer brings to their attention.

By way of example, he says Siemens had paid about 100,000 Euros for a custom application which it discovered had "critical security flaws," but the vendor refused to fix them until it was paid an extra 145,000 Euros.

Paller acknowledges that previous efforts to identify software weaknesses, such as the SANS Top Twenty list, have not been hugely successful in getting vendors to develop less-buggy software. But the fact that the NSA and other government entities have fostered the Top 25 list gives Paller optimism that the list and its definitions could become a tool to greatly improve the customer's playing field with vendors.

The list is getting attention within the intelligence community, including the NSA and the Office of the Director of National Intelligence, which is supposed to coordinate efforts across agency lines.

Margie Gilbert, deputy with the Comprehensive National Cyber Initiative in the Office of the Director of National Intelligence, says the list represents "a consensus of definition, the definition of the problems, the taxonomy of what we're talking about."

The federal government will be encouraged to use the list as a "tool" for obtaining software that's free of the bugs that can be exploited and hence present security threats, she says.

Whether or not the federal government makes reference to the Top 25 mandatory in software dealings may depend on the experience of places like New York State that are leading the way in including it in contractual arrangements, she adds.

The normally taciturn NSA took the somewhat unusual step of issuing a statement on the software errors list.

"The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator-centered view [detect/respond/patch] to a software engineering-centered view [design/implement/verify]," said Konrad Vesey, speaking for NSA's Information Assurance Directorate. "When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence in product development is likely to emerge. The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."

"Weaknesses are the root cause behind all the things we keep patching," says Bob Martin, CWE project leader at MITRE, which spearheaded the government project. He points out that the Top 25 is more than just a list: it also includes a lot of information on how to prevent and mitigate each weakness, as well as the patterns of attack associated with it.

"In 2010, there will be a Top 25 and maybe some new things on there we don't know about today," Martin concludes.
