Will the Top 25 worst software errors list released Monday be able to rescue customers from rotten software? That's the palpable hope from some security managers who have backed the government and industry effort to identify the worst programming mistakes that lead to patch-management headaches and even cybercrime and cyber espionage.
With the Top 25 list (which sprang from an effort that began with the Department of Homeland Security seeking to pinpoint which software weaknesses lead to security breaches), there's optimism that software buyers will be able to use this common set of definitions to ask that software vendors fix their mistakes without major legal or financial fuss.
The Top 25 programming errors
This list of techie goof-ups starts with "Improper Input Validation" and ends with "Client-Side Enforcement of Server-Side Security." Vendors may simply ignore the list to brush off concerns and evade responsibility, some point out. But some buyers, including New York State, are expected to lead the way in making the Top 25 a big topic of discussion during the software-acquisition process.
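As an added illustration (not code from the article or from MITRE), the two weaknesses that bookend the list, "Improper Input Validation" (CWE-20) and "Client-Side Enforcement of Server-Side Security" (CWE-602), shown as a weak order handler beside a hardened one; the request dictionaries and the session store are constructed for the example.

```python
# Added example, not part of the original article. Two Top 25 entries:
# CWE-20  Improper Input Validation
# CWE-602 Client-Side Enforcement of Server-Side Security
# Shown as a weak request handler beside a hardened one.

# Constructed server-side session store: the only trustworthy source of a
# caller's role. A real deployment would back this with a session service.
SESSIONS = {"sess-123": {"user": "alice", "role": "user"}}

UNIT_PRICE = 10.0

def weak_order(request):
    """Trusts a client-supplied role flag and never validates quantity."""
    # CWE-602: the client body decides whether the caller is an admin.
    discount = 1.0 if request.get("role") == "admin" else 0.0
    # CWE-20: quantity is used as-is, whatever its type or sign.
    qty = request["quantity"]
    return {"ok": True, "charge": (1.0 - discount) * UNIT_PRICE * qty}

def hardened_order(request):
    """Derives the role from the server-side session and validates fields."""
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        return {"ok": False, "error": "unauthenticated"}
    # Authorization comes from the session, never from the request body;
    # a "role" key sent by the client is simply ignored.
    discount = 1.0 if session["role"] == "admin" else 0.0
    qty = request.get("quantity")
    # Allow-list validation: an int (bool is excluded, since it subclasses
    # int) within the business range 1..100.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        return {"ok": False, "error": "invalid quantity"}
    return {"ok": True, "charge": (1.0 - discount) * UNIT_PRICE * qty}
```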
"What keeps me up at night? Application vulnerabilities," says Will Pelgrin, CISO for the State of New York, and director of the New York State office of cybersecurity and critical infrastructure. Vulnerabilities laid out so neatly in the Top 25 list are "increasingly the vector for attacks," he notes.
Pelgrin strongly supports the effort behind the list, which was pulled together with both industry and government input by MITRE Corp. in its "Common Weakness Enumeration" project.
The list was culled from about 700 fundamental software issues MITRE identified over three years. The basic idea for the project is said to have started with the U.S. government's National Security Agency (NSA).
New York State is not only going to use the list for educational purposes with its own software developers, it's also going to be the "application-security guidelines best practices" for any application developers it hires.
"It's a concrete way to give application developers what needs to be looked at being eliminated before an application goes into production," Pelgrin says.
The Top 25 also is likely to make its way into some contractual negotiations for application purchases elsewhere. That's a move strongly supported by Alan Paller, director of research at SANS Institute, which helped organize the Top 25 effort.
"This is language you really need to put into your contract," says Paller, who adds that some software vendors are charging their customers extra to fix serious errors in software that the customer brings to their attention.
By way of example, he says Siemens had paid about 100,000 Euros for a custom application which it discovered had "critical security flaws," but the vendor refused to fix them until it was paid an extra 145,000 Euros.
Paller acknowledges that previous efforts to identify software weaknesses, such as the SANS Top Twenty list, have not been hugely successful in getting vendors to develop less-buggy software. But the fact that the NSA and other government entities have fostered the Top 25 list gives Paller optimism that the list and its definitions could become a tool to greatly improve the customer's playing field with vendors.
The list is getting attention within the intelligence community, including the NSA and the Office of the Director of National Intelligence, which is supposed to coordinate efforts across agency lines.
Margie Gilbert, deputy with the Comprehensive National Cyber Initiative in the Office of the Director of National Intelligence, says the list represents "a consensus of definition, the definition of the problems, the taxonomy of what we're talking about."
The federal government will be encouraged to use the list as a "tool" for obtaining software that's free of the bugs that can be exploited and hence present security threats, she says.
Whether or not the federal government makes reference to the Top 25 mandatory in software dealings may depend on the experience of places like New York State that are leading the way in including it in contractual arrangements, she adds.
The normally taciturn NSA took the somewhat unusual step of issuing a statement on the software errors list.
"The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator-centered view [detect/respond/patch] to a software engineering-centered view [design/implement/verify]," said Konrad Vesey, speaking for NSA's Information Assurance Directorate. "When consumers see that most vulnerabilities are caused by a mere 25 weaknesses, a new standard for due diligence in product development is likely to emerge. The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."
"Weaknesses are the root cause behind all the things we keep patching," says Bob Martin, CWE project leader at MITRE, which spearheaded the government project. He points out that the Top 25 is more than just a list: it also includes a lot of information on how to prevent and mitigate weaknesses, as well as patterns of attack.
"In 2010, there will be a Top 25 and maybe some new things on there we don't know about today," Martin concludes.