Top 25 List of computer code security glitches
I have just found, through an ACM mailing list, a recently assembled list of 25 security vulnerabilities aimed at software engineers and programmers in particular. First, the full list (download PDF):
www.sans.org/top25
cwe.mitre.org/top25/
Category: Insecure Interaction Between Components (9 errors)
Category: Risky Resource Management (9 errors)
Category: Porous Defenses (7 errors)
The list itself is not something new. The enumerated pitfall scenarios and prevention strategies focus on coding standards. Design patterns for secure code are barely mentioned in the document, and one of the most important principles of code security, and of security in general, is absent: ‘least privilege’.
What could improve the popularity of the list is a set of code samples, especially in C/C++, illustrating each of the points. That would help broader acceptance of, and strict adherence to, the principles proposed.
Regarding tools and automated checks, again there is a list provided by SANS: http://www.sans.org/whatworks/
There were already quite a few good-practice guidelines covering many, if not all, of the Top 25 points. What really makes this effort stand out from the crowd is the comprehensive list of authority figures in the industry behind it. The list could easily be used for professional QA of your security posture and as proof of product security upon final delivery. As you can see here: http://www.sans-ssi.org/certification/ (with sample exams for C, C# and Java), sans.org has already provisioned a certificate program for code practitioners involved in high-quality secure products for the enterprise and the government. SANS is working with the support of the US Department of Homeland Security’s National Cyber Security Division; this alone gives the framework weight in any project's requirements and deliverables documents.
Many industry experts, companies and university research groups took part in forming the list:
Robert C. Seacord, CERT
Pascal Meunier, CERIAS, Purdue University
Matt Bishop, University of California, Davis
Kenneth van Wyk, KRvW Associates
Masato Terada, Information-Technology Promotion Agency (IPA), (Japan)
Sean Barnum, Cigital, Inc.
Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
Adam Hahn, MITRE
Jeff Williams, Aspect Security
Carsten Eiram, Secunia
Josh Drake, iDefense Labs at VeriSign, Inc.
Chuck Willis, MANDIANT
Michael Howard, Microsoft
Bruce Lowenthal, Oracle Corporation
Mark J. Cox, Red Hat Inc.
Jacob West, Fortify Software
Djenana Campara, Hatha Systems
James Walden, Northern Kentucky University
Frank Kim, ThinkSec
Chris Eng and Chris Wysopal, Veracode, Inc.
Ryan Barnett, Breach Security
Antonio Fontes, New Access SA, (Switzerland)
Mark Fioravanti II, Missing Link Security Inc.
Ketan Vyas, Tata Consultancy Services (TCS)
Lindsey Cheng, Ian Peters and Tom Burgess, Secured Sciences Group, LLC
Hardik Parekh and Matthew Coles, RSA - Security Division of EMC Corporation
Mouse
Ivan Ristic
Apple Product Security
Software Assurance Forum for Excellence in Code (SAFECode)
Core Security Technologies Inc.
Depository Trust & Clearing Corporation (DTCC)
The working group at the first OWASP ESAPI Summit
National Security Agency (NSA) Information Assurance Division
Department of Homeland Security (DHS) National Cyber Security Division