
Dangerous coding errors revealed

    Open Season on Programmers...the new Terrorists....

    The US National Security Agency has helped put together a list of the world's most dangerous coding mistakes.

    The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

    Experts say many of these errors are not well understood by programmers.

    According to the SANS Institute in Maryland, just two of the errors led to more than 1.5m web site security breaches during 2008.

    It is thought that this is the first time the industry has reached agreement on the worst things that can creep into software as it is being written.

    More than 30 organisations, including the US National Security Agency, the Department of Homeland Security, Microsoft, and Symantec published the document.

    THE TOP 25 MOST DANGEROUS PROGRAMMING ERRORS
    CWE-20: Improper Input Validation
    CWE-116: Improper Encoding or Escaping of Output
    CWE-89: Failure to Preserve SQL Query Structure
    CWE-79: Failure to Preserve Web Page Structure
    CWE-78: Failure to Preserve OS Command Structure
    CWE-319: Cleartext Transmission of Sensitive Information
    CWE-352: Cross-Site Request Forgery
    CWE-362: Race Condition
    CWE-209: Error Message Information Leak
    CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
    CWE-642: External Control of Critical State Data
    CWE-73: External Control of File Name or Path
    CWE-426: Untrusted Search Path
    CWE-94: Failure to Control Generation of Code
    CWE-494: Download of Code Without Integrity Check
    CWE-404: Improper Resource Shutdown or Release
    CWE-665: Improper Initialization
    CWE-682: Incorrect Calculation
    CWE-285: Improper Access Control
    CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    CWE-259: Hard-Coded Password
    CWE-732: Insecure Permission Assignment for Critical Resource
    CWE-330: Use of Insufficiently Random Values
    CWE-250: Execution with Unnecessary Privileges
    CWE-602: Client-Side Enforcement of Server-Side Security
    Source: SANS Institute

    "The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers," said Chris Wysopal, chief technology officer with Veracode.

    "There appears to be broad agreement on the programming errors," says SANS director Mason Brown. "Now it is time to fix them."

    "We need to make sure every programmer knows how to write code that is free of the top 25 errors."

    "Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors," he said.

    Patrick Lincoln, director of the Computer Science Laboratory at SRI International, told the BBC that if programmers prevented these errors appearing in their code, it would deter the majority of hackers.

    "This list is primarily for people who have first responsibility for designing a system. Veteran programmers have probably learnt the hard way whereas a brand new programmer will be making more basic errors."

    "The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent - ankle biters, if you will - would be deterred from breaking in."

    Previously, most advice has focused on vulnerabilities that can result from programming errors. The top 25 list examines the actual programming errors themselves.

    The US Office of the Director of National Intelligence, the principal adviser to the President, the National Security Council and the Homeland Security Council also lent their support to the list.

    In a statement, they said: "We believe that integrity of hardware and software products is critical for cyber security."

    "Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations."

    "The top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."


    Beeb Link Here
    Last edited by Board Game Geek; 13 January 2009, 18:05.
    Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience.

    C.S. Lewis

    #2
    Originally posted by Board Game Geek
    CWE-494ownload of Code Without Integrity Check
    I don't even know what an "ownload" is, so I've no idea why you think it's so funny.



      #3
      Originally posted by Board Game Geek
      CWE-20: Improper Input Validation
      CWE-116: Improper Encoding or Escaping of Output
      CWE-89: Failure to Preserve SQL Query Structure
      CWE-79: Failure to Preserve Web Page Structure
      CWE-78: Failure to Preserve OS Command Structure
      CWE-319: Cleartext Transmission of Sensitive Information
      CWE-352: Cross-Site Request Forgery
      CWE-362: Race Condition
      CWE-209: Error Message Information Leak
      CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
      CWE-642: External Control of Critical State Data
      CWE-73: External Control of File Name or Path
      CWE-426: Untrusted Search Path
      CWE-94: Failure to Control Generation of Code
      CWE-494ownload of Code Without Integrity Check
      CWE-404: Improper Resource Shutdown or Release
      CWE-665: Improper Initialization
      CWE-682: Incorrect Calculation
      CWE-285: Improper Access Control
      CWE-327: Use of a Broken or Risky Cryptographic Algorithm
      CWE-259: Hard-Coded Password
      CWE-732: Insecure Permission Assignment for Critical Resource
      CWE-330: Use of Insufficiently Random Values
      CWE-250: Execution with Unnecessary Privileges
      CWE-602: Client-Side Enforcement of Server-Side Security
      That reads like the results of my last code review
      Where are we going? And what’s with this hand basket?



        #4
        If that is considered by the yanks as the 25 worst coding errors then it's small wonder that windows is such a steaming pile of horse droppings.

        In the spirit of Anglo-US relations we ought to educate them on what the real top 25 coding errors are, or just give it to them for free and let them go claiming it as their own and pay for the privilege of buying it back like RADAR, RSA algorithm, SQL ...



          #5
          I found this in the source code of a client:

          try
          {
              //do stuff
          } catch (OutOfMemoryError oome)
          {}

          "Experience hath shewn, that even under the best forms of government those entrusted with power have, in time, and by slow operations, perverted it into tyranny. "


          Thomas Jefferson



            #6
            Originally posted by Ruprect
            I found this in the source code of a client:

            try
            {
                //do stuff
            } catch (OutOfMemoryError oome)
            {}

            That "//do stuff" will never work.
            Try: "do stuff until stop" - should do the job.
            Bored.



              #7
              WTF does "CWE-94: Failure to Control Generation of Code" actually mean?

              You turn your back for 10 minutes and the CVS repository has doubled in size? Those one million monkeys you hired last week are writing too much code?

              Anyway I have seen so much crap code now that I am beyond caring. If people want their web system to write to flat files I really could not give a flying one these days.



                #8
                Originally posted by Ruprect
                I found this in the source code of a client:

                try
                {
                    //do stuff
                } catch (OutOfMemoryError oome)
                {}

                Saw this at my latest client:

                Code:
                try {
                    //do stuff
                } catch (Throwable t) {
                }
                The try/catch block was at the outermost level in a servlet, i.e. the "do stuff" bit included the whole processing of the HTTP request.

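                As an added illustration of the outermost-level catch described in the post above (this is not code from the thread or from any poster's client), the following compiles with a plain JDK and puts the swallowing handler next to a deliberate one. The Handler, Request and Response types are hypothetical stand-ins for the servlet API, chosen so the file needs no dependencies; they are an assumption of this example, not javax.servlet.

```java
// Added example: a request handler that swallows Throwable versus one that
// handles failures deliberately. Handler/Request/Response are hypothetical
// stand-ins for the servlet API (assumption), so this compiles with javac alone.
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class TopLevelCatch {
    private static final Logger LOG = Logger.getLogger(TopLevelCatch.class.getName());

    // Minimal stand-ins for a servlet request and response (not the real API).
    static final class Request {
        final String path;
        Request(String path) { this.path = path; }
    }

    static final class Response {
        int status = 200;
        String body = "";
        void send(int status, String body) { this.status = status; this.body = body; }
    }

    interface Handler {
        void service(Request req, Response resp) throws Exception;
    }

    // The pattern from the thread: whatever fails, the client receives a 200 with an
    // empty body, nothing is logged, and even an OutOfMemoryError is hidden.
    static void swallowingService(Handler h, Request req, Response resp) {
        try {
            h.service(req, resp);
        } catch (Throwable t) {
        }
    }

    // Deliberate form: expected failures map to a fixed status, unexpected exceptions
    // are logged server-side with context while the client only sees a generic body
    // (the CWE-209 concern), and JVM Errors are left alone because the process may
    // no longer be safe to keep serving requests.
    static void deliberateService(Handler h, Request req, Response resp) {
        try {
            h.service(req, resp);
        } catch (IllegalArgumentException e) {
            LOG.log(Level.INFO, "bad request for {0}", req.path);
            resp.send(400, "Bad request");
        } catch (IOException e) {
            LOG.log(Level.WARNING, "I/O failure handling " + req.path, e);
            resp.send(500, "Internal error");
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "unhandled exception handling " + req.path, e);
            resp.send(500, "Internal error");
        }
        // Error subclasses (OutOfMemoryError, StackOverflowError, ...) propagate to the container.
    }

    public static void main(String[] args) {
        // Constructed handlers standing in for "do stuff" that fails.
        Handler failing = (req, resp) -> { throw new IllegalStateException("lookup failed"); };
        Handler exploding = (req, resp) -> { throw new OutOfMemoryError("constructed for the demo"); };

        Response r1 = new Response();
        swallowingService(failing, new Request("/orders"), r1);
        System.out.println("swallowing: status=" + r1.status + " body='" + r1.body + "'");

        Response r2 = new Response();
        deliberateService(failing, new Request("/orders"), r2);
        System.out.println("deliberate: status=" + r2.status + " body='" + r2.body + "'");

        // The container's role in this demo: the Error reaches it instead of vanishing.
        try {
            deliberateService(exploding, new Request("/orders"), new Response());
        } catch (OutOfMemoryError e) {
            System.out.println("deliberate: OutOfMemoryError propagated to the container");
        }
    }
}
```

                Run with `javac TopLevelCatch.java && java TopLevelCatch`. The swallowing variant reports the failed request as a 200 with nothing in the body and nothing in the log, which is exactly what makes the pattern hard to spot in production; the deliberate variant returns a generic 500, keeps the stack trace in the server log, and lets the OutOfMemoryError surface to whoever is running the process.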


                  #9
                  Originally posted by bored
                  Saw this at my latest client:

                  Code:
                  try {
                      //do stuff
                  } catch (Throwable t) {
                  }
                  The try/catch block was at the outermost level in a servlet, i.e. the "do stuff" bit included the whole processing of the HTTP request.
                  Still, keeps us in a job eh?
                  "Experience hath shewn, that even under the best forms of government those entrusted with power have, in time, and by slow operations, perverted it into tyranny. "


                  Thomas Jefferson



                    #10
                    Where are

                    ‘CWE-1: Outsource coding to Bob Shawadiwadi’
                    and
                    ‘CWE-2: Outsource functional testing to his brother Bill Shawadiwadi’?
                    And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014
