News

Report Profiles Top Software Security Coding Errors

A new study describes the top 25 programming errors that can open up security holes in software.

The free study, published on Wednesday, lists oversights that can lead to denial-of-service attacks, data theft, or control of a system by hackers. The document, "2010 CWE/SANS Top 25 Most Dangerous Programming Errors," aims to educate programmers and software users about the security risks that may arise from such errors.

The study is a collaboration between the nonprofit MITRE Corp., which manages cyber security research for the U.S. Department of Homeland Security, and the SysAdmin, Audit, Network and Security (SANS) Institute. It includes information collected by the SANS research group as well as MITRE's Common Weakness Enumeration data.

The top five programming errors include:

  1. "Failure to preserve Web page structure," which leads to cross-site scripting attacks;
  2. "Improper sanitization of special elements used in an SQL command," which leads to SQL injection attacks;
  3. "Buffer copy without checking size of input," leading to buffer overflow problems;
  4. "Cross-site request forgery," where Web server requests can masquerade as if from another user; and
  5. "Improper access control," which can lead to compromised user authorizations on a system.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. To ward off such attacks, the report recommends using frameworks and libraries to control output, including "Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket." Programmers should use strong character encoding and set the browser cookie session to HttpOnly.

SQL injection attacks come via "improper sanitation" during the execution of SQL commands, according to the report. They can change the logic of queries used for authentication, allowing security to be compromised. The report suggests using "persistence layers such as Hibernate or Enterprise Java Beans." Developers should implement a whitelist of acceptable query strings for the application, rejecting all strings that don't conform.

Buffer and stack overflows are old and common problems for coders. The program tries to move more data into a buffer than the buffer can hold. The report recommends using languages with built-in memory management, such as Perl and Java. Programmers can inadvertently disable the overflow protections that exist in other languages, such as C#. They should double check the buffer size in memory when writing their applications.

Cross-site request forgery allows requests to a Web server to masquerade as if from another user. It can lead to "data disclosure or unintended code execution," according to the report. To ward off such exploits, anti-CSRF packages should be used, such as OWASP CSRFGuard.

Access control problems in software can lead to information leaks and other security problems. Programmers should set privileges and map roles associated with data access and software functions.

Roger Halbheer, Microsoft's head of software security for Europe, the Middle East and Africa, called the report "scary" in a blog post. Microsoft -- which is no stranger to patching security vulnerabilities in its own software -- has implemented an in-house development approach to ensuring software is properly built called the "security development lifecycle." Halbheer recommended using that approach for all organizations developing their own software.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube