Report Profiles Top Software Security Coding Errors
- By Jabulani Leffall
- February 18, 2010
A new study describes the top 25 programming errors that can open up security holes in software.
The free study, published on Wednesday, lists oversights that can lead to denial-of-service attacks, data theft, or control of a system by hackers. The document, "2010 CWE/SANS Top 25 Most Dangerous Programming Errors," aims to educate programmers and software users about the security risks that may arise from such errors.
The study is a collaboration between the nonprofit MITRE Corp., which manages cyber security research for the U.S. Department of Homeland Security, and the SysAdmin, Audit, Network and Security (SANS) Institute. It includes information collected by the SANS research group as well as MITRE's Common Weakness Enumeration data.
The top five programming errors include:
- "Failure to preserve Web page structure," which leads to cross-site scripting attacks;
- "Improper sanitization of special elements used in an SQL command," which leads to SQL injection attacks;
- "Buffer copy without checking size of input," leading to buffer overflow problems;
- "Cross-site request forgery," where Web server requests can masquerade as if from another user; and
- "Improper access control," which can lead to compromised user authorizations on a system.
Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. To ward off such attacks, the report recommends using frameworks and libraries to control output, including "Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket." Programmers should use strong character encoding and set the browser cookie session to HttpOnly.
SQL injection attacks come via "improper sanitation" during the execution of SQL commands, according to the report. They can change the logic of queries used for authentication, allowing security to be compromised. The report suggests using "persistence layers such as Hibernate or Enterprise Java Beans." Developers should implement a whitelist of acceptable query strings for the application, rejecting all strings that don't conform.
Buffer and stack overflows are old and common problems for coders. The program tries to move more data into a buffer than the buffer can hold. The report recommends using languages with built-in memory management, such as Perl and Java. Programmers can inadvertently disable the overflow protections that exist in other languages, such as C#. They should double check the buffer size in memory when writing their applications.
Cross-site request forgery allows requests to a Web server to masquerade as if from another user. It can lead to "data disclosure or unintended code execution," according to the report. To ward off such exploits, anti-CSRF packages should be used, such as OWASP CSRFGuard.
Access control problems in software can lead to information leaks and other security problems. Programmers should set privileges and map roles associated with data access and software functions.
Roger Halbheer, Microsoft's head of software security for Europe, the Middle East and Africa, called the report "scary" in a blog post. Microsoft -- which is no stranger to patching security vulnerabilities in its own software -- has implemented an in-house development approach to ensuring software is properly built called the "security development lifecycle." Halbheer recommended using that approach for all organizations developing their own software.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.