Security Strategies Alert By M. E. Kabay
The critical importance of integrating security into programming is obvious to anyone who thinks about it, and it has been the subject of countless minatory or sometimes pleading articles. Google "secure programming" as one example of appropriate keywords and you’ll find nearly a million hits.
Back in 2001, I wrote five columns on the subject which I later collected and updated as the short paper “Programming for Security” that’s currently on my Web site.
Microsoft’s Michael Howard and Steve Lipner published Writing Secure Code, Second Edition (2003), The Security Development Lifecycle (2006); and Michael Howard and David LeBlanc wrote Writing Secure Code for Windows Vista (2007).
Now the National Security Agency, working with MITRE Corp., SANS, and dozens of industry experts from many other organizations, has published a valuable list of the top 25 most dangerous programming errors. The best description of the project that I have found is the SANS Institute report. SANS provides a detailed summary of the issues, including this introduction:
"Today [January 12, 2009] in Washington, D.C., experts from more than 30 U.S. and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.
"The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."
SANS provides a list of the errors with a link from each to the MITRE database called the Common Weakness Enumeration (CWE). That site explains:
"International in scope and free for public use, CWE provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design."
The list itself divides the errors into three major categories:
• Insecure interaction between components.
• Risky resource management.
• Porous defenses.
Readers will find the threat model that was used in ranking the weaknesses particularly interesting. It presupposes a relatively skilled hacker intent on data theft or theft of resources and willing to invest at least 20 hours per target software package. The full process used in selecting the top 25 is documented and there’s also a list of 23 weaknesses that almost made it into the list.
This research project will be enormously valuable to working programmers, instructors in computer science, computer engineering and information assurance programs, and students in those disciplines.
No comments:
Post a Comment