Why Top 25 Lists Still Matter

The MITRE and SANS institute in an international collaboration effort have recently come up with an excellent list of security errors: CWE/SANS TOP 25 Most Dangerous Programming Errors.  They are broken up into three main categories: “Insecure Interaction Between Components”, “Risky Resource Management” and “Porous Defenses”. Most of the entries are very generic and represent modern embodiments of well-known attack vectors. Ivan Arce, CTO of Core Security Technologies Inc. provides the most insightful testimonial from the SANS website: “This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities …”

Gary McGraw summarizes some of his complaints with the list in his post: Software [In]security: Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work. Gary’s 2nd item reads: “… Top ten lists tend to focus on bugs, to the detriment of any attention for design-level problems.”

I would disagree with Gary and argue that real world examples of attacks are what actually drive security design best practice. From a theoretical standpoint an attack must be conceived before a programmer can design defensively against it. For example the SANS item CWE-426: Untrusted Search Path reads “If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker’s choosing.” Once a programmer is aware of this type of attack it drives future design and care of externally configurable application start up state. Other items on the SANS list equally drive design choices, such as item CWE-602: Client-Side Enforcement of Server-Side Security.

Gary goes on to state: “.. Bug lists change with the prevailing technology winds…”. Really? The SANS top 25 list is actually quite generic, save a few items. The following items are very general, have been known for decades, and continue to be relevant and problematic security issues: “External Control of Critical State Data”, “Incorrect Calculation”, “Improper Input Validation”, “Failure to Preserve OS Command Structure”, “Cleartext Transmission of Sensitive Information”, “Error Message Information Leak” and “Improper Encoding or Escaping of Output”. All of these items from the top 25 list represent general attach vectors relevant to a wide variety of programming languages and domains.

If you haven’t already I would highly recommend checking out the CWE/SANS TOP 25 Most Dangerous Programming Errors. It represents a great base of common attacks. Learning these should be a good step towards thinking defensively, designing defensively and coding defensively.