The United States National Security Agency (NSA) has released a list of the top 25 coding errors that have landed coders and webmasters in hot water. The SANS Institute, located in Maryland, reported that "1.5 million websites were breached" because of two types of coding errors that are on the list. These errors are so malicious and so commonly made that the NSA, the Department of Homeland Security, Microsoft, Symantec and many others published the list, a first of its kind, to help developers as they are coding.
The list is intended to keep current and upcoming coders from making the mistakes that veteran coders learned the hard way. With more awareness of common but serious coding errors, everyone will benefit from the knowledge and consumers' data will remain safe.
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure
- CWE-79: Failure to Preserve Web Page Structure
- CWE-78: Failure to Preserve OS Command Structure
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
- CWE-285: Improper Access Control
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security
Erm, the errors aren't malicious. The exploit of the error is.
Additionally, some of them should be removed by the time testing is complete. Input validation should be tested extremely thoroughly, SQL injection should be impossible if you've used good practice techniques (i.e. using the SqlCommand class properly in .NET).
If these are cropping up in NSA applications, then they need new programmers.
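An added example (my own, not from the article or from the commenter above) of the good-practice technique the comment refers to, using Python's standard sqlite3 module instead of .NET's SqlCommand. The user table, its rows and the test inputs are constructed for illustration; the point is CWE-89 from the list: a query built by string concatenation lets input change the query's structure, while a parameterised query binds the same input purely as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, name, password):
    """CWE-89 pattern: untrusted input is spliced into the SQL text, so a
    quote character in the input becomes part of the query grammar."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened form: the query structure is fixed at compile time and the
    values travel separately as bound parameters, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def structure_preserved(conn, name, password):
    """Defender's check: both forms must agree on every input. Any input on
    which they differ (or on which the concatenated form errors out) is
    proof that the query structure was not preserved."""
    try:
        return login_concat(conn, name, password) == login_param(conn, name, password)
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(login_param(db, "alice", "s3cret"))        # ['alice']
    print(structure_preserved(db, "alice", "s3cret"))  # True
    print(structure_preserved(db, "o'brien", "pw"))    # False: stray quote breaks the SQL
```

Running the same check with a value that carries an unbalanced quote is a cheap regression test to keep in a suite once a concatenated query has been replaced.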
I am sure I probably cover most, if not all of those, for those I could understand were ticked!
Honestly though, from consulting on web projects and security in my day to day work, it never fails to surprise me the poor standards of coding out there. I've worked with major household names that have SQL injection hacks in their admin panels!
I think it's simply a case of too many agencies out there providing 'web pages' and 'software', and the markup just isn't there anymore in a lot of cases to take security seriously.
Security is time consuming and costs money. I don't think it's a matter of taking security seriously. It's a matter of wanting to pay for security or not.
Doing a non-secure form from the ground up takes little time for an experienced programmer. Doing a full-fledged secure form from the ground up costs more money.
Of course you can re-use code. But creating an infrastructure to re-use your code is also time consuming and also costs money.
Lots of companies I worked for don't want to invest the time and money to implement version control, libraries of code, coding practices and such.
Programmers work on their project not knowing what other programmers did for other projects. You often see the same functions doing exactly the same thing in 2 different projects, coded twice. Duplication of code. Bad coding practices, or coding practices that are not universal across the company. Multiple versions of the same program implemented in different workspaces.
Few companies want to invest the time and money necessary to have an efficient and secure infrastructure.
I knew the web was racist! </sarcasm>
CWE-209: Error Message Information Leak
CWE-319: Cleartext Transmission of Sensitive Information
Those three, I'd say, aren't exactly "big problems". Depends on what they mean by them though.
"Error Message Information Leak". The problem is, as a software developer, it's impossible to catch and stop every single error from displaying. Sometimes there is absolutely no way to "prevent" errors. Fatal PHP errors, for example, are only controllable from the php.ini and can't be routed differently from the application itself.
If on the other hand they mean displaying the data of a supposedly private file with sensitive information (i.e. a config.php) through a traceback for debugging information for the developer, then yeah, I can see their point.
"CWE-319: Cleartext Transmission of Sensitive Information"
To transmit sensitive data privately you also need something like SSL, which many hosts may or may not provide, and then direct support in the software for the 'https' extension. Unless of course they mean storing things like passwords in cleartext in the database, then yes, that's an obvious one.
As for Race Conditions, I've never seen those lead to anything that could be escalated to a break in actual security. Usually Race Conditions only happen to bypass mechanisms like having to wait x minutes after a search so the server doesn't "overload" if the person was attempting a DoS attack.
The rest seem pretty obvious for a decently seasoned web developer.
There's no way in Apache to handle HTTP 500-100 errors like IIS can? Or does the PHP engine not return correct headers when a process fails?
I'm sure PHP can do it, but this is beside the point: this is not specific to web programming, this is about all software programming.
Since I work for a company that does development for other businesses, the responsibility falls upon the customer to identify security measurements needed, request it, and understand the additional manhours needed. Since cost/time are always the issue, they never bother...so neither do I.
Wow. Way to represent your company.
The responsibility to point out obvious flaws before coming to an agreement also goes to whoever is working out contract details before any work gets done. Sounds like your company's method of operating is to use any valid scapegoat to cover its own ass.
I now dare you to let us know your company's name.