Want safer software? Start with this list
The ability to analyze source code and identify risky behavior in applications is crucial to software assurance, but so is the policy behind it. It is impossible -- and unnecessary -- to catch every weakness in an application. It’s better to focus on what is important during the development, acquisition and testing processes. But how do you know what’s important?
Last month, a coalition of experts from more than 30 companies, organizations and agencies reached a consensus on the top 25 programming weaknesses and published the list in the hopes that developers and users could increase software security by avoiding easily exploited errors.
The SANS Institute and Mitre spearheaded the list’s development, with the support of the National Security Agency and the Homeland Security Department. The weaknesses are not new; the experts culled them from the more than 700 entries in the Common Weakness Enumeration database Mitre maintains. What is new is the agreement that removing those 25 weaknesses from software code would also remove most of the vulnerabilities that criminals, spies and other hackers exploit.
Although the discussion was heated, SANS Institute Director Mason Brown said, “there appears to be broad agreement on the programming errors.”
The list, which will be updated regularly, is available at www.sans.org/top25errors and cwe.mitre.org/top25. The list’s developers said they believe it will be especially useful for:
- Software acquisition. Vendors could be required to certify that they have addressed weaknesses in their products.
- Software development. Coders would have a standard against which to measure their work.
- Education. Colleges and universities would have a basis for teaching students how to design secure software.
- Employment. Employers would have a standard by which to gauge the qualifications of contractors or in-house developers.