List creates software security squabble
Is the CWE Top 25 list a silver bullet for software security? No. But it is ammunition.
The release earlier this month of a consensus list of the most serious programming errors to be avoided has garnered quite a bit of attention, some of it predictably negative. Bloggers who are amusing themselves by dissing the effort seem to be missing the forest for the trees. They dismiss the list because it is not an absolute and perfect solution to software security, and ignore the benefits it might provide.
Development of the list, available online, was managed by the Sans Institute and Mitre Corp. with support from the National Security Agency and the Homeland Security Department’s National Cyber Security Division. It represents a consensus of the most significant errors on which the IT community should concentrate. The idea is that an industrywide consensus, culled from the more than 700 errors detailed in the Common Weakness Enumeration database, can be used to standardize requirements for software procurements, to prioritize remediation of legacy applications and to help educate coders.
The detractors are unhappy essentially because no Top-N list is all-inclusive. The whole idea of these lists is that some things get left out, and that upsets some people.
“Security is a big deal, it’s not a list,” says Gwyn Fisher, chief technology officer of Klockwork in his Klocktalk blog. Yes, security is a big deal. But Fisher makes a big assumption in declaring that “what’s outside that list is just as important as what made the cut.” The compilers of the most recent list, which represents a broad range of the people in the IT community, apparently disagree. They decided that what is inside the list is more important.
Are they right? That is open to argument. But to summarily dismiss the effort simply because the list included some elements and excluded others is unfair. That’s the nature of a list.
Gary McGraw, chief technology officer of Cigital, published in his blog the “Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work." He basically argues that what he calls “bug parades” focus too narrowly on a set of flaws and obscures the broader issues of security and good coding. “But lists change with the prevailing technology winds,” he says, and often are based on misleading or bad metrics. “Using the CWE/SANS top 25” or any other top list “to drive your software security initiative will be a major mistake.”
Maybe. I suppose it depends on what you mean by “driving your software security initiative.” If you mean using the list exclusively and ignoring other tools, techniques and processes, then yes, that would be a mistake. If you mean taking advantage of a standardized list of a manageable size to prioritize some efforts, I don’t think that is a mistake at all.
The most fatal programming error would be to believe that the CWE/SANS list is a cure-all for software security. It is not. The folks at SANS may be guilty of overselling the list when it was released, saying, “it is going to change the way organizations buy software, right away,” and suggesting that it provided a whole new class of tools not previously available. But that does not mean it will not be a useful tool.
Fisher bemoans that fact that serious hackers are capable of exploiting more than just the top 25 errors, and that eliminating the top 25 will deter only "script kiddies" and "ankle-biters." “All this money being spent on what? A barrier to deter script kiddies. ...”
Of course, any Top-N list is like a rail fence: Once you remove the top rail, you find another top rail immediately underneath it. But serious hackers are like everyone else. If you leave the well-known, easy-to-exploit flaws in programs, they will continue to pick this low-hanging fruit. If you remove the top 10 or 25 flaws, a new top list will appear, but it will force the bad guys to refocus their efforts on new areas that might not be as easy to exploit.
Security is a big deal. And it is a never-ending process that no list will be able to halt. But there is no reason we should not use all the ammunition we can get just because a bullet doesn’t happen to be silver.