The SDL and the CWE/SANS Top 25 Most Dangerous Programming Errors 2010

 

Hi, Michael here,

As you may be aware, industry experts and academics collaborated for a second year on the CWE/SANS Top 25 Most Dangerous Programming Errors, defining and describing the most significant programming errors that can lead to some of the most serious software vulnerabilities. As we did last year, Microsoft was involved in helping define the CWE/SANS Top 25 for 2010.

As the process to define the Top 25 drew to a close and the draft list of 40 candidates was selected to be whittled down to 25, we decided, as we did in 2009, to see how the SDL processes and tasks map to the Top 25.

As we expected, the SDL maps very nicely to the 2010 Top 25, just as it did in 2009. Every one of the Top 25 is covered by one or more SDL requirements, and most of them are also covered by an automated SDL verification tool or secure coding library. Even CWE 98, “PHP File Inclusion,” is covered by the SDL in our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft!

The reason that we address issues like PHP file inclusion in the SDL is that we don’t simply wait for new vulnerability taxonomies to be released and then rush to add mitigations to our security processes; rather, we structure the SDL to provide developers with fundamentally sound, secure programming practices. As a result, we cover not just the known vulnerabilities of today (like the Top 25) but also many of the unknown vulnerabilities that will be discovered tomorrow. The fact that all of the Top 25 are addressed by the SDL is a great validation, but it is the result of the content of our process and not the cause.

| CWE | Title | Education | Manual Process | Library, tool or code gen fix? | Threat Model |
|-----|-------|-----------|----------------|--------------------------------|--------------|
| 120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | Y | Y | Y | |
| 129 | Improper Validation of Array Index | Y | | Y | |
| 131 | Incorrect Calculation of Buffer Size | Y | | Y | |
| 805 | Buffer Access with Incorrect Length Value | Y | | Y | |
| 209 | Information Exposure Through an Error Message | Y | Y | Y | |
| 754 | Improper Check for Exceptional Conditions | Y | | | |
| 22 | Path Traversal | Y | | Y | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’) | Y | | | |
| 434 | Unrestricted File Upload | Y | | | Y |
| 770 | Allocation of Resources Without Limits or Throttling | Y | | | |
| 78 | Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’) | Y | | Y | |
| 79 | Failure to Preserve Web Page Structure (‘Cross-site Scripting’) | Y | Y | Y | |
| 89 | Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’) | Y | Y | Y | |
| 352 | Cross-Site Request Forgery (CSRF) | Y | | Y | |
| 362 | Race Condition | Y | | | |
| 494 | Download of Code Without Integrity Check | | | | Y |
| 601 | URL Redirection to Untrusted Site (‘Open Redirect’) | Y | | Y | |
| 190 | Integer Overflow or Wraparound | Y | | Y | |
| 807 | Reliance on Untrusted Inputs in a Security Decision | Y | | | |
| 285 | Improper Access Control (Authorization) | Y | Y | | Y |
| 306 | Missing Authentication for Critical Function | Y | | | |
| 311 | Missing Encryption of Sensitive Data | Y | | | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | Y | Y | Y | |
| 732 | Incorrect Permission Assignment for Critical Resource | Y | Y | | |
| 798 | Use of Hard-coded Credentials | Y | | | |

(The source is cut off after the Education column of the CWE 798 row; the remaining cells of that row are not available.)