Abstract Confusions

Complexity is not a cause of confusion. It is a result of it.

Application Security: Most Dangerous Programming Errors

Last year and earlier this year we saw serious security lapses that were actually exploited: attackers broke into Twitter and TechCrunch. Over the years applications are built, rebuilt and retired, and more and more of them exist mainly to fetch data from a database and store data in it. Data will only become more valuable, and any security error means a loss of credibility with your customers.

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A recent study published by the Common Weakness Enumeration (CWE) project and the SANS (SysAdmin, Audit, Network, Security) Institute lists the 25 most dangerous programming errors. The highest-scoring error was Cross-Site Scripting (XSS, score 346), followed by the well-known SQL injection (330) and the classic buffer overflow (273). Evidently application developers are still making the same errors again and again.

Here is a selection of five of the most dangerous errors from that list.

  1. Use of hard-coded credentials.
  2. Incorrect permission assignment for a critical resource / missing authentication for a critical function.
  3. Missing encryption of sensitive data / use of a broken or risky cryptographic algorithm.
  4. Unrestricted upload of a file with a dangerous type.
  5. Use of insufficiently random values.

I have seen these errors.
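
Each of the five errors above has a vulnerable form that is short to write and a hardened form that is not much longer. The following Python script is an added example, not code from this post or from the CWE/SANS study; for each error it shows the risky pattern in a comment and a hardened function beside it. The environment-variable name APP_DB_PASSWORD, the file name credentials.txt, the allowed upload types and the PBKDF2 iteration count are assumptions chosen for the example, and PBKDF2 is used only because it ships with the standard library (argon2 or bcrypt are preferable when a third-party package is acceptable).

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# 1. Hard-coded credentials.
# Vulnerable pattern: DB_PASSWORD = "Pr0dP@ss"  # baked into the source and every copy of it.
# Hardened: read the secret from the environment (or a secret store) at start-up and
# fail loudly if it is absent, rather than falling back to a built-in default.
def load_db_password(env=None, name="APP_DB_PASSWORD"):  # variable name is an assumption
    """Return the database password from the environment; raise if it is not set."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start with a default credential")
    return value

# 2. Incorrect permission assignment for a critical resource.
# Vulnerable pattern: open(path, "w").write(secret)  # mode comes from the umask, often 0644.
# Hardened: create the file with an explicit 0600 mode and O_EXCL, so an existing
# (possibly attacker-planted) file or symlink at that path is never reused.
def write_private_file(data, directory=None):
    """Write data to a new owner-only file; return (path, permission bits)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "credentials.txt")  # file name is an assumption
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # defensive: the result must not depend on the umask
    return path, stat.S_IMODE(os.stat(path).st_mode)

# 3. Missing encryption of sensitive data / broken or risky algorithm.
# Vulnerable pattern: hashlib.md5(password.encode()).hexdigest()  # unsalted, fast, lookup-table reversible.
# Hardened: salted PBKDF2-HMAC-SHA256 with a high iteration count (standard library only).
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter for the example

def hash_password(password):
    """Return a self-describing hash string: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# 4. Unrestricted upload of a file with a dangerous type.
# Vulnerable pattern: open(os.path.join(UPLOAD_DIR, request.files["f"].filename), "wb")
#   -> the client chooses both the name (../, shell.php) and the content.
# Hardened: allow-list the extension, require the content to match it, and store the
# file under a server-generated name so the client-supplied one is never used.
ALLOWED_TYPES = {  # extension -> leading magic bytes; assumed policy for the example
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def check_upload(client_filename, content):
    """Validate an upload; return the server-side name to store it under, or raise ValueError."""
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop any path component
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError(f"file type {ext!r} is not allowed")
    if not content.startswith(magic):
        raise ValueError("file content does not match its extension")
    return secrets.token_hex(16) + ext

# 5. Use of insufficiently random values.
# Vulnerable pattern: token = str(random.random())  # Mersenne Twister, predictable from outputs.
# Hardened: the operating system's CSPRNG via the secrets module.
def new_session_token():
    """Return a 256-bit session token in URL-safe form."""
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
    print(check_upload("avatar.png", ALLOWED_TYPES[".png"] + b"\x00" * 16))
    print(new_session_token())
```

The upload check deliberately rejects double-extension tricks such as avatar.png.php (the last extension decides) and a PHP payload renamed to .png (the magic bytes do not match); the permission check relies on O_EXCL rather than checking for existence first, which closes the race between the check and the create.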

Language Impacts and Other Factors

The study also lists the languages in which each error commonly appears. Weighting each entry High = 3, Moderate = 2 and Limited = 1 and summing per language gives the following totals.

Language   Severity (higher is worse)
C / C++    63
PHP        58
Java       50
Perl       50

Design weaknesses (12) and implementation weaknesses (13) are almost evenly split, so an error can creep in at the architecture, design or implementation phase.

Effective Mitigation

The study also gives a list of effective mitigations. The emphasis is on the following:

  • Establish and maintain control over all of your inputs and all of your outputs.
  • Lock down your environment.
  • Assume that external components can be subverted and that your code can be read by anyone, and be prepared for it.
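
The first mitigation, control over inputs and outputs, is exactly what the two top-scoring errors in the study (XSS and SQL injection) violate. The following Python script is an added example, not the study's or this post's code: it builds a small in-memory SQLite users table from constructed sample rows, shows a string-built query that an injection payload subverts beside the parameterized query that it cannot, and applies the same allow-list-on-input and encode-on-output discipline to an HTML response. The username policy in USERNAME_RE is an assumption for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example; not real accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 0),
    ("root", "root@example.com", 1),
]

def make_db():
    """Build an in-memory users table so the example runs without a database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

# --- Input control: the database boundary ------------------------------------

def lookup_email_vulnerable(conn, name):
    """String-built SQL: the caller's text becomes part of the statement."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def lookup_email_safe(conn, name):
    """Parameterized SQL: the caller's text is only ever a bound value."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")  # assumed username policy for the example

def validate_username(name):
    """Allow-list check applied at the trust boundary, before the value is used anywhere."""
    return bool(USERNAME_RE.fullmatch(name))

# --- Output control: the HTML boundary ---------------------------------------

def render_greeting_vulnerable(name):
    """Raw interpolation into HTML: a name that contains markup is rendered as markup."""
    return f"<p>Hello, {name}!</p>"

def render_greeting_safe(name):
    """Encode for the HTML text context so the value is displayed, not interpreted."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

INJECTION = "x' OR '1'='1"          # classic SQL injection payload
XSS = "<script>alert(1)</script>"   # classic reflected-XSS payload

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_email_vulnerable(db, INJECTION))  # every row leaks
    print("safe:      ", lookup_email_safe(db, INJECTION))        # no such user
    print("validated: ", validate_username(INJECTION))            # rejected at the boundary
    print(render_greeting_vulnerable(XSS))
    print(render_greeting_safe(XSS))
```

Validation and parameterization are layered on purpose: the allow-list rejects the payload before it reaches the database, and the bound parameter keeps the query safe even for inputs the allow-list must accept (a free-text comment, for instance). Output encoding is context-specific; html.escape is right for HTML text and attribute values, but a value placed inside a script block or a URL needs the encoder for that context.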

I would add the following things to it:

  • Secure your database, using tools or enterprise solutions. This includes auditing and the advanced security options your database vendor offers.
  • Use or build some form of analytics. Prepare a report showing who is using the system and for what.
  • Have a business continuity plan (BCP) and disaster recovery (DR) in place. Be prepared for the worst. (A recent router failure at WordPress.com took 110 minutes to recover from.)

Looks like the future is going to be really interesting.
