Not one of our Top X lists, this time, but one featured in an article on the SANS site. SANS have been banging the drum for safer coding for quite a while - in fact, they do quite a few courses on safe coding in various development contexts. Admittedly, that gives them a financial incentive to fly this flag, but it's still a good banner to raise: more secure coding across the board does make life harder for the bad guys, which has to be good. SANS and MITRE, to whose "Common Weakness Enumeration" (CWE) initiative there are many references in the article, are correct to point out that coders who are unaware of the basics of secure programming pose a security problem.
What I find interesting about this item is that it doesn't just talk about the relatively well-known vulnerabilities and system weaknesses (stack errors, overflows, underflows and all those other esoterica that sound like a BBC traffic report), but some of the specific errors that are most commonly made.
These are listed in three categories:
- Insecure Interaction Between Components (9 errors)
- Risky Resource Management (9 errors)
- Porous Defenses (7 errors)
The document also goes on to list resources for remediation. All-in-all, well worth a look.
David Harley
Director of Malware Intelligence