Thursday, January 22, 2009

Top 25 Programming Errors for Software Testing

Recently, experts from more than 30 US and international cyber security organizations announced a consensus list of the Top 25 programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Most of these errors are not well understood by programmers; their avoidance is not widely taught in computer science programs; and their presence is frequently not tested for by organizations developing software for sale.
The impact of these errors is tremendous. Just two of them led to more than 1.5 million web site security breaches during 2008, and those breaches in turn infected the computers of people who visited the compromised sites, turning them into zombies.

Among the people and organizations that cooperated in the project are respected security experts from leading organizations ranging from Symantec and Microsoft to DHS's National Cyber Security Division, NSA's Information Assurance Directorate, the University of California at Davis and Purdue University. The initiative was managed by MITRE and the SANS Institute, with financial support from the US Department of Homeland Security's National Cyber Security Division.

Despite some heated discussions, the experts came to agreement quickly. "When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task," says Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair. "Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs."

The Office of the Director of National Intelligence expressed its support saying, "We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations. The Top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."

Software testing tools will use the Top 25 in their evaluations and provide scores for the level of secure coding in the software being tested. In parallel with the January 12 announcement, one of the leading software testing vendors announced that its software will be able to test for and report on the presence of a large fraction of the Top 25 errors. Application development teams can use such testing software during the development process rather than after release.



Prepared by TestLabs of Mirasoft Group

Based on SANS Publications

5 comments:

  1. Well done. Good information. Where is the URL to see the actual list?

  2. I cannot find any information on the actual testing vendors or details on the offerings. Any insight?

  3. The URL is: http://www.sans.org/top25errors/

  4. Nice post. Thanks for sharing the information and the URL. Software Testing Services
