@Serge Wautier: that’s what makes it dangerous.
More cut-n-paste please.
Nice blog engine! Looks like it handles ordered lists like a champ.
I know I am an ass for this, but I found that there are only 12, not the promised 30 items. And even those 12 can be reduced…
1/ Improper Input Validation … path, user input, download without integrity check
2/ Untrusted Source … similar data validation, but checks on a more human level, untrusted search path
3/ Failure to Fulfil Constraints … buffer overflow
4/ Improper Initialization or Release of Resource … uninitialized data,
5/ Failure to Preserve Proper Structure … encoding or escaping of textual data, SQL, HTML, control generation of code
6/ Client-Side Enforcement of Server-Side Security
7/ Revealing Potentially Misused Information … OS calls in text file, cleartext transmission of sensitive data - hard-coded passwords, error message information leak
8/ Giving Privileges to Access Potentially Misused Information (their executing) … data critical to keep valid state of program, external file names,
11/ Insufficient Random Values
12/ Use of Weak Cryptographic Algorithms
- No one forces programmers to check security vulnerabilities
- There is no budget for forcing programmers to check security vulnerabilities
- There is no budget for checking security vulnerabilities
- No one checks whether security vulnerabilities are checked
- There is no budget for checking whether security vulnerabilities are checked
- And so on
I looked through this initiative a little more, and while the list of errors is good and reflects the opinions of many professionals, I’m a little worried what it can mean.
(1) Customers (governments, users, etc.) will now require that software companies / vendors ‘certify’ their code to be compliant with this list - now if there is a catastrophic mistake, the economic liability falls on the software company, not the customer.
(2) This would be fine and dandy except this list contains extremely common and hard-to-eliminate errors such as buffer overflow / memory leak, resource initialization /shutdown, etc. These are almost impossible to completely eliminate, and I really don’t see how it would work.
I’d disagree with most of the criticism. The point of this shared Internet of ours isn’t to find precise, or even academic, text. Just because it’s redundant in some areas doesn’t mean there is any fault to be found. After all, we rarely measure understanding in terms of simple mathematics, despite the fact that we can boil everything down to it.
Jeff, this post is another great one and another good sign that you’d make a great teacher/lecturer. It’s not whether or not you can boil reality down to numbers and figures; it’s all about sharing that information. If you’ve ever got an inkling to speak, give me a call.
A modest suggestion: How about a ‘reference implementation’ of a non-trivial website that explicitly follows all these rules? It would be important to note that such an implementation would -not- be guaranteed to be secure, and would be subject to regular revision-- But still, without an actual implementation, isn’t this really just all yakety-yak, i.e., the security version of vaporware?
I quite like this one:
Improper Resource Shutdown or Release
When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposed items, looking for sensitive data. They could also potentially reuse those resources.
So, how exactly do we do this when .NET, Java or etc… manage our memory for us (presumably to help defeat 10. Failure to Constrain Operations within the Bounds of a Memory Buffer)? The way I understand it, none of these garbage collection systems free the resources immediately… does this mean we shouldn’t use them?
Personally I think we should use them… but only because /I/ can’t think of a way to exploit this feature. However the smarter attacker might…
I’m not just making this point because I want something more useful than object.Dispose() in .NET languages. Honest!!
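One answer to the question above, as an added example that is not part of the original post or any commenter's code: a garbage collector decides when memory is reclaimed, but `IDisposable` plus `using` gives deterministic cleanup, so a sensitive buffer can be overwritten the moment it is no longer needed. `SecretBuffer` is a hypothetical type written for this illustration; `CryptographicOperations.ZeroMemory` and `RandomNumberGenerator.Fill` are real .NET APIs (available from .NET Core 2.1 onward).

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the post): deterministic release of a secret in a
// garbage-collected runtime. The GC may leave the bytes in memory for an
// unknown time, so we clear them explicitly when Dispose() runs.
sealed class SecretBuffer : IDisposable
{
    private byte[] _bytes;

    public SecretBuffer(byte[] bytes)
    {
        _bytes = bytes ?? throw new ArgumentNullException(nameof(bytes));
    }

    // Using the buffer after disposal is a bug; fail loudly instead of
    // silently handing out zeroed (or reclaimed) data.
    public ReadOnlySpan<byte> Bytes =>
        _bytes ?? throw new ObjectDisposedException(nameof(SecretBuffer));

    public void Dispose()
    {
        if (_bytes != null)
        {
            // Overwrite the secret in place before the GC ever sees the object
            // as garbage; plain Array.Clear could be optimized away in some
            // runtimes, ZeroMemory is guaranteed not to be.
            CryptographicOperations.ZeroMemory(_bytes);
            _bytes = null;
        }
    }
}

static class Demo
{
    static void Main()
    {
        var key = new byte[32];
        RandomNumberGenerator.Fill(key); // constructed sample secret

        using (var secret = new SecretBuffer(key))
        {
            Console.WriteLine($"using {secret.Bytes.Length} key bytes");
        } // Dispose() runs here, regardless of when the GC collects the object

        // key[] now contains only zeros; the original bytes are gone even
        // though the array object itself has not yet been collected.
        Console.WriteLine($"first byte after dispose: {key[0]}");
    }
}
```

The same pattern applies to files, sockets and sessions: anything holding a resource the attacker could reuse should implement `IDisposable` (or `Closeable` in Java, used with try-with-resources) rather than relying on a finalizer that may never run in time.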
I think we also need a number 16 - Relying on 3rd party libraries, tools and APIs being secure.
Your description of race condition is wrong. There is no need for the attacker to have full control over one process. A race condition is merely a synchronization issue, where properly timed inputs and program execution can lead to an unexpected state of the program.
Re: Drawing a web page isn’t programming. Sheesh.
So you’re totally okay with your bank thinking that their online banking Web site isn’t programming.
Web sites have matured, sheesh. You should follow their lead.
I can think of a few other programming mistakes:
- Programming without coffee
- Flatulence in XP/paired programming practices
Drawing a web page isn’t programming. Sheesh.
Though I suppose even in Word you can let yourself in for some of these troubles.
@Mark: keep thinking that internal software doesn’t have to worry about hostile users or environments. It keeps people like me in business.
I’m working on a software package that does all these things. It is a vendor application and we’re not allowed to change it, but I’m really freaked out by it. For a year now, I’ve been saying it’s not secure and buggy, and won’t be reliable… and I’m afraid of what the consequences will be when I’m proven right. And it costs $1.5 million - yeah - one and a half million dollars!
About 18 - Incorrect Calculation…
Isn’t that the same as #1? If you prevent allowing people to enter the price of a car as $1, you would also prevent them from ordering -100 quantity of an item.
Or perhaps that example in #1 should be moved to #18; call #1 validation of type and format and #18 validation of value.
Side note – on the unexpected ways attackers can enter input; I remember a WinForms control that I was testing a few years ago where only 10 digits could be typed, but any length and/or type of characters could be pasted using the context menu. Lesson learned: Don’t put all your validation in KeyDown!
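The lesson in the side note above, as an added example that is not part of the original post or any commenter's code: a keystroke filter only sees typed characters, so the field must also validate the text that actually ends up in the control, however it got there. `TenDigitField` and its `Attach` method are hypothetical names for this illustration; the `KeyPress` and `Validating` events are the real WinForms events.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Windows.Forms;

// Added example (not from the post): a 10-digit-only field that filters
// keystrokes for convenience AND validates the final value, so that text
// arriving via paste, drag-and-drop or UI automation cannot bypass the check.
static class TenDigitField
{
    static readonly Regex TenDigits = new Regex(@"^\d{10}$");

    // Single source of truth for what is acceptable. Call this again at the
    // point of use (e.g. before building a query), not only in the UI.
    public static bool IsValid(string value) =>
        value != null && TenDigits.IsMatch(value);

    public static void Attach(TextBox box)
    {
        // Keystroke filter: blocks non-digits and an 11th typed character.
        // This is the "KeyDown-only" approach the comment warns about; it
        // never runs for Ctrl+V or the context-menu Paste command.
        box.KeyPress += (sender, e) =>
        {
            bool isControl = char.IsControl(e.KeyChar); // allow Backspace etc.
            bool wouldOverflow = box.Text.Length - box.SelectionLength >= 10;
            if (!isControl && (!char.IsDigit(e.KeyChar) || wouldOverflow))
                e.Handled = true;
        };

        // Value check: runs on the text that is actually in the box when
        // focus leaves it, regardless of how the characters arrived.
        box.Validating += (sender, e) =>
        {
            if (IsValid(box.Text)) return;
            e.Cancel = true; // keep focus in the field until it is fixed
            MessageBox.Show("Enter exactly 10 digits.", "Invalid input");
        };
    }
}
```

A pasted value such as "12345abc" or a 40-character string passes the keystroke filter untouched but is rejected by `Validating`, and because `IsValid` is a plain function it can be reused on the server or service side where the value is consumed.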
3,4 and 5 are just the consequences of 2.
Great list though.
I was actually going to send you a link to this! What was I thinking lol, of course Jeff would have got this and blogged about it.
I’m still going to write a blog article about it anyway; at least I’ll get to do some more research.
What do you think about encryption with Silverlight for AJAX? I found this implementation which looks nice:
#26. Breaking another software developer’s copyright and terms of service, especially for use in your own commercial venture:
This is a major milestone — we’ve essentially de-obfuscated the WMD code, which was my #1 goal! - Jeff Atwood