
Security groups outline top 25 programming errors for 2010

18 February 2010

The SANS Institute and Mitre have updated their annual CWE/SANS Top 25 list of the most dangerous software programming errors. SQL injection is the number one danger to software customers, according to the two organizations.

SANS and Mitre have made several improvements over the 2009 list. Focus profiles have been added to explain how the listed weaknesses relate to real-world scenarios. The new list also ranks items using a survey of 28 organizations that prioritized each weakness by its prevalence and its importance.

After SQL injection, classic buffer overflow was public enemy number two in terms of application security. Cross-site scripting came a close third, followed by operating system command injection. The fifth-ranked programming security error was the unrestricted upload of a file with a dangerous type. Cross-site request forgery, while increasingly common in web application attacks, failed to make the top five, resting instead in sixth place.
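The headline weakness on the list is easy to see in working code. The following Python program, an added example that is not part of the original article or of the CWE/SANS report, builds an in-memory SQLite table with constructed sample users and runs the same login query two ways: once by concatenating the caller's input into the SQL string (the SQL injection pattern the list ranks first) and once with bound parameters. The user names, passwords and payloads are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Build the query by string concatenation.

    Whatever the caller supplies becomes part of the SQL grammar, so a
    quote in the input changes which rows the WHERE clause selects.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Same query with bound parameters.

    The SQL text is fixed; the inputs travel to the engine as data and
    can never be parsed as part of the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both versions against a legitimate login and two payloads."""
    conn = make_db()
    # Tautology payload: turns the WHERE clause into "... OR '1'='1'".
    tautology = "' OR '1'='1"
    # Comment payload: "--" discards the password check that follows it.
    comment_out = "alice'--"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16s} -> {rows}")
```

Run as a script it shows that the concatenated query returns every user for the tautology payload and logs `alice` in without her password for the comment payload, while the parameterized query returns only the genuine match and nothing for either payload. The fix is not escaping the input but keeping it out of the SQL text altogether.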

The bugs were ranked according to importance and prevalence. Each parameter was used to assign a sub-score to a bug. The importance sub-score was squared and then added to the prevalence sub-score to produce the final score, which gives importance much more weight than prevalence.

The study also produced a separate ranking focusing purely on the technical impact of each weakness. "Note that skilled attackers can combine multiple weaknesses into a single, larger attack that is more severe than any of its parts," the report said.

Several entries that appeared on last year's list, including the general improper input validation entry, have been moved to a separate section called Monster Mitigations. "A number of general purpose CWE entries were removed from the top 25 because they overlap other items," said Mitre. "This also made room for other, more specific weaknesses to be listed."
