SANS Institute, MITRE release new top 25 dangerous coding errors list

The SANS Institute released an updated version of its top 25 dangerous programming errors list this week, shedding light on the common coding errors attackers use to gain access to sensitive data and wreak havoc on corporate networks.

The latest list adds profiles to help organizations tailor the list to their needs, and mitigation techniques to help software developers apply better practices across the software development lifecycle (SDL).

"There is much more to building secure software than hunting down 25 bugs," said Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.

The list was first used in the procurement process last year, when officials in New York State released a draft version of a procurement contract built on the programming errors list. William Pelgrin, CISO of New York State and principal editor of the consensus procurement standards for secure code, drafted the new language. He said the language could help with both in-house software development and hiring an external development team. The SANS Institute posted the draft of the procurement contract language. Paller said that, if used properly, it could substantially reduce the risk of purchasing shoddy code and eliminate the problem of having to pay a fortune to repair coding errors.

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list includes many of the same programming errors identified in 2009. The organizers added a new set of profiles to help project managers tailor the list to their needs, along with mitigation techniques that could help software developers, designers and project managers adopt better practices and apply them to different parts of the software development lifecycle.

"These things, we hope, will help people really get into the Top 25 and apply it quickly and directly to the challenges they have," said software security expert Bob Martin, principal engineer at MITRE Corp.

Sima said enterprises could better apply the coding error lists by identifying specific problems that software developers can reasonably address. Coding practices would improve if an organization identified even five reasonable issues unique to it and fed them into a code analysis tool, he said.

The new version introduces focused profiles that let developers and other users select the parts of the Top 25 most relevant to their concerns. Nine profiles break the coding errors down by criteria such as which weaknesses are typically fixed in design versus implementation, which errors to emphasize when training new programmers, and which common holes can be detected by automated versus manual code analysis.

The new list also provides a set of what researchers have identified as effective "Monster Mitigations," which help developers reduce or eliminate entire groups of weaknesses by applying the techniques to different areas of the software development lifecycle. The mitigations are organized by target audience (programmers, designers and project managers), providing a blueprint for getting started with process improvements.

Alan Paller, director of research at the SANS Institute, said the error list could serve as a standard for contract language between custom software buyers and developers. If businesses build the coding errors into their contract language, it may help ensure buyers are not held liable for software containing faulty code, he said.

"There is now a way that [enterprises] can begin to make the suppliers of that software accountable for problems," Paller said. "We see it as directly addressing the financial problem of fixing the [coding errors] and we see it as partially helping get rid of the errors in the first place."

The list includes a variety of errors, from improper input validation to the use of a broken or risky cryptographic algorithm, any of which attackers can use to reach sensitive data. Cross-site scripting (XSS) topped the list, followed by the input validation errors that leave software open to SQL injection and by the programming blunders that lead to buffer overflow conditions.
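As an added illustration of the two web-facing errors at the head of the list (this is example code written for this page, not code from the article or from the CWE/SANS list), the Python below builds a constructed in-memory SQLite table and shows a query assembled by string formatting beside its parameterized form, then an HTML template that echoes input raw beside one that encodes it. The user names, secrets and payloads are made up for the demonstration. The buffer-overflow entry is a native-code problem and is not shown here.

```python
import html
import sqlite3

# Constructed sample data for the demonstration; nothing here comes from the article.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Improper input validation: untrusted text is pasted into the SQL string,
    so quote characters in `name` change the query's structure (SQL injection)."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload; on the vulnerable path the WHERE clause becomes
#   name = '' OR '1'='1'
# which is true for every row.
SQLI_PAYLOAD = "' OR '1'='1"


def demo_sqli():
    """Return (rows leaked by the vulnerable query, rows returned by the fixed one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, SQLI_PAYLOAD)   # every user's secret
    safe = lookup_fixed(conn, SQLI_PAYLOAD)          # no user has that literal name
    return len(leaked), len(safe)


def render_vulnerable(name):
    """Cross-site scripting: user input is placed into HTML without encoding."""
    return "<p>Hello, %s</p>" % name


def render_fixed(name):
    """Encode for the HTML text context so markup in `name` is displayed, not run."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    print("SQLi (leaked rows, safe rows):", demo_sqli())
    print("XSS vulnerable:", render_vulnerable(XSS_PAYLOAD))
    print("XSS fixed:     ", render_fixed(XSS_PAYLOAD))
```

Both fixes are mechanical, which is what makes them good candidates for the "five reasonable issues" Sima describes feeding into a code analysis tool: a static checker can flag SQL strings built with `%` or `+` and template output that is not routed through an encoder.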

Security expert Gary McGraw, an outspoken critic of vulnerability lists, said that while they help software developers think more about attackers and the vulnerabilities they go after, they do little to improve how software is actually written.

While the list identifies common errors that programmers do not understand well, experts say enterprises have a long way to go in improving the internal workings of their software development practices before any true progress can be made. Error lists help focus awareness on software coding flaws, but better training and a shift toward quality software over speed and cost cutting may be the bigger problem to solve.

Experts who helped develop the list say it sheds light on the growing need for better software development practices to address a documented rise in attacks against websites and web-based applications. Attackers are turning to automated tools that make it easier to seek out and exploit vulnerabilities. The list is jointly managed by the SANS Institute and the MITRE Corp., which maintains the Common Weakness Enumeration, a formal list of software weaknesses.

Secure coding expert Caleb Sima, CEO of Santa Clara, Calif.-based Armorize Technologies Inc., a Web application security vendor, said the lists are a helpful educational tool that helps people understand the kinds of errors that need to be identified and repaired. Sima, co-founder and former chief technology officer of SPI Dynamics, which was acquired by HP Software in August 2007, said secure coding can be tricky when developers are under pressure to finish a project and move on to coding issues in other applications.

"When you take that list into a real-world environment, I think you start running into some different issues," Sima said. "Applying the full list is overload and it becomes complicated. It isn't a reasonable amount of work for an organization."
