
Re: [WEB SECURITY] 2009 Top 25 Programming Errors



For those that aren't paying attention -- you understand that this is
going to become your new "standard" for appsec, correct?

For all of you ignoring this -- this is going to replace the OWASP Top
10 and WASC TC 1.0 or 2.0 etc. That is the goal/agenda of SANS & CWE.
Begin press releases, beat the marketing campaign drums.

The language in this "Top 25" is quite poor. Friends & I were laughing
out loud at how unprofessional and childish the writing in this
document is in many places.

If you don't get involved in steering this -- this "Top 25" is the
most likely new "standard" you'll be living with.

Take a gander at the completely subjective and often inaccurate
"remediation costs". These kinds of parts should be removed, or
strongly clarified and justified.

Anyway -- I think OWASP and WASC people need to get involved or you
are going to find that your RFPs for tools, training, and testing are
comprised of this SANS/MITRE Top 25. People (Software Security
Consumers) are already starting to use the "Top 25" this way, and
desperate vendors & solutions are actively steering this to try and
give them some legitimacy. SANS has no clue in this problem domain and
will take this banner and charge forward with it.

I could be wrong and this is ignored, but it doesn't look that way.
State governments are already pushing this as a "standard" and I think
it will wind up, like the OWASP Top 10, being preempted and used by
various parties as a standard and guideline regardless of the intent.


--> So we either need to improve this thing, or offer up a better list
really quickly to be used (and have voices actively championing it).

As an aside -- I thought we had matured more as an "industry". I was a
bit surprised that in 2009 the best we can do is offer up a list of
negative "Failures" described with amateur security-nerd language of
DEFCON caliber. Who was this document written for anyway? This
language is not how I communicate to business owners and IT
professionals.

Not only do I love negative language and mindless hyperbole; I have
found it very useful to actually point your finger at developers while
shouting "You FAILED to code securely" to get the point across. I also
like to point my finger at business owners, while letting them know
that "You Failed to specify and require security software" and your
software shouldn't even be allowed on the Internet. They really like
that.


Here we go with our new Top 25 list:

I'll quote the XSS section. This description is .... ridiculous and
inaccurate hyperbole. Seriously:

CWE-79: Failure to Prevent Web 2.0 (aka 'Cross-site Scripting')

http://cwe.mitre.org/top25/#CWE-79

<quote>
"Cross-site scripting (XSS) is one of the most prevalent, obstinate,
and dangerous vulnerabilities in web applications. It's pretty much
inevitable when you combine the stateless nature of HTTP, the mixture
of data and script in HTML, lots of data passing between web sites,
diverse encoding schemes, and feature-rich web browsers. If you're not
careful, attackers can inject Javascript or other browser-executable
content into a web page that your application generates. Your web page
is then accessed by other users, whose browsers execute that malicious
script as if it came from you (because, after all, it *did* come from
you). Suddenly, your web site is serving code that you didn't write.
The attacker can use a variety of techniques to get the input directly
into your server, or use an unwitting victim as the middle man in a
technical version of the "why do you keep hitting yourself?" game."
</quote>


If I had not found this on SANS's website I would have thought this was a joke.

So now we know that XSS "comes from me" and is "input directly into
your server".


I really like and have tremendous respect for the minds at Mitre,
particularly Steven ... so I am truly baffled by the low quality of
this list.


That said -- I do not want this list driving any form of a standard a
customer will be using, so someone get on the ball and finish TC 2.0
and start promoting it aggressively. Like...now.


-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi






On Mon, Jan 12, 2009 at 10:44 AM, Mangiarelli, Jerry
<jerry.mangiarelli@xxxxxx> wrote:
> For those interested, here's a listing that details 25 most dangerous
> programming errors that lead to security bugs.
>
>
>
> http://cwe.mitre.org/top25/pdf/2009_cwe_sans_top_25.pdf
>
>
>
> Best regards,
> j.
>
> ---------------------------------------------------------------------------
> Jerry Mangiarelli, CISSP, CEH
> Technology Risk Management and Information Security
> TD Bank Financial Group
> Bus: 519-663-1577, Mobile: 519-670-6090
> jerry.mangiarelli@xxxxxx
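As an added example that is not part of the original post or of the CWE text it quotes: a minimal Python rendering of the CWE-79 pattern described above, where untrusted input is placed unencoded into HTML the server itself sends, shown next to the output-encoded form. The handler names and the sample query are assumptions made for this illustration.

```python
import html

# Constructed sample input: a search term that carries markup, the
# "mixture of data and script in HTML" the quoted CWE-79 text refers to.
SAMPLE_QUERY = "<script>alert('xss')</script>"


def render_vulnerable(query: str) -> str:
    """Echo the untrusted value straight into the page (CWE-79).

    Whatever the client sent is now part of the document the server
    serves, so a browser treats the injected tag as the site's own script.
    """
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """Same page, with the untrusted value entity-encoded for HTML body
    content before it is placed in the document.

    html.escape handles &, <, >, and with quote=True also " and ', which
    is the correct treatment for text content and quoted attributes.
    Other contexts (URLs, inline JavaScript, CSS) need their own encoders.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_active_content(page: str) -> bool:
    """Crude detection check: does the rendered page still carry a raw
    <script> tag? Useful as a regression assertion in tests."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("hardened:  ", render_hardened(SAMPLE_QUERY))
```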
