I am elaborating an earlier article on http://decisionstats.com/top-25-most-dangerous-software-errors/ based on my continued research into cyber conflict and strategy. My inputs are in italics – the rest is a condensed article for further thought.
The Department of Homeland Security of the United States of America has just launched a list of top 25 errors in programming or creating software that increase vulnerability to hacking attacks. The list which is available at http://cwe.mitre.org/top25/index.html lists down a methodology fo measuring vulnerability called Common Weakness Scoring System (CWSS) and uses that score to rank the various errors as well as suggestions to eliminate these weaknesses or errors.
The importance of a weakness (that arises due to software bugs) may vary depending on business usage or project implementation, the technologies , operating systems and computing environments in use, and the risk or threat perception.The Common Weakness Scoring System (CWSS) provides a mechanism for scoring weaknesses. and provides a framework for prioritizing security errors (“weaknesses”) that are discovered in software applications.
For example the number 1 weakness is shown with
1CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).
The rest of the weaknesses are
RANK SCORE ID NAME
 93.8 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
 83.3 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
 79.0 CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
 77.7 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
 76.9 CWE-306 Missing Authentication for Critical Function
 76.8 CWE-862 Missing Authorization
 75.0 CWE-798 Use of Hard-coded Credentials
 75.0 CWE-311 Missing Encryption of Sensitive Data
 74.0 CWE-434 Unrestricted Upload of File with Dangerous Type
 73.8 CWE-807 Reliance on Untrusted Inputs in a Security Decision
 73.1 CWE-250 Execution with Unnecessary Privileges
 70.1 CWE-352 Cross-Site Request Forgery (CSRF)
 69.3 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
 68.5 CWE-494 Download of Code Without Integrity Check
 67.8 CWE-863 Incorrect Authorization
 66.0 CWE-829 Inclusion of Functionality from Untrusted Control Sphere
 65.5 CWE-732 Incorrect Permission Assignment for Critical Resource
 64.6 CWE-676 Use of Potentially Dangerous Function
 64.1 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
 62.4 CWE-131 Incorrect Calculation of Buffer Size
 61.5 CWE-307 Improper Restriction of Excessive Authentication Attempts
 61.1 CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
 61.0 CWE-134 Uncontrolled Format String
 60.3 CWE-190 Integer Overflow or Wraparound
 59.9 CWE-759 Use of a One-Way Hash without a Salt
Details of each weakness is given by http://cwe.mitre.org/top25/index.html#Details
It includes Summary , Weakness Prevalence, Consequences, Remediation Cost, Ease of Detection ,Attacker Awareness and Attack Frequency .In addition the following sections describe each software vulnerability in detail- Technical Details ,Code Examples ,Detection Methods ,References,Prevention and Mitigation, Related CWEs and Related Attack Patterns.
Other important software weaknesses are –
 CWE-770: Allocation of Resources Without Limits or Throttling
 CWE-129: Improper Validation of Array Index
 CWE-754: Improper Check for Unusual or Exceptional Conditions
 CWE-805: Buffer Access with Incorrect Length Value
 CWE-838: Inappropriate Encoding for Output Context
 CWE-330: Use of Insufficiently Random Values
 CWE-822: Untrusted Pointer Dereference
 CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
 CWE-212: Improper Cross-boundary Removal of Sensitive Data
 CWE-681: Incorrect Conversion between Numeric Types
 CWE-476: NULL Pointer Dereference
 CWE-841: Improper Enforcement of Behavioral Workflow
 CWE-772: Missing Release of Resource after Effective Lifetime
 CWE-209: Information Exposure Through an Error Message
 CWE-825: Expired Pointer Dereference
 CWE-456: Missing Initialization
Here is an example of the new matrix for migrations that also list the top 25 errors . This thus shows a way to fix the weaknesses and relative impact on each weakness by the following mitigations.
Effectiveness ratings include:
- High: The mitigation has well-known, well-understood strengths and limitations; there is good coverage with respect to variations of the weakness.
- Moderate: The mitigation will prevent the weakness in multiple forms, but it does not have complete coverage of the weakness.
- Limited: The mitigation may be useful in limited circumstances, only be applicable to a subset of this weakness type, require extensive training/customization, or give limited visibility.
- Defense in Depth (DiD): The mitigation may not necessarily prevent the weakness, but it may help to minimize the potential impact when an attacker exploits the weakness.
Within the matrix, the following mitigations are identified:
- M1: Establish and maintain control over all of your inputs.
- M2: Establish and maintain control over all of your outputs.
- M3: Lock down your environment.
- M4: Assume that external components can be subverted, and your code can be read by anyone.
- M5: Use industry-accepted security features instead of inventing your own.
The following general practices are omitted from the matrix:
- GP1: Use libraries and frameworks that make it easier to avoid introducing weaknesses.
- GP2: Integrate security into the entire software development lifecycle.
- GP3: Use a broad mix of methods to comprehensively find and prevent weaknesses.
- GP4: Allow locked-down clients to interact with your software.
|High||DiD||Mod||CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)|
|Mod||High||DiD||Ltd||CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)|
|Mod||High||Ltd||CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)|
|Mod||High||DiD||Ltd||CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)|
|Mod||DiD||Ltd||CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)|
|Mod||DiD||Ltd||CWE-131: Incorrect Calculation of Buffer Size|
|High||DiD||Mod||CWE-134: Uncontrolled Format String|
|Mod||DiD||Ltd||CWE-190: Integer Overflow or Wraparound|
|High||CWE-250: Execution with Unnecessary Privileges|
|Mod||Mod||CWE-306: Missing Authentication for Critical Function|
|Mod||CWE-307: Improper Restriction of Excessive Authentication Attempts|
|DiD||CWE-311: Missing Encryption of Sensitive Data|
|High||CWE-327: Use of a Broken or Risky Cryptographic Algorithm|
|Ltd||CWE-352: Cross-Site Request Forgery (CSRF)|
|Mod||DiD||Mod||CWE-434: Unrestricted Upload of File with Dangerous Type|
|DiD||CWE-494: Download of Code Without Integrity Check|
|Mod||Mod||Ltd||CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)|
|Mod||High||DiD||CWE-676: Use of Potentially Dangerous Function|
|Ltd||DiD||Mod||CWE-732: Incorrect Permission Assignment for Critical Resource|
|High||CWE-759: Use of a One-Way Hash without a Salt|
|DiD||High||Mod||CWE-798: Use of Hard-coded Credentials|
|Mod||DiD||Mod||Mod||CWE-807: Reliance on Untrusted Inputs in a Security Decision|
|High||High||High||CWE-829: Inclusion of Functionality from Untrusted Control Sphere|
|DiD||Mod||Mod||CWE-862: Missing Authorization|
|DiD||Mod||CWE-863: Incorrect Authorization|