[WEB SECURITY] 2009 Top 25 Programming Errors

Arian J. Evans arian.evans at anachronic.com
Wed Jan 14 15:35:33 EST 2009


I am not in any way attacking or denigrating CWE
or Mitre. CWE is a fine effort by the first rate minds
over at Mitre.

My comments are about this "Top 25" list.

These are "standards" because they are being used as
a "standards" banner for products, contracts, RFPs, etc.
already and will continue to be like other Top SANS lists.

As I've said to several folks: It is an amateur piece of
work that will simply reinforce the amateur nature of most
security professionals to business owners and seasoned
software developers. Apology to anyone whose kid I'm
calling ugly here, but your kid is ugly.

The WASC TC is a better guideline of issues with web
software and in most ares more effective for communication.

I know there are those that dislike these "Top N" lists
but the spirit of this Top 25 is fine in my book.

I would like to see a more professional list published and
maintained by OWASP or WASC.

My main criticism of this Top 25 list is with the content
and the descriptions. Fixable? Sure.

The fact that this was released is such an unprofessional
state solidifies in my mind that Mitre and SANS are not
the folks to be maintaining this list.

I do not want to deal with this document and the inevitable
reality that will stem from it. I do not want to respond to
RFPs that ask if you test for "Failure to Protect Web Pages"
and I do not want to have to build reports that report on
this list with this garbage content and I do not want to
have to explain why the remediation language, costs, and
confusing suggestions are inaccurate or misguided.

Take the "Remediation Cost:" bucket. I used to use these
in my reports all the time, and agree with the spirit of intent
on including this in a "Top 25".

However -- the implementation in the Top 25 is misguided
and useless as a result and should be removed.

Half of the list is marked "Low" and there are even items
marked "Low to High". (? why bother)

There is no explanation or justification for any of it other than
letting people know "this stuff is easy to fix".

The reality of the cost of remediation is contextual to software
and a business capacity and situation. Any effort to communicate
cost should clearly communicate these realities and give the
reader some notion of context, what they need to consider
when evaluating cost, or simply be removed. Statistically
speaking, the more likely you are to have massive XSS issues
the more likely you are to have a hard time fixing it (because
you've got a mess of ASP classic spaghetti code that got
you where you are today). But I digress.

I could go on criticizing but I won't. I will recommend that
WASC or OWASP make a new Top 10 or Top 25 list and
that we tackle the same spirit of intent, understanding that
it will instantly become a "standard".

Barring that we are going to live with this document for
a while, and I am voicing my discontent.

Steven @ Mitre is a smart guy and I bet this will improve
over time if he starts filtering whom he listens too and
who is allowed to contribute content. Or provides a guideline
for content copy. Given who will use this and how it will
be used this should be a very professional business document,
not security-nerd speak with Star Treck naming conventions.

Folks who name their variables or servers R2D2 and C3PO
are probably not gonna agree with me here.

If I had seen this mess up for review before it was
published I would have commented or contributed
much earlier.


Feel free to note that I am too unmotivated to start my
own project to make a new Top N list.

Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi

On Wed, Jan 14, 2009 at 11:17 AM, Andy Steingruebl <steingra at gmail.com> wrote:
> On Wed, Jan 14, 2009 at 10:20 AM, Arian J. Evans
> <arian.evans at anachronic.com> wrote:
>> For all of you ignoring this -- this is going to replace the OWASP Top
>> 10 and WASC TC 1.0 or 2.0 etc. That is the goal/agenda of SANS & CWE.
>> Begin press releases, beat the marketing campaign drums.
> How are any of these "Standards" anyway?  I'm not sure I understand
> what you're getting at here.  Are you saying there ought to be some
> standard that tells people what they have to check for and that ought
> to be the TC2.0?  If so, I think that is misguided as well.
> In either case though people are looking for requirements to stick
> into software purchase contracts to describe minimum security levels
> for something.  None of these lists is particularly well suited to
> that task, but at the same time the CC (Common Criteria) wasn't
> exactly fitting that need either.  Maybe you'd like to write a
> protection profile that your COTS software must meet?  Not me.
> So, while the language of the list of items might not be perfect, I do
> have a lot of respect for the CWE itself, as it does a pretty good job
> as a taxonomy.
> What are you looking to have produced to counter this?  How does the
> TC fit into that at all?
> --
> Andy Steingruebl
> steingra at gmail.com

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list