[WEB SECURITY] 2009 Top 25 Programming Errors

Steven M. Christey coley at linus.mitre.org
Thu Jan 15 13:21:31 EST 2009

Sorry to step in late, I wasn't subscribed to this list.

Arian, your passionate arguments and concerns are understood and well
appreciated, and (un)fortunately most of them anticipated.  I think we're
all striving toward the same goal of more secure software.

Backdrop: I'm the primary author of the Top 25 document as posted on the
CWE web site.  We worked closely with SANS, but we were the authors of the
document. SANS helped bring in other contributors, and without them, there
would be no USA Today, BBC, etc. attention paid to this.  While MITRE is a
not-for-profit company and SANS is for-profit, we have worked together on
these kinds of efforts for almost 10 years now.

I'm exceedingly pleased with all the attention this has gotten.  It
appears that a lot of consumers don't even know that programmer errors are
the root cause of so many incidents out there.

As Chris Eng pointed out, the descriptions were informal in order to
gather attention of developers, who were a primary target audience (and
based on delicious bookmarks and others, looks like they're hearing it).
This was not a rash decision; I was genuinely concerned whether this was
the right approach and asked the Top 25 group for their feedback on this,
and nearly all of the people who expressed an opinion were in favor.
There's obviously some backlash, but with such a diverse audience, that's
going to happen.

As Chris also pointed out, the CWE web site has more technical content
that may be more appropriate for programmers.  The linkage to "pure" CWE
is not sufficient on the current top 25 page, so we're working on that

I do think of the Top 25 as an awareness tool and as a huge stick for
customers to use to start asking for more secure software.  It looks like
developers are hearing about this.  It is also prompting them to speak out
about how the push to release overrides security - OK so it's only in the
blogosphere but there you go.

Maybe the message is too simplistic, but I don't think it's a coincidence
that Paul Kurtz, an author of the US National Strategy to Secure
Cyberspace, asked "What took you so long [to come up with this list]?"
He, and many others, probably view this kind of concrete effort as long
overdue from the security community.

Gary McGraw has also posted on the dangers of the Top 25.  And I think
that's perfectly fine.  The Top 25 gets our foot in the door for the REAL
change in language for procurement.

If you look at the text of the New York State procurement language at
http://www.sans.org/appseccontract/ you will quickly see that the Top 25
is one bullet.

By the way, the OWASP efforts for contract language are also very strong.
I suggest promoting these efforts *NOW* while people are still paying
attention.  (We should probably link to them from the Top 25 page,

Maybe I'm wrong in taking such a long and optimistic view, but there you

- Steve

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list