The first step in solving a problem is to recognize that it does exist. Zig Ziglar
It is important for us to know what the weaknesses in computer systems are in order to know how to secure them. To that end, MITRE maintains lists of computer vulnerabilities and weaknesses in software systems. They recently updated their list of weaknesses, the Common Weakness Enumeration (CWE). It is a community-developed list that helps cybersecurity professionals identify weaknesses so they can be addressed. From the site:
“CWE™ is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.”
One major benefit of the list is the “common language” allowing practitioners to discuss the issues in a standard way.
The CWE Top 25 list was recently updated. Updates to the list may reflect new weaknesses, new mitigations, or more information about known weaknesses. Sadly, there has been little change at the top of the Top 25. Improper Input Validation, SQL Injection, and Information Exposure are still on the list. These and many others from the top of the list are discussed in Learning Tree’s Introduction to Cybersecurity and Introduction to Cybersecurity – a Starter Guide.
The list not only describes the issues in detail but often includes programming examples illustrating the weaknesses as well as instructions on how to avoid those weaknesses in software design and coding.
Let’s look at three weaknesses:
Many of these weaknesses are simple oversights: a programmer checks a number against a maximum, but not a minimum, for instance. The biggest problem is that programmers are taught – not explicitly, of course – that a program is good if it “works” for specified input. Few are taught to program defensively: for example, to check every input, array reference, and system call to ensure that the result is within the bounds of expectations.
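The “maximum but not minimum” oversight above, beside a defensive version of the same lookup, as an added example that is not part of the original post. The function names, the list contents and the sample inputs are constructed for illustration; the code shows why checking only one bound lets a negative index through, and what checking every input, array reference and system call looks like in practice.

```python
"""Added example (not from the original post): an input check that tests only the
upper bound, next to a defensive rewrite that validates the input and both bounds.
All names and sample data here are constructed for illustration."""
from typing import Optional, Sequence


def lookup_loose(items: Sequence[str], index: int) -> Optional[str]:
    """The oversight: only the maximum is checked. A negative index passes the
    test and Python silently reads from the end of the list instead of failing."""
    if index < len(items):
        return items[index]
    return None


def parse_index(raw: str) -> Optional[int]:
    """Turn an untrusted string into an int, or return None for anything that is
    not a plain decimal integer (empty, too long, '1e3', '0x10', '1.5', ...)."""
    raw = raw.strip()
    if not raw or len(raw) > 10:          # refuse absurdly long input early
        return None
    digits = raw[1:] if raw[0] in "+-" else raw
    if not (digits.isascii() and digits.isdecimal()):
        return None
    return int(raw)


def lookup_defensive(items: Sequence[str], raw_index: str) -> Optional[str]:
    """Defensive version: validate the input first, then check BOTH bounds
    explicitly before touching the array."""
    index = parse_index(raw_index)
    if index is None:
        return None
    if index < 0 or index >= len(items):  # minimum and maximum
        return None
    return items[index]


def read_small_file(path: str, max_bytes: int = 4096) -> Optional[bytes]:
    """Check the result of each system call instead of assuming success:
    open()/read() can fail, and the file may be larger than expected."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes + 1)  # read one extra byte to detect overrun
    except OSError:
        return None
    if len(data) > max_bytes:
        return None
    return data


if __name__ == "__main__":
    # Constructed sample data: a three-element table and a few untrusted inputs.
    table = ["alpha", "beta", "gamma"]
    for raw in ["2", "-1", "3", " 1 ", "1e1", ""]:
        loose = lookup_loose(table, int(raw)) if raw.strip().lstrip("+-").isdigit() else "n/a"
        print(f"{raw!r:8} loose={loose!s:8} defensive={lookup_defensive(table, raw)}")
```

Running the block prints the two behaviours side by side: the loose check returns `gamma` for the input `-1`, while the defensive version returns `None` for it and for every malformed string.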
The CWE list should help programmers and developers identify potential weaknesses in their code, and, importantly, it should help educators make students aware of how to program defensively.
To your safe computing,