I’ve been telling customers for years that most security exploits are caused by a small number of software defects (you can download my white paper on Software Security and see how to mitigate enterprise software vulnerabilities systematically using Business threat modeling
Still it’s amazing how the trade press are gushing on this – must have been a slow news day – or maybe the SANS/MITRE folks paid a bit extra to their PR people. The SANS Institute have been publishing a SANS Top 10 for years but this work is much more comprehensive and detailed.
Even if there is not cosmic news involved (“validate input”, “don’t give too much authorization” etc…) perhaps the tail wind from DHS will help more software vendors get with the agenda of writing more secure code. Schneier may have his wish come true – if the Top 25 gets written into purchasing contracts.
Cynicism aside this is a GOOD thing – click here for the CWE Top 25 software bugs
I’m looking at a PHP application right now (doing an initial software security assessment and I’m seeing stuff like URL hacking, and non-validated input – stuff like:
SQL Error: ERROR: invalid input syntax for integer: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"