Category Archives: Intelligence

CWE/SANS Top 25 released today

Update: Read about Gary McGraw’s take on Top N lists.
MITRE and SANS released the CWE/SANS Top 25 Most Dangerous Programming Errors list today. This list is an attempt at being more code-centric than other similar lists, such as the OWASP Top 10.
Although these lists cover what is often considered “low-hanging fruit” vulnerabilities or the coding [...]

Consistency is important

With so many APIs and frameworks out there, there are many different ways to accomplish the same task. The problem is that each way (or method) usually exhibits different behavior when given malicious input. The challenge for us is to (1) find bad behavior in the APIs/frameworks we use, (2) apply fixes consistently, and (3) remember all of the ways things can go wrong. (1) is difficult but doable, (2) is more challenging, and (3) is arguably impossible for a person to do alone. The fact that APIs change frequently, even if changed for the better, exacerbates the problem because it’s costly to go back and consistently make changes across existing applications.