
Feb 25, 2010 13:51 GMT  ·  By

Mid-February 2010 brought with it the release of the CWE/SANS Top 25 Most Dangerous Programming Errors, a comprehensive list designed to highlight the most severe mistakes programmers make when writing code for their applications. The collection of programming errors is of crucial relevance to developers, because bugs in software generally lead to vulnerabilities that attackers can subsequently exploit. Microsoft helped put together the CWE/SANS Top 25 for 2010, and Michael Howard, senior security program manager in the Security Engineering group at Microsoft, revealed that the Redmond company already had the solution for correcting the issues outlined in the list: the Security Development Lifecycle.

“The SDL maps very nicely to the 2010 Top 25, just as it did in 2009. Every one of the Top 25 is covered by one or more SDL requirements, and most of them are also covered by an automated SDL verification tool or secure coding library. Even CWE 98, "PHP File Inclusion," is covered by the SDL in our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft,” Howard stated.

On the left, developers will find the list outlining the top 25 most dangerous programming errors of 2010, which can also be accessed via this link. Microsoft has set up a website dedicated to the Security Development Lifecycle, a hub that simplifies access to all the resources associated with its security best practices. It is important to underline that the SDL applies to all software development processes, not just to Microsoft technologies, and that the SDL resources are available free of charge.

“The reason that we address issues like PHP file inclusion in the SDL is that we don't simply wait for new vulnerability taxonomies to be released and then rush to add mitigations to our security processes; rather, we structure the SDL to provide developers with fundamentally sound, secure programming practices. As a result, we cover not just the known vulnerabilities of today (like the Top 25) but also many of the unknown vulnerabilities that will be discovered tomorrow. The fact that all of the Top 25 are addressed by the SDL is a great validation, but it is the result of the content of our process and not the cause,” Howard added.
