Software security is a serious issue in the present age and must be taken seriously by programmers. The question is how seriously we actually take it, especially in our part of the world, where we are gradually making a name for ourselves in software design. Google is only now beginning to recognize and engage with our rapidly growing IT industry. If we do not want to die out before we ever get on our feet, we must start well and start strong, and software security is one of the issues that must be taken seriously, especially in web design and web-based programming, where your software can be accessed by anyone from anywhere.
To help in this area, the Common Weakness Enumeration (CWE), a community-developed list of software weakness types, is an excellent place to start. The documentation is freely available and is prepared by experts in the industry. CWE is sponsored by the cyber security division of the U.S. Department of Homeland Security.
CWE catalogues software weaknesses by category and by platform (Java, C, web applications and others), and the list is updated regularly. Each entry describes the weakness, how attackers can exploit it to compromise the software, and, most importantly, the steps to take to avoid it.
The latest version of the list (version 2.0, released on 1 June 2011) can be found here. Some of the weaknesses it lists are highlighted below.
CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
The application configuration should ensure that SSL/TLS, or an encryption mechanism of equivalent strength and vetted reputation, is used for all access-controlled pages.
CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length
The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, he or she may be able to take over the user's session (session hijacking). The number of possible session IDs grows exponentially with the session ID length, making it harder to guess a valid one.
Session identifiers should be at least 128 bits long to prevent brute-force session guessing; a shorter session identifier leaves the application open to brute-force guessing attacks. Length alone is not enough: the identifier must also be produced by a cryptographically secure random generator, since a 128-bit value derived from a predictable source (a counter or timestamp, for example) is still guessable.
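As an added illustration (not from the original post and not from the CWE entry itself), here is how the session ID length is pinned on Apache Tomcat, which is assumed as the container. The `sessionIdLength` attribute belongs to Tomcat's Manager element (Tomcat 6/7 syntax, in META-INF/context.xml) and its value is in bytes, so the 128-bit minimum above is 16 bytes. The first, commented-out Manager element shows the weak setting and the second the corrected one; a real file carries only one.

```xml
<!-- META-INF/context.xml (Apache Tomcat 7 assumed for this example) -->
<Context>

  <!-- WEAK: 4 bytes = 32 bits, i.e. roughly 4.3 billion possible IDs.
       An attacker who can send a few thousand requests per second can
       cover a meaningful fraction of that space within days, and every
       active session falling in that range is a potential hijack.
       Shown commented out so this file deploys with the safe value. -->
  <!--
  <Manager className="org.apache.catalina.session.StandardManager"
           sessionIdLength="4" />
  -->

  <!-- CORRECTED: 16 bytes = 128 bits, the minimum CWE-6 recommends.
       2^128 possible IDs makes brute-force guessing infeasible, provided
       the bytes come from a cryptographically secure generator (Tomcat
       draws them from java.security.SecureRandom by default). -->
  <Manager className="org.apache.catalina.session.StandardManager"
           sessionIdLength="16" />

</Context>
```

To check a deployed application, look at the JSESSIONID cookie the server sets: Tomcat hex-encodes the identifier, so 16 bytes appear as 32 hexadecimal characters. A noticeably shorter value is a sign of a misconfigured or custom session manager, and a value that changes predictably between two fresh sessions is a sign of a weak generator.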
CWE-7: J2EE Misconfiguration: Missing Custom Error Page
The default error page of a web application should not display sensitive information about the
A web application must define a default error page for 4xx errors (e.g. 404) and 5xx errors (e.g. 500), and catch java.lang.Throwable exceptions, to prevent attackers from mining information from the application container's built-in error response.
Handle exceptions appropriately in source code.
Always define appropriate error pages.
Do not attempt to process an error or attempt to mask it.
Verify that return values are correct and do not supply sensitive information about the system.
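The following deployment descriptor is added here as an example; it is not part of the original post or of the CWE entries. It shows the web.xml settings that address both CWE-5 and CWE-7 in a standard J2EE/Java EE web application. Servlet 3.0 syntax is assumed, and the URL pattern /account/* and the error page locations under /WEB-INF/errors/ are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (Servlet 3.0 syntax assumed for this example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- CWE-5: force SSL/TLS for every access-controlled URL.
       CONFIDENTIAL makes the container redirect plain-HTTP requests for
       these paths to HTTPS. The weak setting is NONE, or simply omitting
       the user-data-constraint, which lets the pages be served over
       cleartext HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/account/*</url-pattern>   <!-- placeholder path -->
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Companion to CWE-5: the session cookie itself must never travel
       over HTTP, otherwise the session ID is exposed in transit
       regardless of the transport guarantee above. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <!-- CWE-7: custom error pages for 4xx and 5xx status codes, plus a
       catch-all for java.lang.Throwable so that unhandled exceptions
       never reach the container's default page (which typically prints
       the exception message, a stack trace and the container version).
       The pages live under /WEB-INF so they cannot be requested directly
       and are only reached through the container's internal forward. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/errors/not-found.jsp</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/WEB-INF/errors/forbidden.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/errors/server-error.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/server-error.jsp</location>
  </error-page>

</web-app>
```

The error JSPs themselves must stay simple: they should not echo the requested URL, the exception message or any stack trace back to the user. Log those details server-side and show a generic message, with an opaque reference ID if support staff need to correlate reports with the log. A quick check after deployment is to request a URL that does not exist and one that is known to raise an exception, and to confirm that neither response contains a stack trace or the container's name and version.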
Other entries include:
CWE-18: Source Code
CWE-20: Improper Input Validation
CWE-21: Pathname Traversal and Equivalence Errors
In total, the list contains 863 entries.
The site also provides a dictionary view covering all entries (CWE-2000), alongside the views organised by platform.
Another helpful document on the website is the list of the Top 25 Most Dangerous Software Errors, which I think is a good place to start.
To all programmers in the house, let's strive for excellent, secure software design.