image
Mitre Corp. recently updated its list of the top 25 most dangerous software bugs, and it’s little surprise that a number of them have been on that list for years. The Common Weakness Enumeration (CWE) list represents vulnerabilities that have been widely known for years, yet are still being coded into software and being bypassed by testing. Both developers and testers presumably know better by now, but still keep making the same mistakes in building applications. We’ll review the vulnerabilities that seem to consistently make the top 25 list over the years. But first, how do these mistakes come about? There are a variety of reasons. In many cases, developers simply don’t have security at the tops of their minds as they are coding the application. Their primary goal is to get the business logic right. In cases where a particular algorithm doesn’t seem to be working right, developers have been known to turn off security restrictions until it behaved as expected. Developers lose face when their application has a logic bug, but not when there is a potential security vulnerability, because these are largely hidden until they are exploited. Testers have a more direct responsibility for ensuring applications are secure, but usually have limited tools and expertise for doing so. They are almost always testing code in isolation, often with no database, APIs or network. Without a way to look into memory, or create illegal commands, and interpret the results in terms of an attack,…

Source