The CWE/SANS Top 25 Most Dangerous Software Errors: What it means for embedded developers
By Bill Graham
The CWE/Sans Top 25 is fairly well known among security experts but might be overlooked by embedded developers since the list covers all types of systems and programming languages. Developers are fully aware of the quality impacts of many of these errors however they may be less knowledgeable of the security implications. The classic example is the buffer overflow error – all programmers know this is a bad thing and can cause a program to crash or become unresponsive. However, many developers fail to realize that an attacker can trigger these errors to execute code, reveal data or cause a denial of service attack.
The Top 25 list is a “who’s who” of dangerous errors that are the most commonly reported security vulnerabilities. This year’s RSA conference theme was ‘Security in Knowledge,’ and Wind River couldn’t agree more — mitigating the risk of these errors is the first step to improving your device’s security. In this post I will point out what the 10 most important errors are from the top 25 list that embedded developers need to be aware of. In a subsequent post I’ll discuss the mitigation strategies and the role of automated tools in detecting and removing these errors.
The Big 10 Coding Errors and Impact for Embedded Developers
Some of the Top 25 are more applicable to embedded developers than others and arguably have a different priority. Also, some of the errors are from coding errors while others are configuration errors (or a combination of both.) In this case we’ve identified Wind River’s choice for the vulnerabilities that are most likely to impact embedded developers from this list. The “Big 10” errors that embedded developers are likely to encounter are as follows.