2009 CWE/SANS Top 25 Supporting Quotes

The 2009 CWE/SANS Top 25 Programming Errors project is a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix.
— Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corp.

When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task. Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs.
— Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair

The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.
— Tony Sager, National Security Agency's Information Assurance Directorate

The 2009 CWE/SANS Top 25 Programming Errors reflects the kinds of issues we've seen in application software and helps provide us with actionable direction to continuously improve the security of our software.
— Wesley H. Higaki, Director, Software Assurance, Office of the CTO, Symantec Corporation

A prioritized list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.
— Chris Wysopal, Co-Founder and CTO of Veracode, Inc.

Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.
— Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode)

The Top 25 List puts a powerful tool into the hands of the programmers along with every person involved in designing and developing software. The simple fact that such a list now exists will allow software assurance to be practiced more effectively.
— Dan Reddy, Consulting Product Manager, EMC Product Security Office

As an advocate for the consumer this is viewed as a giant step forward in providing security for all users. It increases awareness of the various levels of secure software by highlighting its effects on our daily use of all software products. The CWE/SANS Top 25 effort adds the capability to our tool box which in turn aids the SwAC in our mission to bring together Industry and Government to transform the security and dependability of all software products.
— Dan Wolf, Director, Software Assurance Consortium

The CWE top 25 should be watched because targeting the most troublesome programming mistakes can potentially reduce the occurrence of vulnerabilities and our exposure at a national level, while diminishing our undesirable dependence on patches.
— Pascal Meunier, CERIAS, Purdue University

The CWE/SANS Top 25 effort is extremely valuable and will provide many organizations with a tangible way to begin addressing software security problems.
— Michael Klosterman, SCADA Operations, Western Area Power Association, US Department of Energy

Highlighting the critical types of programming failures is a valuable introduction to the complete taxonomy that must be referenced in order to reduce vulnerabilities during software construction. This is a big step in the right direction and should be adopted by organizations to incorporate as security rules in their programming standards documentation.
— Bill Vass, President & COO, Sun Microsystems Federal, Inc.

Let's use this list as a way to jump start the solutions - make 2009 a year to make things happen and solve these problems that have been around way too long. Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late.
— Ryan Berg, Co-Founder and Chief Scientist, Ounce Labs

This Top 25 is without a doubt one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The list, which has been created based on feedback from many experts in the security industry, focuses on selection criteria like severity and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in an easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2009 as they've made previously.
— Carsten Eiram, Chief Security Specialist, Secunia

This list of programming errors should be enormously useful to the community. It serves to help us all get our collective "arms around" understanding the most common security defects in our code, just as the OWASP Top 10 helps us understand the attacks against those defects.
— Kenneth R. van Wyk, KRvW Associates, LLC

The publication of a list of programming errors that enable cyber espionage and cyber crime represents an important turn in software security awareness from a system administrator-centered view [detect, respond, patch] to a software engineering-centered view [design, implement, verify].
— Konrad Vesey, Information Assurance Directorate, National Security Agency

This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities in need of a more rational way to address what are currently the most urgent and relevant software security problems.
— Ivan Arce, CTO of Core Security Technologies Inc.

The 2009 CWE/SANS Top 25 Programming Errors effort is right on target. By educating software developers on the most important issues and showing them how to avoid writing security bugs, this effort will help programmers correct code issues before they become security problems.
— Kent Landfield, Director, Risk and Compliance Security Research, McAfee, Inc.

Bugs in software are a plague on our profession and bad for business. They are inevitable, yet understanding of which bugs are most important is often gained the hard and expensive way when they show up in the field. The CWE/SANS Top 25 effort will raise awareness of the huge variety of different kinds of defects that can occur, and will help programmers focus on those that matter most to application quality and security.
— Paul Anderson, Vice President of Engineering, Grammatech Inc.

CWE is, without a doubt, the most promising taxonomy for computer security issues. The Top 25 CWE list is another well-done brick in the road to improve cataloging, detection, and teaching of application security related issues.
— Joshua J. Drake, iDefense Labs at VeriSign, Inc.

The CWE/SANS Top 25 List is an excellent tactical resource for organizations to prioritize and remediate the root causes of today's successful attacks. This should be required reading for all developers as it is a "Cliff Notes" version of essential secure coding principles.
— Ryan C. Barnett, Director of Application Security Research, Breach Security