Top 25 Software Errors (original) (raw)

Resources to Help Eliminate The Top 25 Software Errors

1. SANS Application Security Courses

The SANS Cloud Security curriculum seeks to ingrain security into the minds of every developer in the world by providing world-class educational resources to design, develop, procure, deploy, and manage secure software. The SANS cloud security and DevSecOps faculty are real-world practitioners with decades of application security experience. The concepts covered in our courses will be applicable to your software security program the day you return to work:

• SEC522: Application Security: Securing Web Apps, APIs, and Microservices
• SEC540: Cloud Security and DevSecOps Automation

SANS maintains an Application Security CyberTalent Assessment that measures secure coding skills and allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations can learn more at https://www.sans.org/cybersecurity-assessments/application-security/

2. Developer Security Awareness Training

The SANS Security Awareness Developer product provides pinpoint software security awareness training on demand, all from the comfort of your desk. Application security awareness training includes over 30+ modules averaging 7-10 minutes in length to maximize learner engagement and retention. The modules cover the full breadth and depth of topics for PCI Section 6.5 compliance and the items that are important for secure software development.

3. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites

CWE Top 25 Software Errors Site

MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

4. SAFECode

The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.

Fundamental Practices for Secure Software Development 3rd Edition

https://safecode.org/publications/#safecodepublications-2362

Overview of Software Integrity Controls

https://safecode.org/publications/#safecodepublications-189

Framework for Software Supply Chain Integrity

https://safecode.org/publications/#safecodepublications-188

Fundamental Practices for Secure Software Development

https://safecode.org/publications/#safecodepublications-186

Software Assurance: An Overview of Current Industry Best Practices

https://safecode.org/publications/#safecodepublications-185

5. Software Assurance Community Resources Site and DHS web sites

As part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.

6. Nearly a dozen software companies offer automated tools that test programs for these errors.