This past Wednesday, SANS and CWE released their 2010 top 25 programming errors list. The list contains many errors that are present in control systems, whether developed recently or a few years back. For example, Daniel Peck of Digital Bond wrote a paper showing what can happen when error #8 is introduced into a system. This isn’t to say that all the errors on the list will show up in control systems (i.e. #23 – URL Redirection…), but enough do to make this an interesting read. Now on to some general thoughts regarding the list.
Specifically, 11 out of the 25 errors have a low remediation cost and have been used in 0-day exploits. This means that they are easy to exploit because they are easy to find within systems. Also, we’ve recently been discussing several ways to minimize vulnerabilities on the blog (i.e. SDLC, Change Management, etc.), but we have yet to discuss the awareness aspect of the problem. We can scream at the top of our lungs about how we need better designed/patched/hardened systems, but we also need to ensure that software engineers and developers are taught about these mistakes and how not to make them.