comp.lang.ada
* MITRE's top-25 list of 2020 software-bug categories
From: Andreas ZEURCHER @ 2020-08-22 16:31 UTC (permalink / raw)



https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs

Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard.  Others of the 25 are design-level, almost independent of programming language.  Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory-filename string-processing that could conceivably be done just as badly in Ada.

Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well.

* defense contractor


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Jeffrey R. Carter @ 2020-08-22 21:30 UTC (permalink / raw)


On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
> 
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs

This gives me a "not found" error.

-- 
Jeff Carter
"I spun around, and there I was, face to face with a
six-year-old kid. Well, I just threw my guns down and
walked away. Little bastard shot me in the ass."
Blazing Saddles
40


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Luke A. Guest @ 2020-08-23  1:36 UTC (permalink / raw)


On 22/08/2020 22:30, Jeffrey R. Carter wrote:
> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>
>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>>
> 
> This gives me a "not found" error.
> 

Same.

Would've been nice if you'd also given the examples and how Ada
solved them.


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Luke A. Guest @ 2020-08-23  1:38 UTC (permalink / raw)


On 23/08/2020 02:36, Luke A. Guest wrote:
> On 22/08/2020 22:30, Jeffrey R. Carter wrote:
>> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>>
>>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>>>
>>
>> This gives me a "not found" error.
>>
> 
> Same.
> 
> Would've been nice if you'd also given the examples and how Ada
> solved them.
> 

I did a search for the last part of the URL and got the same URL but
working.


* Re: MITRE's top-25 list of 2020 software-bug categories
From: darkestkhan @ 2020-08-23  6:25 UTC (permalink / raw)


On Sunday, August 23, 2020 at 1:40:09 AM UTC, Luke A. Guest wrote:
> On 23/08/2020 02:36, Luke A. Guest wrote: 
> > On 22/08/2020 22:30, Jeffrey R. Carter wrote: 
> >> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote: 
> >>> 
> >>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs 
> >>> 
> >> 
> >> This gives me a "not found" error. 
> >> 
> > 
> > Same. 
> > 
> > Would've been nice if you'd also given the examples and how Ada
> > solved them.
> >
> I did a search for the last part of the URL and got the same URL but
> working.

Not the same...
Correct URL is:
https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs/

Notice that trailing slash :D


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Florian Weimer @ 2020-08-23 14:43 UTC (permalink / raw)


* Jeffrey R. Carter:

> This gives me a "not found" error.

I think the original is here:

  <https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html>


* Re: MITRE's top-25 list of 2020 software-bug categories
From: nobody in particular @ 2020-08-24 16:55 UTC (permalink / raw)


On 22/08/2020 21:30, Jeffrey R. Carter wrote:
> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>
>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs 
>>
> 
> This gives me a "not found" error.

That was #26 on the list but they had to cut it off somewhere.


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Shark8 @ 2020-08-25 19:09 UTC (permalink / raw)


On Saturday, August 22, 2020 at 10:31:16 AM UTC-6, Andreas ZEURCHER wrote:
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs 
> 
> Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard. Others of the 25 are design-level, almost independent of programming language. Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory-filename string-processing that could conceivably be done just as badly in Ada.
> 
> Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well. 
> 
> * defense contractor

The interesting portion, in tabular form:

Rank  ID       Score  Name
   1  CWE-79   46.82  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
   2  CWE-787  46.17  Out-of-bounds Write
   3  CWE-20   33.47  Improper Input Validation
   4  CWE-125  26.50  Out-of-bounds Read
   5  CWE-119  23.73  Improper Restriction of Operations within the Bounds of a Memory Buffer
   6  CWE-89   20.69  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
   7  CWE-200  19.16  Exposure of Sensitive Information to an Unauthorized Actor
   8  CWE-416  18.87  Use After Free
   9  CWE-352  17.29  Cross-Site Request Forgery (CSRF)
  10  CWE-78   16.44  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  11  CWE-190  15.81  Integer Overflow or Wraparound
  12  CWE-22   13.67  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  13  CWE-476   8.35  NULL Pointer Dereference
  14  CWE-287   8.17  Improper Authentication
  15  CWE-434   7.38  Unrestricted Upload of File with Dangerous Type
  16  CWE-732   6.95  Incorrect Permission Assignment for Critical Resource
  17  CWE-94    6.53  Improper Control of Generation of Code ('Code Injection')
  18  CWE-522   5.49  Insufficiently Protected Credentials
  19  CWE-611   5.33  Improper Restriction of XML External Entity Reference
  20  CWE-798   5.19  Use of Hard-coded Credentials
  21  CWE-502   4.93  Deserialization of Untrusted Data
  22  CWE-269   4.87  Improper Privilege Management
  23  CWE-400   4.14  Uncontrolled Resource Consumption
  24  CWE-306   3.85  Missing Authentication for Critical Function
  25  CWE-862   3.77  Missing Authorization


* Re: MITRE's top-25 list of 2020 software-bug categories
From: Andreas ZEURCHER @ 2020-08-25 19:43 UTC (permalink / raw)


On Saturday, August 22, 2020 at 8:38:27 PM UTC-5, Luke A. Guest wrote:
> On 22/08/2020 22:30, Jeffrey R. Carter wrote: 
> > On 8/22/20 6:31 PM, Andreas ZEURCHER wrote: 

Corrected the missing slash on the right end:
https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs/

> > This gives me a "not found" error. 
> >
> Same. 
> 
> Would've been nice if you'd also given the examples and how Ada
> solved them.

I am not going to write an entire textbook here on c.l.a, but here are the nine of the top twenty-five subcategories that I consider Ada to be diligently trying to mitigate or eliminate when properly utilized:
• 2nd-most frequent: CWE-787  Out-of-bounds Write
• 3rd-most frequent: CWE-20  Improper Input Validation
• 4th-most frequent: CWE-125  Out-of-bounds Read
• 5th-most frequent: CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer
• 8th-most frequent: CWE-416  Use After Free
• 11th-most frequent: CWE-190  Integer Overflow or Wraparound
• 13th-most frequent: CWE-476  NULL Pointer Dereference
• 17th-most frequent: CWE-94  Improper Control of Generation of Code ('Code Injection')
• 23rd-most frequent: CWE-400  Uncontrolled Resource Consumption

On Monday, August 24, 2020 at 11:55:46 AM UTC-5, nobody in particular wrote:
> On 22/08/2020 21:30, Jeffrey R. Carter wrote: 
> > On 8/22/20 6:31 PM, Andreas ZEURCHER wrote: 
> >> 
> >> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs 
> >> 
> > 
> > This gives me a "not found" error.
> That was #26 on the list but they had to cut it off somewhere.

There are 1,248 Common Weakness Enumerations (CWEs) that MITRE lobs against software development (instead of against hardware development), so you can peruse the 26th through 1,248th if you so desire.  Query 699 is the one for looking at the full inventory of subcategories of software defects.  These 1,248 subcategories (and the aforementioned top-25 subcategories) fall into 40 more-macroscopic broader categories.

https://cwe.mitre.org/data/definitions/699.html

I claim that next-gen Ada (AdaNG, pronounced “a dang” as in do we give a dang or not) would use these 1,248 categories as a measuring stick of the expressibility of software-engineering correctness, just as HOLWG's Green and Ada used Steelman as a measuring stick of the ability to express software-engineering correctness.

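An added illustration of the claim in the post above, not code from the thread or from any of its authors: one small Ada program whose constrained subtypes, bounds checks, overflow checks and null exclusions turn four of the nine listed weaknesses (CWE-787/125/119, CWE-20, CWE-190, CWE-476) into a Constraint_Error at the faulting statement rather than silent corruption. All names are hypothetical and the inputs are constructed; it assumes a compiler with run-time checks enabled (GNAT's -gnato overflow checking, on by default in current releases).

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Cwe_Checks is
   --  CWE-787/125/119: every index is checked against the array bounds,
   --  so a bad index raises Constraint_Error instead of touching memory.
   type Buffer is array (1 .. 8) of Character;
   Buf : Buffer := (others => ' ');
   --  CWE-20: the legal range of a parsed value is part of its subtype.
   subtype Port_Number is Integer range 1 .. 65_535;
   --  CWE-476: a null-excluding subtype can never hold null.
   type Raw_Ptr is access all Integer;
   subtype Safe_Ptr is not null Raw_Ptr;
   --  Constructed inputs (not from the thread) that a C program would
   --  silently mishandle.
   Index   : Integer         := Buf'Last + 1;
   Text    : constant String := "70000";
   Counter : Integer         := Integer'Last;
   Raw     : Raw_Ptr         := null;

   procedure Oob_Write is begin Buf (Index) := 'x'; end Oob_Write;
   procedure Bad_Input is
      Port : Port_Number;
   begin
      Port := Port_Number'Value (Text);   -- range check on assignment
   end Bad_Input;
   --  CWE-190: overflow checks raise rather than wrap around.
   procedure Overflow is begin Counter := Counter + 1; end Overflow;
   procedure Null_Deref is
      Ptr : Safe_Ptr := Raw;              -- null-exclusion check fires here
   begin
      Ptr.all := 0;
   end Null_Deref;

   --  Runs one probe and reports whether a run-time check stopped it.
   procedure Probe (Label : String; Run : not null access procedure) is
   begin
      Run.all;
      Put_Line (Label & ": no check fired");
   exception
      when Constraint_Error => Put_Line (Label & ": Constraint_Error");
   end Probe;
begin
   Probe ("CWE-787 out-of-bounds write", Oob_Write'Access);
   Probe ("CWE-20 input validation",     Bad_Input'Access);
   Probe ("CWE-190 integer overflow",    Overflow'Access);
   Probe ("CWE-476 null dereference",    Null_Deref'Access);
end Cwe_Checks;
```

Each probe is expected to print "Constraint_Error"; the compiler may additionally warn at build time that some of these checks are statically known to fail, which is the same defence moved earlier.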
