* MITRE's top-25 list of 2020 software-bug categories
From: Andreas ZEURCHER @ 2020-08-22 16:31 UTC

https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs

Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard. Others of the 25 are design-level, almost independent of programming language. Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory/filename string-processing that could conceivably be done just as badly in Ada.

Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well.

* defense contractor
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Jeffrey R. Carter @ 2020-08-22 21:30 UTC

On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs

This gives me a "not found" error.

--
Jeff Carter
"I spun around, and there I was, face to face with a six-year-old kid. Well, I just threw my guns down and walked away. Little bastard shot me in the ass."
Blazing Saddles
40
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Luke A. Guest @ 2020-08-23 1:36 UTC

On 22/08/2020 22:30, Jeffrey R. Carter wrote:
> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>
>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>
> This gives me a "not found" error.

Same.

Would've been nice if you'd also given the examples and how Ada solved them.
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Luke A. Guest @ 2020-08-23 1:38 UTC

On 23/08/2020 02:36, Luke A. Guest wrote:
> On 22/08/2020 22:30, Jeffrey R. Carter wrote:
>> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>>
>>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>>
>> This gives me a "not found" error.
>
> Same.
>
> Would've been nice if you'd also given the examples and how Ada solved them.

I did a search for the last part of the url and got the same url but working.
* Re: MITRE's top-25 list of 2020 software-bug categories
From: darkestkhan @ 2020-08-23 6:25 UTC

On Sunday, August 23, 2020 at 1:40:09 AM UTC, Luke A. Guest wrote:
> On 23/08/2020 02:36, Luke A. Guest wrote:
>> On 22/08/2020 22:30, Jeffrey R. Carter wrote:
>>> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>>>
>>>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>>>
>>> This gives me a "not found" error.
>>
>> Same.
>>
>> Would've been nice if you'd also given the examples and how Ada solved them.
>
> I did a search for the last part of the url and got the same url but working.

Not the same... Correct url is:
https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs/

Notice that trailing slash :D
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Andreas ZEURCHER @ 2020-08-25 19:43 UTC

On Saturday, August 22, 2020 at 8:38:27 PM UTC-5, Luke A. Guest wrote:
> On 22/08/2020 22:30, Jeffrey R. Carter wrote:
>> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:

Corrected the missing slash on the right end:
https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs/

>> This gives me a "not found" error.
>
> Same.
>
> Would've been nice if you'd also given the examples and how Ada solved them.

I am not going to write an entire textbook here on c.l.a, but here are the nine of the top twenty-five subcategories that I consider Ada to be diligently trying to mitigate or eliminate when properly utilized:

• 2nd-most frequent: CWE-787 Out-of-bounds Write
• 3rd-most frequent: CWE-20 Improper Input Validation
• 4th-most frequent: CWE-125 Out-of-bounds Read
• 5th-most frequent: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
• 8th-most frequent: CWE-416 Use After Free
• 11th-most frequent: CWE-190 Integer Overflow or Wraparound
• 13th-most frequent: CWE-476 NULL Pointer Dereference
• 17th-most frequent: CWE-94 Improper Control of Generation of Code ('Code Injection')
• 23rd-most frequent: CWE-400 Uncontrolled Resource Consumption

On Monday, August 24, 2020 at 11:55:46 AM UTC-5, nobody in particular wrote:
> On 22/08/2020 21:30, Jeffrey R. Carter wrote:
>> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>>
>>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>>
>> This gives me a "not found" error.
>
> That was #26 on the list but they had to cut it off somewhere.

There are 1,248 Common Weakness Enumerations (CWEs) that MITRE lobs against software development (instead of against hardware development), so you can peruse the 26th through 1,248th if you so desire. Query 699 is the one for looking at the full inventory of subcategories of software defects. These 1,248 subcategories (and the aforementioned top-25 subcategories) fall into 40 more-macroscopic broader categories.

https://cwe.mitre.org/data/definitions/699.html

I claim that next-gen Ada (AdaNG, pronounced "a dang" as in do we give a dang or not) would use these 1,248 categories as a measuring stick of expressibility of software-engineering correctness, just as HOLWG's Green and Ada used Steelman as a measuring stick of the ability to express software-engineering correctness.
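The post above lists out-of-bounds write (CWE-787), out-of-bounds read (CWE-125), buffer-bounds violations (CWE-119), integer overflow (CWE-190) and NULL dereference (CWE-476) among the entries Ada mitigates "when properly utilized". The Ada procedure below is an added example written for this page, not code from any poster in the thread; it shows the three language features that do that work: a constrained array type whose every index expression is range-checked, an integer range type whose assignments are range-checked so arithmetic cannot silently wrap, and a null-excluding access type that makes storing null a compile-time error. The type names, the procedure name Cwe_Checks, and the sample "untrusted" index value 9 are all constructed for the illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Cwe_Checks is
   --  CWE-787 / CWE-125 / CWE-119: a constrained array type. Every index
   --  expression is checked against 1 .. 8 at run time (or proven in range
   --  at compile time); there is no way to address Buf (9).
   type Index  is range 1 .. 8;
   type Buffer is array (Index) of Character;

   --  CWE-190: a range type narrower than the machine word. The sum is
   --  computed in the base type and then range-checked on assignment, so a
   --  result outside 0 .. 255 raises Constraint_Error instead of wrapping.
   type Byte is range 0 .. 255;

   --  CWE-476: a null-excluding access type. "Ref := null;" is rejected by
   --  the compiler, so Ref.all below can never dereference null.
   type Str_Ref is not null access all String;

   Buf  : Buffer         := (others => ' ');
   B    : Byte           := 250;
   Name : aliased String := "ada";
   Ref  : Str_Ref        := Name'Access;

   --  Stands in for an index that arrived from outside the program: it is a
   --  plain Integer, not yet known to be a valid Index.
   function Untrusted_Index return Integer is
   begin
      return 9;  --  constructed sample input: one past the end of Buf
   end Untrusted_Index;

begin
   --  Out-of-bounds write attempt: the Integer -> Index conversion fails
   --  its range check before the array is touched.
   begin
      Buf (Index (Untrusted_Index)) := 'X';
      Put_Line ("unexpected: out-of-bounds write went through");
   exception
      when E : Constraint_Error =>
         Put_Line ("CWE-787 blocked: " & Exception_Message (E));
   end;

   --  Integer overflow attempt: 250 + 10 does not fit in Byte.
   begin
      B := B + 10;
      Put_Line ("unexpected: overflow went through");
   exception
      when E : Constraint_Error =>
         Put_Line ("CWE-190 blocked: " & Exception_Message (E));
   end;

   --  The access value is statically known to be non-null.
   Put_Line ("CWE-476: dereference of non-null ref = " & Ref.all);
end Cwe_Checks;
```

Build with a GNAT toolchain (`gnatmake cwe_checks.adb`, assumed here); the first two attempts raise Constraint_Error and the handlers report it, while changing Ref's initializer to `null` is refused at compile time. The caveat behind "when properly utilized" is visible in the same code: compiling with `-gnatp` or adding `pragma Suppress (All_Checks)` removes the run-time range checks, and the first two attempts then behave like the C bugs the CWE entries describe.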
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Florian Weimer @ 2020-08-23 14:43 UTC

* Jeffrey R. Carter:
> This gives me a "not found" error.

I think the original is here:
<https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html>
* Re: MITRE's top-25 list of 2020 software-bug categories
From: nobody in particular @ 2020-08-24 16:55 UTC

On 22/08/2020 21:30, Jeffrey R. Carter wrote:
> On 8/22/20 6:31 PM, Andreas ZEURCHER wrote:
>>
>> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>
> This gives me a "not found" error.

That was #26 on the list but they had to cut it off somewhere.
* Re: MITRE's top-25 list of 2020 software-bug categories
From: Shark8 @ 2020-08-25 19:09 UTC

On Saturday, August 22, 2020 at 10:31:16 AM UTC-6, Andreas ZEURCHER wrote:
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>
> Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard. Others of the 25 are design-level, almost independent of programming language. Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory/filename string-processing that could conceivably be done just as badly in Ada.
>
> Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well.
>
> * defense contractor

The interesting portion, in tabular form (2020 CWE Top 25; Score is MITRE's weighted frequency/severity score):

Rank  ID       Score  Name
   1  CWE-79   46.82  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
   2  CWE-787  46.17  Out-of-bounds Write
   3  CWE-20   33.47  Improper Input Validation
   4  CWE-125  26.50  Out-of-bounds Read
   5  CWE-119  23.73  Improper Restriction of Operations within the Bounds of a Memory Buffer
   6  CWE-89   20.69  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
   7  CWE-200  19.16  Exposure of Sensitive Information to an Unauthorized Actor
   8  CWE-416  18.87  Use After Free
   9  CWE-352  17.29  Cross-Site Request Forgery (CSRF)
  10  CWE-78   16.44  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  11  CWE-190  15.81  Integer Overflow or Wraparound
  12  CWE-22   13.67  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  13  CWE-476   8.35  NULL Pointer Dereference
  14  CWE-287   8.17  Improper Authentication
  15  CWE-434   7.38  Unrestricted Upload of File with Dangerous Type
  16  CWE-732   6.95  Incorrect Permission Assignment for Critical Resource
  17  CWE-94    6.53  Improper Control of Generation of Code ('Code Injection')
  18  CWE-522   5.49  Insufficiently Protected Credentials
  19  CWE-611   5.33  Improper Restriction of XML External Entity Reference
  20  CWE-798   5.19  Use of Hard-coded Credentials
  21  CWE-502   4.93  Deserialization of Untrusted Data
  22  CWE-269   4.87  Improper Privilege Management
  23  CWE-400   4.14  Uncontrolled Resource Consumption
  24  CWE-306   3.85  Missing Authentication for Critical Function
  25  CWE-862   3.77  Missing Authorization