Software vulnerability reports and reports of software exploitations continue to grow at an alarming rate, and a significant number of these reports result in technical security alerts. To address this growing threat to the government, corporations, educational institutions, and individuals, systems must be developed that are free of software vulnerabilities.
Coding errors cause the majority of software vulnerabilities. For example, 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors [Heffley 2004].
Intro and stuff on SCALe.
...
- Operating system command interpreter (see guideline IDS06-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method)
- A data repository with an SQL-compliant interface (see guideline IDS07-J. Prevent SQL Injection)
- XML parser (see guideline IDS08-J. Prevent XML Injection)
- XPath evaluators (see guideline IDS09-J. Prevent XPath Injection)
- A SAX (Simple API for XML) or a DOM (Document Object Model) parser (see guideline IDS10-J. Prevent XML external entity attacks)
- Lightweight Directory Access Protocol (LDAP) directory service (see guideline IDS11-J. Prevent LDAP injection)
- Script engines (see guideline IDS12-J. Prevent code injection)
Many rules address proper filtering of untrusted input, especially when such input is passed to a component that can interpret commands or instructions. For example, see IDS08-J. Prevent XML Injection.
...
- Requesting a large image size for vector graphics, for instance, SVG and font files.
- "Zip bombs" whereby a short file is very highly compressed, for instance, ZIPs, GIFs and gzip-encoded HTTP content.
- "Billion laughs attack" whereby XML entity expansion causes an XML document to grow dramatically during parsing. Set the XMLConstants.FEATURE_SECURE_PROCESSING feature to true to enforce reasonable limits.
- Using excessive disk space.
- Inserting many keys with the same hash code into a hash table, consequently triggering worst-case performance (O(n²)) rather than typical-case performance (O(n)).
- Initiating many connections where the server allocates significant resources for each, for instance, the traditional "SYN flood" attack.
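One way to apply the FEATURE_SECURE_PROCESSING advice above when building a DOM parser in Java, added here as an example rather than code from the coding standard itself; it assumes the JDK's bundled Xerces parser (which honours the Apache disallow-doctype-decl feature), and the XML sample is constructed for the demonstration:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: a DOCTYPE whose internal entities reference each
    // other, so each level multiplies the expanded size. This is the
    // "billion laughs" pattern in miniature (three levels of four).
    static final String NESTED_ENTITIES =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [\n"
        + " <!ENTITY a \"ha\">\n"
        + " <!ENTITY b \"&a;&a;&a;&a;\">\n"
        + " <!ENTITY c \"&b;&b;&b;&b;\">\n"
        + "]>\n"
        + "<doc>&c;</doc>";

    // Hardened factory: secure processing enables the JAXP entity-expansion
    // and size limits; refusing any DOCTYPE removes internal entities (and
    // external entities, see IDS10-J) as an input altogether.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the parser rejects the document before expanding
    // anything; disallow-doctype-decl raises a SAXParseException on the DOCTYPE.
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsDoctype(NESTED_ENTITIES));
    }
}
```

If a DOCTYPE must be accepted for legitimate documents, keep FEATURE_SECURE_PROCESSING on and drop only the disallow-doctype-decl line; the JDK's default expansion limit then bounds how far the entities can grow.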
...