Newsgroups: comp.lang.ada
Subject: Re: MITRE's top-25 list of 2020 software-bug categories
From: Shark8
Date: Tue, 25 Aug 2020 12:09:47 -0700 (PDT)
In-Reply-To: <268eed24-fa23-4cf0-82f1-6f344885858dn@googlegroups.com>

On Saturday, August 22, 2020 at 10:31:16 AM UTC-6, Andreas ZEURCHER wrote:
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>
> Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard. Others of the 25 are design-level, almost independent of programming language.
> Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory-filename string-processing that could be conceivably done just as badly in Ada.
>
> Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well.
>
> * defense contractor

The interesting portion, in tabular form.

Rank  ID       Score  Name
   1  CWE-79   46.82  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
   2  CWE-787  46.17  Out-of-bounds Write
   3  CWE-20   33.47  Improper Input Validation
   4  CWE-125  26.50  Out-of-bounds Read
   5  CWE-119  23.73  Improper Restriction of Operations within the Bounds of a Memory Buffer
   6  CWE-89   20.69  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
   7  CWE-200  19.16  Exposure of Sensitive Information to an Unauthorized Actor
   8  CWE-416  18.87  Use After Free
   9  CWE-352  17.29  Cross-Site Request Forgery (CSRF)
  10  CWE-78   16.44  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  11  CWE-190  15.81  Integer Overflow or Wraparound
  12  CWE-22   13.67  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  13  CWE-476   8.35  NULL Pointer Dereference
  14  CWE-287   8.17  Improper Authentication
  15  CWE-434   7.38  Unrestricted Upload of File with Dangerous Type
  16  CWE-732   6.95  Incorrect Permission Assignment for Critical Resource
  17  CWE-94    6.53  Improper Control of Generation of Code ('Code Injection')
  18  CWE-522   5.49  Insufficiently Protected Credentials
  19  CWE-611   5.33  Improper Restriction of XML External Entity Reference
  20  CWE-798   5.19  Use of Hard-coded Credentials
  21  CWE-502   4.93  Deserialization of Untrusted Data
  22  CWE-269   4.87  Improper Privilege Management
  23  CWE-400   4.14  Uncontrolled Resource Consumption
  24  CWE-306   3.85  Missing Authentication for Critical Function
  25  CWE-862   3.77  Missing Authorization
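As an added illustration (not part of Shark8's post or the quoted one), the following small Ada program shows concretely how the language-level checks the thread refers to bear on three entries in the table: CWE-787/CWE-125 (out-of-bounds write/read) and CWE-190 (integer overflow or wraparound). The type names, the buffer size and the "external" index value are assumptions chosen for the demonstration, not taken from any real project.

```ada
--  Added example, not from the original post. Demonstrates Ada's
--  run-time index and range checks against three entries of the 2020
--  CWE top-25 table (CWE-787, CWE-125, CWE-190). All names are
--  illustrative; the "external" index is hard-coded here but written
--  as a variable so the compiler must emit the run-time check rather
--  than rejecting the program statically.
with Ada.Text_IO; use Ada.Text_IO;

procedure Bounds_Demo is
   --  A constrained array: every index is checked against 1 .. 8,
   --  so an out-of-bounds write or read raises Constraint_Error
   --  instead of corrupting or disclosing adjacent memory.
   type Buffer is array (1 .. 8) of Character;
   Buf : Buffer := (others => ' ');

   --  A signed subtype: assigning a value outside 0 .. 100 fails the
   --  range check rather than silently continuing with a bad value.
   subtype Small_Int is Integer range 0 .. 100;
   Counter : Small_Int := 99;

   --  A modular type wraps by definition; wraparound is only silent
   --  where the programmer has explicitly asked for it.
   type Wrapping_Byte is mod 2 ** 8;
   W : Wrapping_Byte := 255;

   --  Index "supplied from outside" (assumed value for the demo).
   External_Index : Integer := 9;
begin
   --  CWE-787: attempted out-of-bounds write.
   begin
      Buf (External_Index) := 'X';
      Put_Line ("write succeeded (should not happen)");
   exception
      when Constraint_Error =>
         Put_Line ("CWE-787 attempt caught: index check failed");
   end;

   --  CWE-125: attempted out-of-bounds read.
   begin
      Put_Line ("read: " & Buf (External_Index));
   exception
      when Constraint_Error =>
         Put_Line ("CWE-125 attempt caught: index check failed");
   end;

   --  CWE-190: 99 + 5 = 104 lies outside Small_Int, so the assignment
   --  fails its range check instead of storing an out-of-range value.
   begin
      Counter := Counter + 5;
      Put_Line ("Counter =" & Integer'Image (Counter));
   exception
      when Constraint_Error =>
         Put_Line ("CWE-190 attempt caught: range check failed");
   end;

   --  Wraparound where the type explicitly permits it: 255 + 1 = 0.
   W := W + 1;
   Put_Line ("Wrapping_Byte after increment =" & Wrapping_Byte'Image (W));
end Bounds_Demo;
```

Build with GNAT (`gnatmake bounds_demo.adb`) and run; each of the first three blocks prints its "caught" line and the last prints 0. Two caveats a practitioner should keep in mind: these checks are on by default in GNAT but can be disabled globally with `-gnatp` or locally with `pragma Suppress`, so a build configuration can quietly remove the mitigation; and they do nothing for the string-processing categories (CWE-79, CWE-89, CWE-78, CWE-22), which, as the quoted post says, can be done just as badly in Ada as anywhere else.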