Customization of CWE/SANS Top 25 Most Dangerous Software Errors list
First, let’s remove all issues that are without a doubt related to web applications only (and therefore irrelevant to our Windows Forms application):
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[9] Unrestricted Upload of File with Dangerous Type
[12] Cross-Site Request Forgery (CSRF)
[22] URL Redirection to Untrusted Site ('Open Redirect')
Then, let’s remove from the list all the errors that cannot affect code running on a managed framework such as .NET - that is another 5 errors to exclude. (The caveat: this holds for purely managed code. Any `unsafe` blocks, P/Invoke calls into native DLLs, or native third-party components such as device drivers for PIN pads and printers bring these errors back into scope for that part of the application.)
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[16] Inclusion of Functionality from Untrusted Control Sphere
[18] Use of Potentially Dangerous Function
[20] Incorrect Calculation of Buffer Size
[23] Uncontrolled Format String
Now, let’s review one more group of errors which theoretically can apply to our application's technology and functionality, but where it would be impractical to perform such attacks and/or there are no real-world examples:
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection became known through attacks on websites. Although you can theoretically still inject an SQL statement through a Windows Forms GUI, such attacks are rare, and Windows Forms GUI controls are usually more restrictive than web controls (a numeric-only PIN box with a fixed maximum length, for example, simply cannot carry a quote character). Also, the scale of a single workstation cannot be compared to a website database which potentially contains data of millions of users. Note that this exclusion assumes the data layer uses parameterized queries; the injection itself does not care which front end delivered the string.
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
I don’t think this is relevant to the desktop application, since normally the desktop application user already has access to the OS functions (can run another process). Therefore, the same OS functionality is available to the application and the user. This assumption holds only while the application runs under the interactive user's own account; on a terminal locked down in kiosk mode, or where the application runs under a separate service account, an injected command would gain privileges the cashier does not have.
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
It looks like this error mostly affects web-based applications, although the description does not say so. It would only come into play if a file name or path were built from user-supplied input (for example, a user-chosen name for an exported report), which a POS application rarely needs to do.
[15] Incorrect Authorization
Even though this issue theoretically can be applied to any technology and business area, I could not find any description or example which would prove that it is relevant to our case.
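To back the caveat attached to [1] above with something runnable, here is an added example (not code from the original post, and written in Python with an in-memory SQLite database rather than the .NET data layer the post is about): the same payload succeeds against a query built by string concatenation and fails against a parameterized one, regardless of whether the string came from a web form or a Windows Forms TextBox. The `cashiers` table, its rows and the payload are constructed for the demo; storing PINs in clear is itself a [8]-class problem and is ignored here only to keep the example short.

```python
"""Added example: SQL injection is independent of the input channel.

The in-memory SQLite table below stands in for the POS database and a plain
string literal stands in for whatever the UI control handed to the data layer.
"""
import sqlite3


def make_db():
    """Constructed sample data: two cashier accounts (PINs in clear for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cashiers (login TEXT, pin TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO cashiers VALUES (?, ?, ?)",
        [("alice", "1234", "cashier"), ("bob", "9999", "manager")],
    )
    return conn


def lookup_concatenated(conn, login, pin):
    """Vulnerable: the UI values are spliced straight into the SQL text."""
    sql = f"SELECT role FROM cashiers WHERE login = '{login}' AND pin = '{pin}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, login, pin):
    """Hardened: the same query with bound parameters; values are never parsed as SQL."""
    sql = "SELECT role FROM cashiers WHERE login = ? AND pin = ?"
    return [row[0] for row in conn.execute(sql, (login, pin))]


# Constructed payload. In the concatenated form the WHERE clause becomes
#   login = 'bob' AND pin = '' OR '1'='1'
# and, because AND binds tighter than OR, it is true for every row.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("concatenated  :", lookup_concatenated(db, "bob", PAYLOAD))
    print("parameterized :", lookup_parameterized(db, "bob", PAYLOAD))
    print("legitimate    :", lookup_parameterized(db, "bob", "9999"))
```

A numeric-only, length-limited PIN control would block this particular payload, which is the point the post makes about GUI controls; parameterization is what protects the fields that cannot be restricted that way (free-text search, customer names, coupon codes).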
So we have only 12 remaining errors that are applicable to our application.
However, before forming the final list, I would change the priorities, because different issues have a different effect in our specific area (remember - a retail store point of sale application), and the order does not necessarily match the original order defined by CWE/SANS. The new list is therefore sorted according to a prioritization that mainly takes into consideration the security standards affecting this kind of software - PCI DSS, PA-DSS and PCI P2PE - as well as common security design principles for retail financial software. (The customized list keeps the old numbers in [] for reference to the original CWE/SANS Top 25.)
Top 12 Most Dangerous Security Vulnerabilities in Standalone Point of Sale Application
1. [8] Missing Encryption of Sensitive Data
2. [25] Use of a One-Way Hash without a Salt
3. [19] Use of a Broken or Risky Cryptographic Algorithm
4. [7] Use of Hard-coded Credentials
5. [14] Download of Code Without Integrity Check
6. [11] Execution with Unnecessary Privileges
7. [5] Missing Authentication for Critical Function
8. [6] Missing Authorization
9. [10] Reliance on Untrusted Inputs in a Security Decision
10. [17] Incorrect Permission Assignment for Critical Resource
11. [21] Improper Restriction of Excessive Authentication Attempts
12. [24] Integer Overflow or Wraparound
In a similar way, the original CWE/SANS Top 25 list can be customized for other particular business and technology niches, such as, for example, a game application for a mobile device, but that is out of scope for this post and this blog.