Top 25 Most Dangerous Software Errors and Documentum

I recently wrote a post on Armedia’s blog about the publication of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors report.  The report was compiled and published by the SANS Institute and MITRE in June (cwe.mitre.org/top25).  The report leveraged the SANS Institute’s top 20 attack vectors (www.sans.org/top20) and MITRE’s Common Weakness Enumeration (CWE) to develop a list of the most frequent and severe programming errors this year.  This report got me thinking about Documentum and all of the custom code that I (and likely thousands of others) write to integrate with Documentum.  How many of these notoriously simple programming errors exist in the Documentum suite of products?  Have they ever been exploited?  Is Documentum vulnerable due to some of these programming errors?  How many of these errors am I guilty of (unintentionally) coding into customizations?  How many are you?  Read the report and decide for yourself.

As for the EMC/Documentum vulnerabilities, you can discover them in a few places:

  1. PowerLink – search PowerLink for ‘vulnerability’ and you will discover a few vulnerabilities related to Documentum, but most reside in companion or embedded products such as Java, JBoss, Tomcat and WebLogic.
  2. EMC also maintains a list of current security advisories here (Support -> Technical Advisories and Support -> Security Advisories).  Currently, the only vulnerability listed here is for eRoom.
  3. seclist.org – search on ‘Documentum’ and you will discover several reported vulnerabilities in Documentum products (mostly eRoom).  I found this post very interesting.

As for bugs/vulnerabilities that you and I introduce…read the CWE/SANS report.  I find it interesting how insidiously simple some of these errors are to commit — and correct!  With a little diligence, proactive thinking, and common sense we can all keep our code secure.  I’d be interested to know of any vulnerabilities you have found in the Documentum suite, and any other security sites you monitor for vulnerability listings.

UPDATE:  I just found the OWASP Top Ten report that examines many of the same errors/vulnerabilities from a risk perspective.  This report also provides some nice examples, descriptions, and remediations.


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

4 Responses to Top 25 Most Dangerous Software Errors and Documentum

  1. Scott says:

    We also have seen quite a few vulnerabilities, including “A2: Cross-Site Scripting (XSS)”, which we got fixed by adding a few tags in app.xml. We have also encountered a few such as A10: Unvalidated Redirects and Forwards, and we use https://www.owasp.org/index.php/Top_10 for references.

  2. Yuri Simione says:

    Very interesting post, Scott. Regarding security, this week EMC published a security advisory related to a privilege elevation vulnerability that I discovered some months ago. I am particularly proud of my research because what I discovered is the first security alert on EMC Documentum systems in, at least, 4 years.

    You can read more by following this link:
    http://artika.biz/2012/01/emc-security-advisory-on-emc-documentum-6-0-6-5-6-6/
