DevTopics

Experts from more than 30 U.S. and international cyber-security organizations jointly released a consensus list of the 25 most dangerous programming errors that lead to security bugs and cyber-crime.

The impact of these programming errors is significant.  Just two of these errors resulted in more than 1.5 million website security breaches during 2008.  These breaches allowed malicious software to take control of the computers that visited those web sites, turning their computers into zombies that committed further cyber-crimes.

Shockingly, most programmers do not understand or look for these errors.  Colleges rarely teach programming students how to avoid these errors.  And most software companies don’t explicitly test for these errors before releasing their products.

Background

The organizations that helped produce this list include Microsoft, Symantec, Department of Homeland Security (DHS), National Security Agency (NSA), University of California at Davis, and Purdue University.  MITRE and SANS Institute managed the Top 25 Errors initiative.

What was interesting about the process was how quickly the experts came to agreement in spite of some heated discussion. “There appears to be broad agreement on the programming errors,” says SANS Director, Mason Brown.  “Now it is time to fix them.  First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”

Benefits

The security experts hope that releasing this information will result in the following key improvements in the software industry:

• Users will have access to much safer software.
• Programmers will have tools to measure the security of the software they are developing.
• Colleges will teach more secure coding practices.
• Companies will produce more secure software products.

“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager, National Security Agency (NSA).  “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause.  Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.”

Most Dangerous Programming Errors

Here are the top 25 most dangerous programming errors divided into three categories:

Insecure Interaction Between Components

• Improper Input Validation
• Improper Encoding or Escaping of Output
• Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
• Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
• Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
• Cleartext Transmission of Sensitive Information
• Cross-Site Request Forgery (CSRF)
• Race Condition
• Error Message Information Leak

Risky Resource Management

• Failure to Constrain Operations within the Bounds of a Memory Buffer
• External Control of Critical State Data
• External Control of File Name or Path
• Untrusted Search Path
• Failure to Control Generation of Code (aka ‘Code Injection’)
• Download of Code Without Integrity Check
• Improper Resource Shutdown or Release
• Improper Initialization
• Incorrect Calculation

Porous Defenses

• Improper Access Control (Authorization)
• Use of a Broken or Risky Cryptographic Algorithm
• Hard-Coded Password
• Insecure Permission Assignment for Critical Resource
• Use of Insufficiently Random Values
• Execution with Unnecessary Privileges
• Client-Side Enforcement of Server-Side Security

Read about these errors in detail at the SANS Institute.

Article published on January 14, 2009

If you like this article, please share it: