Experts from more than 30 U.S. and international cyber-security organizations jointly released a consensus list of the 25 most dangerous programming errors that lead to security bugs and cyber-crime.
The impact of these programming errors is significant. Just two of these errors were behind more than 1.5 million website security breaches during 2008. Those breaches let malicious software take control of the computers that visited the compromised web sites, turning them into zombies used to commit further cyber-crime.
Shockingly, most programmers do not understand or look for these errors. Colleges rarely teach programming students how to avoid these errors. And most software companies don’t explicitly test for these errors before releasing their products.
The organizations that helped produce this list include Microsoft, Symantec, the Department of Homeland Security (DHS), the National Security Agency (NSA), the University of California at Davis, and Purdue University. MITRE and the SANS Institute managed the Top 25 Errors initiative.
What was interesting about the process was how quickly the experts came to agreement in spite of some heated discussion. “There appears to be broad agreement on the programming errors,” says SANS Director Mason Brown. “Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”
The security experts hope that releasing this information will result in the following key improvements in the software industry:
- Users will have access to much safer software.
- Programmers will have tools to measure the security of the software they are developing.
- Colleges will teach more secure coding practices.
- Companies will produce more secure software products.
“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology,” said Tony Sager of the National Security Agency (NSA). “There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.”
Most Dangerous Programming Errors
Here are the top 25 most dangerous programming errors divided into three categories:
Insecure Interaction Between Components
- Improper Input Validation
- Improper Encoding or Escaping of Output
- Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
- Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
- Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
- Cleartext Transmission of Sensitive Information
- Cross-Site Request Forgery (CSRF)
- Race Condition
- Error Message Information Leak
Risky Resource Management
- Failure to Constrain Operations within the Bounds of a Memory Buffer
- External Control of Critical State Data
- External Control of File Name or Path
- Untrusted Search Path
- Failure to Control Generation of Code (aka ‘Code Injection’)
- Download of Code Without Integrity Check
- Improper Resource Shutdown or Release
- Improper Initialization
- Incorrect Calculation
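Two entries in the first category, SQL injection and cross-site scripting, are the web errors that dominate the breach counts cited above. Both share one root cause: untrusted input is pasted into text that a downstream parser (the database engine, the browser) reads as structure. The following Python example is added here to illustrate that point; it is not code from the article or from the Top 25 project. It uses a constructed in-memory SQLite user table and a classic tautology payload, and shows the vulnerable form of each error beside the hardened form (a parameterised query, and HTML escaping of output).

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny user table standing in for a site's login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Failure to preserve SQL query structure: the query text is built from user input,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    query = (
        f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, name, password):
    """Parameterised query: the structure is fixed by the code, and the input is bound
    as data no matter what characters it contains."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def greeting_vulnerable(name):
    """Failure to preserve web page structure: input is reflected into HTML verbatim,
    so a tag in the input becomes part of the page."""
    return f"<p>Welcome, {name}!</p>"


def greeting_fixed(name):
    """Escaping on output: the browser sees the input as text, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def demo():
    """Runs both errors against attacker-controlled input and returns the outcomes."""
    conn = make_db()
    # Tautology payload: the leading quote closes the name literal, OR '1'='1' is
    # always true, and -- comments out the password check that followed.
    sqli_payload = "' OR '1'='1' --"
    xss_payload = "<script>alert(1)</script>"
    return {
        # Returns every user without a valid password.
        "sqli_vulnerable": login_vulnerable(conn, sqli_payload, "wrong"),
        # The same payload bound as data matches no row.
        "sqli_fixed": login_fixed(conn, sqli_payload, "wrong"),
        # A legitimate login still works with the parameterised query.
        "legit_login": login_fixed(conn, "alice", "s3cret"),
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_fixed": greeting_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened versions do not try to detect or strip attack strings; they keep the input in the data channel (bound parameters, escaped text) so the query and page structure are decided only by the program. That is the general fix for the whole "failure to preserve structure" family, OS command injection included (pass an argument list to the process API rather than a shell string).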
The full Top 25 list, with each error described in detail, is available from the SANS Institute.
Article published on January 14, 2009