Experts Announce the 25 Most Dangerous Programming Errors - And How to Fix Them
Experts from more than 30 US and international cyber security organizations jointly released the list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.
The list was spearheaded by the National Security Agency.
"Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale," SANS Institute said in a press release.
The impact of these errors led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.
People and organizations that provided input to the project are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University.
Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens." said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).
The list might help improve the quality of programming classes and training programs by creating consensus about what the most common mistakes are and what developers can do to prevent them.
The errors have been broken into three categories labeled insecure interaction between components (nine errors), risky resource management (nine also) and porous defenses (seven). Mistakes include improper input validation, external control of external state data and improper access control.
Resources to Help Eliminate The Top 25 Errors
The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites www.sans.org/top25 cwe.mitre.org/top25/
MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. cwe.mitre.org/
SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
"Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale," SANS Institute said in a press release.
The impact of these errors led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.
People and organizations that provided input to the project are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University.
Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens." said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).
The list might help improve the quality of programming classes and training programs by creating consensus about what the most common mistakes are and what developers can do to prevent them.
The errors have been broken into three categories labeled insecure interaction between components (nine errors), risky resource management (nine also) and porous defenses (seven). Mistakes include improper input validation, external control of external state data and improper access control.
Resources to Help Eliminate The Top 25 Errors
The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites www.sans.org/top25 cwe.mitre.org/top25/
MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. cwe.mitre.org/
SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
